1. The Certificate On My Yubikey was issued by the IPA server CA, since
it's my domain controller it makes sense to keep it the CA.
2. I don't use mapping rules and matching rules, and I went through a
WHOLE PROCESS to get the 'clientAuth' key on my cert.
3. On my IPA Server it gives 'PKINIT is enabled
The ipa-pkinit-manage command was successful'
On 1/25/23 23:07, Florence Blanc-Renaud wrote:
Hi,
On Wed, Jan 25, 2023 at 10:04 PM r0nam1 via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
Noted, I'll hit 'reply-all' from now on.
Looking over those links you sent me, I've decided to:
- Ran 'ipa user-show $user' and verified the certificate returned
- Ran 'ipa certmap-match cert.pem' on an extracted certificate
that is also on the SmartCard, it returned my user.
- Ran 'kinit' and it reacted to my smartcard being present, asking
for a PIN along with my username being displayed, giving the
default pin of '123456' it returned an error I haven't been able
to decipher yet:
'*kinit: KDC policy rejects request while getting initial
credentials*'
I think this is the current blocking point in the authentication
process, any ideas what it fully means? My google-fu has failed me
here.
There are a few additional things to check.
1. Was the certificate on your smart card issued by IPA CA or by a
different CA? If it was issued by a different CA, this CA must be
trusted and this is achieved by running the preparation steps for the
server:
kinit admin
ipa-advise config-server-for-smart-card-auth >
config-server-for-smart-card-auth.sh
chmod +x config-server-for-smart-card-auth.sh
./config-server-for-smart-card-auth.sh issuingca.pem
Do not forget to execute ipa-certupdate on all IPA machines (server,
replica, clients).
2. If you don't use mapping rules and matching rules, the default
applies and SSSD ensures that the certificate from the smart card
contains the Extended Key Usage “clientAuth”. Does you certificate
have this EKU?
3. Is the ipa server properly configured for pkinit? What is the output of
ipa-pkinit-manage status
flo
On 1/25/23 12:39, Rob Crittenden wrote:
r0nam1 wrote:
So far it's a lot of 'I thinks'. I think I've configured OpenSC and
pcscd correctly, I think I've configured SSSD correctly, and I think
I've configured PAM correctly, if you can give me a list of relevant
logs or test commands (Even full directory's of logs) I'll do what I can.
Please keep responses on the list.
The log to see depends on the behavior.
Some additional readings (some are rather old but still relevant):
https://floblanc.wordpress.com/?s=smart
https://frasertweedale.github.io/blog-redhat/posts/2016-08-12-yubikey-sc-login.html
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
