> On 28 Jun 2023, at 07:50, Sumit Bose via FreeIPA-users > <freeipa-users@lists.fedorahosted.org> wrote: > > Am Wed, Jun 28, 2023 at 07:23:58AM +0200 schrieb Francis Augusto > Medeiros-Logeay: >> >> >>> On 23 Jun 2023, at 10:52, Sumit Bose via FreeIPA-users >>> <freeipa-users@lists.fedorahosted.org> wrote: >>> >>> Am Fri, Jun 23, 2023 at 09:03:55AM +0200 schrieb Francis Augusto >>> Medeiros-Logeay via FreeIPA-users: >>>> >>>> >>>>> On 22 Jun 2023, at 14:48, Rob Crittenden via FreeIPA-users >>>>> <freeipa-users@lists.fedorahosted.org> wrote: >>>>> >>>>> Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: >>>>>> Hi, >>>>>> >>>>>> We have an application that requires Active Directory. In order to >>>>>> provide SSO, the application gets a user certificate from AD and, as I >>>>>> understand, uses it towards a RHEL machine as a smart card. I installed >>>>>> AD's ca certificates on the RHEL client and it works when sssd.conf is >>>>>> all configured towards AD. >>>>>> >>>>>> I've joined the client to AD, as I said, but I do want my `id_provider` >>>>>> in `sssd.conf` to be `ldap` so that it gets my group info from FreeIPA. >>>>>> But when I do this, the authentication doesn't work. >>>>>> >>>>>> Is there a way to either force pam/sssd to check the certificates >>>>>> against AD while still getting groups and names from ldap, or to get >>>>>> FreeIPA to approve the certificates? >>>>>> >>>>>> I know this might be a very corner case, but if we make it works, this >>>>>> would be beautiful. >>>>> >>>> >>>> Thanks Rob! >>>> >>>>> IMHO you should cross-post this to the SSSD users list as this seems >>>>> more their area, >>>>> https://lists.fedorahosted.org/archives/list/sssd-us...@lists.fedorahosted.org/ >>>> >>>> I posted it there first, tbh, but got no reply. >>>> >>>>> I think expanding on your configuration would help too. Are you using >>>>> the IPA certificate mapping to map the AD-issued certificates to an IPA >>>>> user for authentication? >>>> >>>> No. The users are the same on both - same uid, gid, etc, but no >>>> connection, trust, or anything. >>>> The mapping on sssd.conf is this one: >>>> >>>> [certmap/mydomain.com/truesso] #Add this section and >>>> following lines to set match and map rule for certificate user >>>> matchrule = <EKU>msScLogin >>>> maprule = >>>> (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name})) >>>> domains = mydomain.com >>>> priority = 10 >>>> >>>> When id_provider = ad, it works, but not when it is `ldap`. But the users, >>>> in principle, are the same. Could it be those attributes that are wrong? >>> >>> Hi, >>> >>> with 'id_provider = ad' the 'auth_provider' will be 'ad' as well, which >>> is basically 'auth_provider = krb5' and Smartcard authentication is done >>> the Kerberos way. With 'id_provider = ldap' the 'auth_provider' will be >>> 'ldap' as well, so you might have to explicitly add 'auth_provider = >>> krb5' >>> >>> Additionally, the 'maprule' is looking for LDAP attributes, so you IPA >>> user must at least have the 'userPrincipal' attribute set with the >>> principal which is stored in the subject alternative names of the >>> certificate. >>> >>> Feel free to add 'debug_level = 9' to the [pam] and [domain/...] >>> sections of sssd.conf, restart SSSD, try again and send the SSSD logs >>> here. >>> >>> bye, >>> Sumit >> >> >> Hi Sumit, >> >> It fails on RHEL 9, though - before I was doing it on RHEL 9. >> >> I get this: >> >> Jun 28 07:21:09 sso-rhel-test krb5_child[3447]: Pre-authentication failed: >> Preauthentication failed >> Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: >> pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 >> tty= ruser= rhost= user=francis >> Jun 28 07:21:09 sso-rhel-test krb5_child[3447]: Pre-authentication failed: >> Preauthentication failed >> Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: >> pam_sss(gdm-password:auth): received for user francis: 7 (Authentication >> failure) >> Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: gkr-pam: unable to locate >> daemon control file >> Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: gkr-pam: stashed password >> to try later in open ses >> >> Exact same configuration. Neither password nor certificate works, though >> password works on ssh. >> >> Any tips here? > > Hi, > > this might be related to > https://bugzilla.redhat.com/show_bug.cgi?id=2214300 > (https://bugzilla.redhat.com/show_bug.cgi?id=2155607 is the > corresponding RHEL-9 ticket, but this is mostly private). Does it work > any better if you set > > update-crypto-policies --set LEGACY:AD-SUPPORT-LEGACY > > bye, > Sumit >
Not really. I get this: Jun 28 08:02:00 sso-rhel-test krb5_child[3019]: Pre-authentication failed: Preauthentication failed Jun 28 08:02:00 sso-rhel-test krb5_child[3019]: Pre-authentication failed: Preauthentication failed Jun 28 08:02:00 sso-rhel-test desktopWorker[2835]: pam_sss(gdm-vmwcred:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=francis Jun 28 08:02:00 sso-rhel-test desktopWorker[2835]: pam_sss(gdm-vmwcred:auth): received for user francis: 7 (Authentication failure) Jun 28 08:02:01 sso-rhel-test krb5_child[3083]: Cannot read password Jun 28 08:02:01 sso-rhel-test krb5_child[3083]: Cannot read password Jun 28 08:02:01 sso-rhel-test desktopWorker[2835]: pam_sss(gdm-vmwcred:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=francis Jun 28 08:02:01 sso-rhel-test desktopWorker[2835]: pam_sss(gdm-vmwcred:auth): received for user francis: 15 (Authentication service cannot retrieve user credentials) Jun 28 08:02:01 sso-rhel-test desktopWorker[2835]: gkr-pam: unable to locate daemon control file Jun 28 08:02:01 sso-rhel-test desktopWorker[2835]: gkr-pam: stashed password to try later in open session Jun 28 08:02:10 sso-rhel-test krb5_child[3112]: Pre-authentication failed: Preauthentication failed Jun 28 08:02:10 sso-rhel-test krb5_child[3112]: Pre-authentication failed: Preauthentication failed Jun 28 08:02:10 sso-rhel-test desktopWorker[2835]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=francis Jun 28 08:02:10 sso-rhel-test desktopWorker[2835]: pam_sss(gdm-password:auth): received for user francis: 7 (Authentication failure) Jun 28 08:02:10 sso-rhel-test desktopWorker[2835]: gkr-pam: unable to locate daemon control file Best, Francis _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue