On Thu, Apr 06, 2017 at 06:36:43PM +0000, spammewo...@cox.net wrote:
> I have created a two way trust between my IDM server and Active Directory.
> I have been able to successfully get RHEL 7.3 IDM server and RHEL 7.3 IDM
> clients to allow Active Directory login using CAC smart cards into Gnome.
> I'm using SSSD for the smart card login process instead of authconfig and
> pkcs11. I'm currently trying to get the same thing working for RHEL 6.9,
> but I have not been able to get it to work. The latest version of SSSD on
> RHEL 6.9 is 1.13.3 and from my understanding I need to have at least 1.14.0
> for SSSD to handle AD smart card logins. So, I have tried to configure

The Smartcard authentication feature was backported to RHEL-6.9. Please note
that the GDM Smartcard feature must be configured differently in RHEL6 than
in RHEL7; details for RHEL-6.9 can e.g. be found in
https://bugzilla.redhat.com/show_bug.cgi?id=1300421#c13

HTH

bye,
Sumit

> pam_pkcs11.conf file to use the pwent mapper to link the Common Name (CN) to
> the Active Directory User account. I have created a User ID Override for
> the AD user and added the CN name from the Certificate on the smart card into
> the GECOS field. I also have added all three certificates from the CAC
> smart card into the User ID Override.
>
> When I try and log in, I get this error message in /var/log/secure:
> Apr 6 13:21:57 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): pam_get_pwd() failed: Conversation error
> Apr 6 13:22:17 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): find_user() failed: on cert #1
> Apr 6 13:22:17 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): find_user() failed: on cert #2
> Apr 6 13:22:17 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): no valid certificate which meets all requirements found
>
> Here are some details:
> IDM Domain: idm.domain.local
> Windows Domain: domain.local
> RHEL 7.3 IDM Server: site-idm01.idm.domain.local
> RHEL 6.9 IDM Client : site-lws05.idm.domain.local
>
> When I run the getent command on local accounts and IDM accounts I get user
> details, but when I run the command on AD accounts it doesn't find them.
> So, I'm wondering if that's why it's not finding the CN name in the GECOS
> field. I'm trying to avoid using the cn_map on the clients, because we
> have a large amount of users and that's a lot of extra work to manage that
> file. That's why I wanted to use the pwent mapper.
>
> Here is my SSSD config file from the RHEL 6.9 client:
> [domain/idm.domain.local]
> override_shell = /bin/bash
> debug_level = 9
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = idm.domain.local
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = site-lws05.idm.domain.local
> chpass_provider = ipa
> ipa_server = _srv_, site-idm01.idm.domain.local
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> debug_level = 9
> services = nss, sudo, pam, ssh, ifp
> domains = idm.domain.local
> certificate_verification = no_ocsp
> ldap_user_certificate = userCertificate;binary
> [nss]
> debug_level = 9
> homedir_substring = /home
> [pam]
> debug_level = 9
> pam_cert_auth = True
> [sudo]
> debug_level = 9
> [autofs]
> debug_level = 9
> [ssh]
> debug_level = 9
> [pac]
> debug_level = 9
> [ifp]
> debug_level = 9
>
> Here is my nsswitch file from the RHEL 6.9 client:
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Valid entries include:
> #
> # nisplus Use NIS+ (NIS version 3)
> # nis Use NIS (NIS version 2), also called YP
> # dns Use DNS (Domain Name Service)
> # files Use the local files
> # db Use the local database (.db) files
> # compat Use NIS on compat mode
> # hesiod Use Hesiod for user lookups
> # [NOTFOUND=return] Stop searching if not found so far
> #
> # To use db, put the "db" in front of "files" for entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd: db files nisplus nis
> #shadow: db files nisplus nis
> #group: db files nisplus nis
> passwd: files sss
> shadow: files sss
> group: files sss
> #hosts: db files nisplus nis dns
> hosts: files dns
> # Example - obey only what nisplus tells us...
> #services: nisplus [NOTFOUND=return] files
> #networks: nisplus [NOTFOUND=return] files
> #protocols: nisplus [NOTFOUND=return] files
> #rpc: nisplus [NOTFOUND=return] files
> #ethers: nisplus [NOTFOUND=return] files
> #netmasks: nisplus [NOTFOUND=return] files
> bootparams: nisplus [NOTFOUND=return] files
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files sss
> netgroup: files sss
> publickey: nisplus
> automount: files sss
> aliases: files nisplus
> sudoers: files sss
>
> Here is my system-auth from the RHEL 6.9 client:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
> auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so card_only
> auth sufficient pam_fprintd.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_sss.so use_first_pass
> auth required pam_deny.so
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_oddjob_mkhomedir.so umask=0077
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
>
> Here is my password-auth from the RHEL 6.9 client:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_sss.so use_first_pass
> auth required pam_deny.so
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_oddjob_mkhomedir.so umask=0077
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
>
> Here is my smartcard-auth from the RHEL 6.9 client:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
> auth required pam_deny.so
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
> password required pam_pkcs11.so
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_oddjob_mkhomedir.so umask=0077
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
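The pwent mapper the poster relies on only succeeds when NSS returns a passwd entry whose login name or GECOS field equals the certificate CN, so the getent miss on AD users and the find_user() failures in /var/log/secure are one and the same problem. The Python below is an added example, not code from the thread or from pam_pkcs11: it models that lookup over constructed passwd entries (the user names and the CAC CN are hypothetical) and can also be pointed at the live NSS view on a client.

```python
import pwd
import sys
from typing import Iterable, List, NamedTuple, Optional


class PwEntry(NamedTuple):
    pw_name: str
    pw_gecos: str


def system_passwd() -> Iterable[PwEntry]:
    """The view the pwent mapper gets: whatever NSS ('passwd: files sss') returns."""
    for p in pwd.getpwall():
        yield PwEntry(p.pw_name, p.pw_gecos)


def find_user_by_cn(cn: str, entries: Iterable[PwEntry],
                    ignorecase: bool = True) -> Optional[str]:
    """pwent mapper rule: the certificate CN must equal pw_name or pw_gecos.

    Returns the login name on a match, else None, which pam_pkcs11 logs as
    'find_user() failed: on cert #N' for each certificate it tries.
    """
    norm = str.casefold if ignorecase else (lambda s: s)
    for e in entries:
        if norm(cn) in (norm(e.pw_name), norm(e.pw_gecos)):
            return e.pw_name
    return None


# Constructed passwd views (hypothetical names) for the two situations in the thread.
# 1) getent does not return the AD trust user: only local and IdM users are visible.
WITHOUT_AD_USER: List[PwEntry] = [PwEntry("root", "root"),
                                  PwEntry("ipauser", "IdM Test User")]
# 2) the AD user resolves through the trust and an ID override put the CAC CN in GECOS.
CAC_CN = "DOE.JOHN.A.1234567890"
WITH_OVERRIDE: List[PwEntry] = WITHOUT_AD_USER + [PwEntry("jdoe@domain.local", CAC_CN)]


def explain(cn: str, entries: Iterable[PwEntry]) -> str:
    """One-line verdict in the wording pam_pkcs11 uses in /var/log/secure."""
    user = find_user_by_cn(cn, entries)
    return f"CN {cn!r} -> {user}" if user else f"CN {cn!r} -> find_user() failed"


if __name__ == "__main__":
    # Pass the CN from the card to check the live NSS view on a client.
    cn = sys.argv[1] if len(sys.argv) > 1 else CAC_CN
    print(explain(cn, WITHOUT_AD_USER))
    print(explain(cn, WITH_OVERRIDE))
    print(explain(cn, system_passwd()))
```

Running it on the client with the real CN after applying the ID override (and clearing the SSSD cache) shows directly whether the mapper can see the AD user at all, independent of GDM.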