Yes:

Package krb5-pkinit-1.20.1-8.el9.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!

Best,
Francis

> On 28 Jun 2023, at 08:03, Francis Augusto Medeiros-Logeay via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
>> On 28 Jun 2023, at 07:50, Sumit Bose via FreeIPA-users
>> <freeipa-users@lists.fedorahosted.org> wrote:
>>
>> On Wed, Jun 28, 2023 at 07:23:58AM +0200, Francis Augusto Medeiros-Logeay wrote:
>>>
>>>> On 23 Jun 2023, at 10:52, Sumit Bose via FreeIPA-users
>>>> <freeipa-users@lists.fedorahosted.org> wrote:
>>>>
>>>> On Fri, Jun 23, 2023 at 09:03:55AM +0200, Francis Augusto Medeiros-Logeay
>>>> via FreeIPA-users wrote:
>>>>>
>>>>>> On 22 Jun 2023, at 14:48, Rob Crittenden via FreeIPA-users
>>>>>> <freeipa-users@lists.fedorahosted.org> wrote:
>>>>>>
>>>>>> Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> We have an application that requires Active Directory. In order to
>>>>>>> provide SSO, the application gets a user certificate from AD and, as I
>>>>>>> understand, uses it towards a RHEL machine as a smart card. I installed
>>>>>>> AD's CA certificates on the RHEL client and it works when sssd.conf is
>>>>>>> all configured towards AD.
>>>>>>>
>>>>>>> I've joined the client to AD, as I said, but I do want my `id_provider`
>>>>>>> in `sssd.conf` to be `ldap` so that it gets my group info from FreeIPA.
>>>>>>> But when I do this, the authentication doesn't work.
>>>>>>>
>>>>>>> Is there a way to either force pam/sssd to check the certificates
>>>>>>> against AD while still getting groups and names from ldap, or to get
>>>>>>> FreeIPA to approve the certificates?
>>>>>>>
>>>>>>> I know this might be a very corner case, but if we make it work, this
>>>>>>> would be beautiful.
>>>>>>
>>>>>
>>>>> Thanks Rob!
>>>>>
>>>>>> IMHO you should cross-post this to the SSSD users list as this seems
>>>>>> more their area,
>>>>>> https://lists.fedorahosted.org/archives/list/sssd-us...@lists.fedorahosted.org/
>>>>>
>>>>> I posted it there first, tbh, but got no reply.
>>>>>
>>>>>> I think expanding on your configuration would help too. Are you using
>>>>>> the IPA certificate mapping to map the AD-issued certificates to an IPA
>>>>>> user for authentication?
>>>>>
>>>>> No. The users are the same on both - same uid, gid, etc, but no
>>>>> connection, trust, or anything.
>>>>> The mapping on sssd.conf is this one:
>>>>>
>>>>> [certmap/mydomain.com/truesso]
>>>>> #Add this section and following lines to set match and map rule for certificate user
>>>>> matchrule = <EKU>msScLogin
>>>>> maprule = (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
>>>>> domains = mydomain.com
>>>>> priority = 10
>>>>>
>>>>> When id_provider = ad, it works, but not when it is `ldap`. But the
>>>>> users, in principle, are the same. Could it be those attributes that are
>>>>> wrong?
>>>>
>>>> Hi,
>>>>
>>>> with 'id_provider = ad' the 'auth_provider' will be 'ad' as well, which
>>>> is basically 'auth_provider = krb5' and Smartcard authentication is done
>>>> the Kerberos way. With 'id_provider = ldap' the 'auth_provider' will be
>>>> 'ldap' as well, so you might have to explicitly add 'auth_provider =
>>>> krb5'.
>>>>
>>>> Additionally, the 'maprule' is looking for LDAP attributes, so your IPA
>>>> user must at least have the 'userPrincipal' attribute set with the
>>>> principal which is stored in the subject alternative names of the
>>>> certificate.
>>>>
>>>> Feel free to add 'debug_level = 9' to the [pam] and [domain/...]
>>>> sections of sssd.conf, restart SSSD, try again and send the SSSD logs
>>>> here.
>>>>
>>>> bye,
>>>> Sumit
>>>
>>>
>>> Hi Sumit,
>>>
>>> It fails on RHEL 9, though - before I was doing it on RHEL 9.
>>>
>>> I get this:
>>>
>>> Jun 28 07:21:09 sso-rhel-test krb5_child[3447]: Pre-authentication failed: Preauthentication failed
>>> Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=francis
>>> Jun 28 07:21:09 sso-rhel-test krb5_child[3447]: Pre-authentication failed: Preauthentication failed
>>> Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: pam_sss(gdm-password:auth): received for user francis: 7 (Authentication failure)
>>> Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: gkr-pam: unable to locate daemon control file
>>> Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: gkr-pam: stashed password to try later in open ses
>>>
>>> Exact same configuration. Neither password nor certificate works, though
>>> password works on ssh.
>>>
>>> Any tips here?
>>
>> Hi,
>>
>> this might be related to
>> https://bugzilla.redhat.com/show_bug.cgi?id=2214300
>> (https://bugzilla.redhat.com/show_bug.cgi?id=2155607 is the
>> corresponding RHEL-9 ticket, but this is mostly private). Does it work
>> any better if you set
>>
>> update-crypto-policies --set LEGACY:AD-SUPPORT-LEGACY
>>
>> bye,
>> Sumit
>>
>
> Not really. I get this:
>
> Jun 28 08:02:00 sso-rhel-test krb5_child[3019]: Pre-authentication failed: Preauthentication failed
> Jun 28 08:02:00 sso-rhel-test krb5_child[3019]: Pre-authentication failed: Preauthentication failed
> Jun 28 08:02:00 sso-rhel-test desktopWorker[2835]: pam_sss(gdm-vmwcred:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=francis
> Jun 28 08:02:00 sso-rhel-test desktopWorker[2835]: pam_sss(gdm-vmwcred:auth): received for user francis: 7 (Authentication failure)
> Jun 28 08:02:01 sso-rhel-test krb5_child[3083]: Cannot read password
> Jun 28 08:02:01 sso-rhel-test krb5_child[3083]: Cannot read password
> Jun 28 08:02:01 sso-rhel-test desktopWorker[2835]: pam_sss(gdm-vmwcred:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=francis
> Jun 28 08:02:01 sso-rhel-test desktopWorker[2835]: pam_sss(gdm-vmwcred:auth): received for user francis: 15 (Authentication service cannot retrieve user credentials)
> Jun 28 08:02:01 sso-rhel-test desktopWorker[2835]: gkr-pam: unable to locate daemon control file
> Jun 28 08:02:01 sso-rhel-test desktopWorker[2835]: gkr-pam: stashed password to try later in open session
> Jun 28 08:02:10 sso-rhel-test krb5_child[3112]: Pre-authentication failed: Preauthentication failed
> Jun 28 08:02:10 sso-rhel-test krb5_child[3112]: Pre-authentication failed: Preauthentication failed
> Jun 28 08:02:10 sso-rhel-test desktopWorker[2835]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=francis
> Jun 28 08:02:10 sso-rhel-test desktopWorker[2835]: pam_sss(gdm-password:auth): received for user francis: 7 (Authentication failure)
> Jun 28 08:02:10 sso-rhel-test desktopWorker[2835]: gkr-pam: unable to locate daemon control file
>
> Best,
>
> Francis

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
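The two points Sumit raises in the thread (with `id_provider = ldap` the `auth_provider` silently defaults to `ldap`, so Kerberos-style smart-card authentication needs an explicit `auth_provider = krb5`; and every attribute named in a certmap `maprule` must exist on the LDAP user entry) can be checked mechanically before restarting SSSD. The script below is an added example, not code from the thread or from the SSSD project. It parses an `sssd.conf` with Python's `configparser` and reports the mismatch; the two sample configurations are constructed for the demo, with only the `[certmap/mydomain.com/truesso]` section repeating the one posted in the thread. Hostnames, realm and search base in the samples are placeholders.

```python
"""Lint an sssd.conf for the certmap / auth_provider mismatch discussed in the
thread.  Added example, not code from the thread or from SSSD itself.  Both
sample configs are constructed; only the [certmap/...] section is the posted one.
"""
import configparser
import re

# auth providers that handle smart-card logins "the Kerberos way" (PKINIT);
# 'ad' and 'ipa' are krb5 underneath, as Sumit explains in the thread.
KERBEROS_AUTH_PROVIDERS = {"krb5", "ad", "ipa"}


def parse_sssd_conf(text):
    # interpolation=None keeps the {subject_principal} templates literal
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    return cfg


def effective_auth_provider(domain_section):
    """SSSD authenticates through id_provider when auth_provider is unset."""
    return domain_section.get("auth_provider", domain_section.get("id_provider"))


def maprule_attributes(maprule):
    """LDAP attribute names a certmap maprule searches on (userPrincipal and
    samAccountName in the posted rule); each must exist on the user entry."""
    return sorted(set(re.findall(r"\(([A-Za-z0-9]+)=", maprule)))


def required_user_attributes(text):
    cfg = parse_sssd_conf(text)
    return {s: maprule_attributes(cfg[s].get("maprule", ""))
            for s in cfg.sections() if s.startswith("certmap/")}


def check_sssd_conf(text):
    """Return a list of findings; an empty list means nothing looked wrong."""
    cfg = parse_sssd_conf(text)
    findings = []
    domains = {s.split("/", 1)[1]: cfg[s]
               for s in cfg.sections() if s.startswith("domain/")}

    # certificate logins are only attempted when pam_cert_auth is on
    if not cfg.has_section("pam") or not cfg["pam"].getboolean("pam_cert_auth", fallback=False):
        findings.append("[pam]: pam_cert_auth is not enabled, certificate logins are off")

    for section in cfg.sections():
        parts = section.split("/")
        if parts[0] != "certmap":
            continue
        if len(parts) != 3:
            findings.append(f"[{section}]: expected certmap/<domain>/<name>")
            continue
        domain, name = parts[1], parts[2]
        dom = domains.get(domain)
        if dom is None:
            findings.append(f"[{section}]: no [domain/{domain}] section for this rule")
            continue
        auth = effective_auth_provider(dom)
        if auth not in KERBEROS_AUTH_PROVIDERS:
            findings.append(
                f"[domain/{domain}]: auth_provider is effectively '{auth}' "
                f"(inherited from id_provider); certmap rule '{name}' needs "
                f"auth_provider = krb5 for Kerberos smart-card authentication")
        elif auth == "krb5" and not dom.get("krb5_realm"):
            findings.append(f"[domain/{domain}]: auth_provider = krb5 requires krb5_realm")
    return findings


# Constructed sample: id_provider = ldap with no auth_provider, as in the thread.
BROKEN_CONF = """
[sssd]
services = nss, pam
domains = mydomain.com

[pam]
pam_cert_auth = True

[domain/mydomain.com]
id_provider = ldap
ldap_uri = ldaps://ipa.example.test
ldap_search_base = dc=example,dc=test

[certmap/mydomain.com/truesso]
matchrule = <EKU>msScLogin
maprule = (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
domains = mydomain.com
priority = 10
"""

# Constructed sample with Sumit's suggested fix applied (realm/KDC are placeholders).
FIXED_CONF = BROKEN_CONF.replace(
    "id_provider = ldap\n",
    "id_provider = ldap\nauth_provider = krb5\n"
    "krb5_realm = AD.EXAMPLE.TEST\nkrb5_server = dc1.ad.example.test\n")

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, check_sssd_conf(conf) or "OK")
        print("  maprule needs:", required_user_attributes(conf))
```

Run it as-is to see the broken sample flagged and the fixed one pass; point `check_sssd_conf` at the contents of a real `/etc/sssd/sssd.conf` to lint it. The attribute list from `required_user_attributes` is what to compare against the IPA user entry with `ipa user-show --all` before chasing Kerberos errors.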