On Thu, 26 Jan 2023, r0nam1 via FreeIPA-users wrote:
Note: When you need to use PKINIT, set it as a default authentication type, that's why it kept failing :|

Actually, it is enough to enable it in the user account, not as a
default one. I'd recommend not enabling it globally unless all accounts
will be using PKINIT.

Same applies to other authentication types.


On 1/26/23 07:54, r0nam1 wrote:

1. The Certificate On My Yubikey was issued by the IPA server CA, since it's my domain controller it makes sense to keep it the CA.

2. I don't use mapping rules and matching rules, and I went through a WHOLE PROCESS to get the 'clientAuth' key on my cert.

3. On my IPA Server it gives 'PKINIT is enabled
The ipa-pkinit-manage command was successful'


On 1/25/23 23:07, Florence Blanc-Renaud wrote:
Hi,

On Wed, Jan 25, 2023 at 10:04 PM r0nam1 via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

   Noted, I'll hit 'reply-all' from now on.

   Looking over those links you sent me, I've decided to:

   - Ran 'ipa user-show $user' and verified the certificate returned

   - Ran 'ipa certmap-match cert.pem' on an extracted certificate
   that is also on the SmartCard, it returned my user.

   - Ran 'kinit' and it reacted to my smartcard being present,
   asking for a PIN along with my username being displayed, giving
   the default pin of '123456' it returned an error I haven't been
   able to decipher yet:

   '*kinit: KDC policy rejects request while getting initial
   credentials*'

   I think this is the current blocking point in the authentication
   process, any ideas what it fully means? My google-fu has failed
   me here.

There are a few additional things to check.
1. Was the certificate on your smart card issued by IPA CA or by a different CA? If it was issued by a different CA, this CA must be trusted and this is achieved by running the preparation steps for the server:
kinit admin
ipa-advise config-server-for-smart-card-auth > config-server-for-smart-card-auth.sh
chmod +x config-server-for-smart-card-auth.sh
./config-server-for-smart-card-auth.sh issuingca.pem

Do not forget to execute ipa-certupdate on all IPA machines (server, replica, clients).

2. If you don't use mapping rules and matching rules, the default applies and SSSD ensures that the certificate from the smart card contains the Extended Key Usage “clientAuth”. Does your certificate have this EKU?

3. Is the ipa server properly configured for pkinit? What is the output of
ipa-pkinit-manage status

flo


   On 1/25/23 12:39, Rob Crittenden wrote:
   r0nam1 wrote:
   So far it's a lot of 'I thinks'. I think I've configured OpenSC and
   pcscd correctly, I think I've configured SSSD correctly, and I think
   I've configured PAM correctly, if you can give me a list of relevant
   logs or test commands (Even full directories of logs) I'll do what I can.
   Please keep responses on the list.

   The log to see depends on the behavior.

   Some additional readings (some are rather old but still relevant):

   https://floblanc.wordpress.com/?s=smart
   https://frasertweedale.github.io/blog-redhat/posts/2016-08-12-yubikey-sc-login.html

   rob

   _______________________________________________
   FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
   To unsubscribe send an email to
   freeipa-users-le...@lists.fedorahosted.org
   Fedora Code of Conduct:
   https://docs.fedoraproject.org/en-US/project/code-of-conduct/
   List Guidelines:
   https://fedoraproject.org/wiki/Mailing_list_guidelines
   List Archives:
   https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
   Do not reply to spam, report it:
   https://pagure.io/fedora-infrastructure/new_issue


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
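Florence's point 2 above (SSSD's default matching rule requires the "clientAuth" Extended Key Usage) is the check most often missed in this kind of thread. The following script is an added example and not part of the original thread or of FreeIPA/SSSD; it walks a certificate's DER with only the Python standard library and reports whether id-kp-clientAuth (1.3.6.1.5.5.7.3.2) is present. The `constructed_cert_skeleton` helper builds a constructed, certificate-shaped DER blob for self-testing only (it is not a real certificate); the file path argument and the function names are this example's own assumptions.

```python
"""Check whether a smart-card certificate carries the clientAuth Extended Key Usage.

Standard-library-only DER walker: no `cryptography` or openssl dependency.
Constructed test data is built by `constructed_cert_skeleton` (not a real cert)."""
import base64
import re

OID_EXT_KEY_USAGE = "2.5.29.37"        # id-ce-extKeyUsage
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth


def _read_tlv(buf, pos):
    """Return (tag, constructed, content, next_pos) for the DER TLV at pos.
    Assumes low tag numbers (< 31), which is all X.509 uses."""
    tag = buf[pos]
    constructed = bool(tag & 0x20)
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, constructed, buf[pos:pos + length], pos + length


def _iter_children(content):
    """Yield (tag, constructed, content) for each TLV packed in `content`."""
    pos = 0
    while pos < len(content):
        tag, constructed, inner, pos = _read_tlv(content, pos)
        yield tag, constructed, inner


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    parts = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:              # last base-128 digit of this arc
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def _find_extension(cert_der, ext_oid):
    """Depth-first search for Extension { extnID == ext_oid }; return extnValue or None."""
    stack = [cert_der]
    while stack:
        try:
            children = list(_iter_children(stack.pop()))
            # An Extension is a SEQUENCE whose first member is the extnID OID and
            # whose last member is the extnValue OCTET STRING (critical flag optional).
            if (children and children[0][0] == 0x06
                    and _decode_oid(children[0][2]) == ext_oid and children[-1][0] == 0x04):
                return children[-1][2]
        except (IndexError, ValueError):
            continue                  # not well-formed DER at this level; skip it
        stack.extend(inner for _, constructed, inner in children if constructed)
    return None


def extended_key_usages(cert_der):
    """Return the dotted OIDs listed in the certificate's EKU extension ([] if absent)."""
    ext_value = _find_extension(cert_der, OID_EXT_KEY_USAGE)
    if ext_value is None:
        return []
    seq = list(_iter_children(ext_value))
    if not seq or seq[0][0] != 0x30:  # extnValue must wrap a SEQUENCE OF OID
        return []
    return [_decode_oid(v) for tag, _, v in _iter_children(seq[0][2]) if tag == 0x06]


def has_client_auth(cert_der):
    """True when the certificate asserts id-kp-clientAuth (SSSD's default rule needs it)."""
    return OID_CLIENT_AUTH in extended_key_usages(cert_der)


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block from PEM text such as the thread's cert.pem."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


# --- constructed sample data (assumption: shaped like a cert, not a real one) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:                      # remaining base-128 digits carry the high bit
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def constructed_cert_skeleton(eku_oids):
    """Certificate-shaped DER: SEQUENCE { SEQUENCE { serial, [3] Extensions } } with one EKU."""
    eku_seq = _der(0x30, b"".join(_encode_oid(o) for o in eku_oids))
    ext = _der(0x30, _encode_oid(OID_EXT_KEY_USAGE) + _der(0x04, eku_seq))
    extensions = _der(0xA3, _der(0x30, ext))
    return _der(0x30, _der(0x30, _der(0x02, b"\x01") + extensions))


if __name__ == "__main__":
    import sys
    der = (pem_to_der(open(sys.argv[1]).read()) if len(sys.argv) > 1
           else constructed_cert_skeleton([OID_CLIENT_AUTH]))
    print("EKU OIDs:", extended_key_usages(der))
    print("clientAuth present:", has_client_auth(der))
```

Run it as `python3 check_eku.py cert.pem` against the certificate extracted from the card (the same file used with `ipa certmap-match` above); with no argument it runs on the constructed skeleton. On a box with OpenSSL 1.1.1 or later, `openssl x509 -in cert.pem -noout -ext extendedKeyUsage` gives the same answer in one line; the script exists to show what is actually being looked for. For Alexander's per-user recommendation, FreeIPA's `ipa user-mod USER --user-auth-type=pkinit` enables PKINIT on a single account instead of globally.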