On Tue, Jun 04, 2019 at 09:54:45AM -0400, Robbie Harwood via FreeIPA-users wrote:
> Khurrum Maqb via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
> writes:
>
> > That worked! Thanks so much! I can login and successfully receive a
> > kerberos ticket when using a smartcard to login.
> > I also added the following to /etc/krb5.conf to match only a single cert
> > for pkinit
> >
> > pkinit_cert_match = &&<EKU>msScLogin,clientAuth<KU>digitalSignature
> >
> > I am now down to 15 seconds for logins (which is better than the 30-50
> > seconds) which is still on the slow side but I think the reason might
> > be the 4 valid and 5 expired certs on the card. I'm guessing it might
> > be looping through all the certs which is adding all this extra
> > time. Just off the top of your head, do you know if there is a krb and
> > p11 config somewhere that would allow me to limit desktop/client
> > device logins to using only slot 01 on the card and ignore the rest?
>
> krb5 lets you specify this on a global basis in the configuration file,
> but it doesn't sound like what you want. (See the penultimate section
> of "Specifying PKINIT identity information" in krb5.conf(5).)
On the SSSD side, which is responsible for the login, you can use the
p11_uri option with recent versions. If there is an entry for p11_uri in
man sssd.conf your platform should already support this and it can be
used.

HTH

bye,
Sumit

> 
> Thanks,
> --Robbie

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
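The two configuration knobs named in this thread, written out as an added example (not configuration posted by any of the participants). It shows the krb5 side, where the PKCS11: form of pkinit_identities documented in krb5.conf(5) pins PKINIT to one slot/certificate and pkinit_cert_match (the rule from the thread) filters on EKU/KU, and the SSSD side, where p11_uri in the [pam] section of sssd.conf restricts which slot or token p11_child reads. The realm, the PKCS#11 module path, the slot id and the token/certificate labels are placeholders that must be replaced with the values the card and platform actually expose.

```ini
# /etc/krb5.conf (added example; layout follows krb5.conf(5), values are placeholders)
[libdefaults]
    default_realm = EXAMPLE.TEST
    # Pin PKINIT to a single identity on the token instead of letting the
    # client walk every slot and certificate the PKCS#11 module exposes.
    # slotid, token and certlabel are the selectors documented for the
    # PKCS11: identity form in krb5.conf(5); the module path, slot number and
    # label below are assumptions for this example.
    pkinit_identities = PKCS11:module_name=/usr/lib64/pkcs11/opensc-pkcs11.so:slotid=1:certlabel=PLACEHOLDER_CERT_LABEL
    # Keep the EKU/KU filter from the thread so that, even if the selector
    # above matches more than one certificate, only a login-capable one is
    # offered to the KDC.
    pkinit_cert_match = &&<EKU>msScLogin,clientAuth<KU>digitalSignature

# /etc/sssd/sssd.conf (added example; placeholders as above)
[pam]
# RFC 7512 PKCS#11 URI. SSSD's p11_child only looks at slots/tokens that
# match it, so expired or unrelated certificates in other slots are never
# read during login. Attributes are ANDed; token= (the token label, with
# spaces percent-encoded) is usually more stable across reader re-plugs than
# slot-id=, which the module assigns.
p11_uri = pkcs11:token=PLACEHOLDER_TOKEN_LABEL
```

After changing either file, confirm the selection from a shell with `kinit -X X509_user_identity=...` for the krb5 side and with the SSSD login itself; if login stops working entirely, the selector matched nothing and the placeholder labels need to be replaced with the ones the card's PKCS#11 module actually reports.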