Am Wed, Jun 28, 2023 at 08:03:58AM +0200 schrieb Francis Augusto Medeiros-Logeay via FreeIPA-users: > > > > On 28 Jun 2023, at 07:50, Sumit Bose via FreeIPA-users > > <freeipa-users@lists.fedorahosted.org> wrote: > > > > Am Wed, Jun 28, 2023 at 07:23:58AM +0200 schrieb Francis Augusto > > Medeiros-Logeay: > >> > >> > >>> On 23 Jun 2023, at 10:52, Sumit Bose via FreeIPA-users > >>> <freeipa-users@lists.fedorahosted.org> wrote: > >>> > >>> Am Fri, Jun 23, 2023 at 09:03:55AM +0200 schrieb Francis Augusto > >>> Medeiros-Logeay via FreeIPA-users: > >>>> > >>>> > >>>>> On 22 Jun 2023, at 14:48, Rob Crittenden via FreeIPA-users > >>>>> <freeipa-users@lists.fedorahosted.org> wrote: > >>>>> > >>>>> Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: > >>>>>> Hi, > >>>>>> > >>>>>> We have an application that requires Active Directory. In order to > >>>>>> provide SSO, the application gets a user certificate from AD and, as I > >>>>>> understand, uses it towards a RHEL machine as a smart card. I installed > >>>>>> AD's ca certificates on the RHEL client and it works when sssd.conf is > >>>>>> all configured towards AD. > >>>>>> > >>>>>> I've joined the client to AD, as I said, but I do want my `id_provider` > >>>>>> in `sssd.conf` to be `ldap` so that it gets my group info from FreeIPA. > >>>>>> But when I do this, the authentication doesn't work. > >>>>>> > >>>>>> Is there a way to either force pam/sssd to check the certificates > >>>>>> against AD while still getting groups and names from ldap, or to get > >>>>>> FreeIPA to approve the certificates? > >>>>>> > >>>>>> I know this might be a very corner case, but if we make it works, this > >>>>>> would be beautiful. > >>>>> > >>>> > >>>> Thanks Rob! > >>>> > >>>>> IMHO you should cross-post this to the SSSD users list as this seems > >>>>> more their area, > >>>>> https://lists.fedorahosted.org/archives/list/sssd-us...@lists.fedorahosted.org/ > >>>> > >>>> I posted it there first, tbh, but got no reply. > >>>> > >>>>> I think expanding on your configuration would help too. Are you using > >>>>> the IPA certificate mapping to map the AD-issued certificates to an IPA > >>>>> user for authentication? > >>>> > >>>> No. The users are the same on both - same uid, gid, etc, but no > >>>> connection, trust, or anything. > >>>> The mapping on sssd.conf is this one: > >>>> > >>>> [certmap/mydomain.com/truesso] #Add this section and > >>>> following lines to set match and map rule for certificate user > >>>> matchrule = <EKU>msScLogin > >>>> maprule = > >>>> (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name})) > >>>> domains = mydomain.com > >>>> priority = 10 > >>>> > >>>> When id_provider = ad, it works, but not when it is `ldap`. But the > >>>> users, in principle, are the same. Could it be those attributes that are > >>>> wrong? > >>> > >>> Hi, > >>> > >>> with 'id_provider = ad' the 'auth_provider' will be 'ad' as well, which > >>> is basically 'auth_provider = krb5' and Smartcard authentication is done > >>> the Kerberos way. With 'id_provider = ldap' the 'auth_provider' will be > >>> 'ldap' as well, so you might have to explicitly add 'auth_provider = > >>> krb5' > >>> > >>> Additionally, the 'maprule' is looking for LDAP attributes, so you IPA > >>> user must at least have the 'userPrincipal' attribute set with the > >>> principal which is stored in the subject alternative names of the > >>> certificate. > >>> > >>> Feel free to add 'debug_level = 9' to the [pam] and [domain/...] > >>> sections of sssd.conf, restart SSSD, try again and send the SSSD logs > >>> here. > >>> > >>> bye, > >>> Sumit > >> > >> > >> Hi Sumit, > >> > >> It fails on RHEL 9, though - before I was doing it on RHEL 9. > >> > >> I get this: > >> > >> Jun 28 07:21:09 sso-rhel-test krb5_child[3447]: Pre-authentication failed: > >> Preauthentication failed > >> Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: > >> pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 > >> tty= ruser= rhost= user=francis > >> Jun 28 07:21:09 sso-rhel-test krb5_child[3447]: Pre-authentication failed: > >> Preauthentication failed > >> Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: > >> pam_sss(gdm-password:auth): received for user francis: 7 (Authentication > >> failure) > >> Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: gkr-pam: unable to > >> locate daemon control file > >> Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: gkr-pam: stashed > >> password to try later in open ses > >> > >> Exact same configuration. Neither password nor certificate works, though > >> password works on ssh. > >> > >> Any tips here? > > > > Hi, > > > > this might be related to > > https://bugzilla.redhat.com/show_bug.cgi?id=2214300 > > (https://bugzilla.redhat.com/show_bug.cgi?id=2155607 is the > > corresponding RHEL-9 ticket, but this is mostly private). Does it work > > any better if you set > > > > update-crypto-policies --set LEGACY:AD-SUPPORT-LEGACY > > > > bye, > > Sumit > > > > Not really. I get this: > > Jun 28 08:02:00 sso-rhel-test krb5_child[3019]: Pre-authentication failed: > Preauthentication failed > Jun 28 08:02:00 sso-rhel-test krb5_child[3019]: Pre-authentication failed: > Preauthentication failed > Jun 28 08:02:00 sso-rhel-test desktopWorker[2835]: pam_sss(gdm-vmwcred:auth): > authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=francis > Jun 28 08:02:00 sso-rhel-test desktopWorker[2835]: pam_sss(gdm-vmwcred:auth): > received for user francis: 7 (Authentication failure) > Jun 28 08:02:01 sso-rhel-test krb5_child[3083]: Cannot read password > Jun 28 08:02:01 sso-rhel-test krb5_child[3083]: Cannot read password > Jun 28 08:02:01 sso-rhel-test desktopWorker[2835]: pam_sss(gdm-vmwcred:auth): > authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=francis > Jun 28 08:02:01 sso-rhel-test desktopWorker[2835]: pam_sss(gdm-vmwcred:auth): > received for user francis: 15 (Authentication service cannot retrieve user > credentials) > Jun 28 08:02:01 sso-rhel-test desktopWorker[2835]: gkr-pam: unable to locate > daemon control file > Jun 28 08:02:01 sso-rhel-test desktopWorker[2835]: gkr-pam: stashed password > to try later in open session > Jun 28 08:02:10 sso-rhel-test krb5_child[3112]: Pre-authentication failed: > Preauthentication failed > Jun 28 08:02:10 sso-rhel-test krb5_child[3112]: Pre-authentication failed: > Preauthentication failed > Jun 28 08:02:10 sso-rhel-test desktopWorker[2835]: > pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 > tty= ruser= rhost= user=francis > Jun 28 08:02:10 sso-rhel-test desktopWorker[2835]: > pam_sss(gdm-password:auth): received for user francis: 7 (Authentication > failure) > Jun 28 08:02:10 sso-rhel-test desktopWorker[2835]: gkr-pam: unable to locate > daemon control file
Hi, can you set 'debug_level = 9' in the [pam] and [domain/...] sections of sssd.conf, restart SSSD, try to authenticate again and send all the logs from /var/log/sssd? bye, Sumit > > Best, > > Francis > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
