Hi Sumit, > On 23 Jun 2023, at 10:52, Sumit Bose via FreeIPA-users > <freeipa-users@lists.fedorahosted.org> wrote: > >> >> No. The users are the same on both - same uid, gid, etc, but no connection, >> trust, or anything. >> The mapping on sssd.conf is this one: >> >> [certmap/mydomain.com/truesso] #Add this section and >> following lines to set match and map rule for certificate user >> matchrule = <EKU>msScLogin >> maprule = >> (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name})) >> domains = mydomain.com >> priority = 10 >> >> When id_provider = ad, it works, but not when it is `ldap`. But the users, >> in principle, are the same. Could it be those attributes that are wrong? > > Hi, > > with 'id_provider = ad' the 'auth_provider' will be 'ad' as well, which > is basically 'auth_provider = krb5' and Smartcard authentication is done > the Kerberos way. With 'id_provider = ldap' the 'auth_provider' will be > 'ldap' as well, so you might have to explicitly add 'auth_provider = > krb5' > > Additionally, the 'maprule' is looking for LDAP attributes, so you IPA > user must at least have the 'userPrincipal' attribute set with the > principal which is stored in the subject alternative names of the > certificate. > > Feel free to add 'debug_level = 9' to the [pam] and [domain/...] > sections of sssd.conf, restart SSSD, try again and send the SSSD logs > here. > > bye, > Sumit
What happens is that when I have the sssd.conf configured like this: [domain/MYDOMAIN.NO] ad_site = dc.mydomain.no ad_domain = mydomain.no id_provider = ad access_provider = ad #auth_provider = krb5 It works with certificates and passwords. When I change it to this: [domain/MYDOMAIN.NO] ad_site = dc.mydomain.no ad_domain = mydomain.no id_provider = ldap access_provider = ad auth_provider = krb5 ldap_user_principal = userPrincipalName ldap_uri = ldaps://ldap.mydomain.no ldap_default_bind_dn = cn=pam-common,cn=services,dc=mydomain,dc=no ldap_default_authtok = not-so-secret ldap_search_base = cn=system,dc=mydomain,dc=no ldap_netgroup_search_base = cn=netgroups,cn=system,dc=mydomain,dc=no ldap_group_search_base = cn=filegroups,cn=system,dc=mydomain,dc=no ldap_user_home_directory = homeDirectory It doesn’t work. Even the password doesn’t work, which is weird. The rest of the sssd.conf is this: krb5_realm = MYDOMAIN.NO # how long including renewals may a ticket be valid for krb5_renewable_lifetime = 14d # time in seconds between checking if a ticket must be renewed krb5_renew_interval = 3600 # template used for placing kerberos tickets by default ad_gpo_map_interactive = +gdm-vmwcred #use_fully_qualified_names = False krb5_store_password_if_offline = True [pam] pam_cert_auth = True pam_p11_allowed_services = +gdm-vmwcred debug_level = 9 [certmap/mydomain.no/truesso] matchrule = <EKU>msScLogin maprule = (|(userPrincipalName={subject_principal})(uid={subject_principal.short_name})) domains = mydomain.no priority = 10 debug_level = 9 Do you see anything that clearly can be the problem? The error I get is this one: Jun 27 12:58:33 localhost.localdomain org.a11y.Bus[6510]: SpiRegistry daemon is running with well-known name - org.a11y.atspi.Registry Jun 27 12:58:34 localhost.localdomain krb5_child[6617]: Pre-authentication failed: Cannot read password Jun 27 12:58:34 localhost.localdomain desktopWorker[5838]: pam_sss(gdm-vmwcred:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=francis Best, Francis _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue