On Tue, Apr 11, 2017 at 04:24:51PM +0000, spammewo...@cox.net wrote:
> I made the changes in this Bugzilla report and it's still failing. When I
> click on Smartcard Authentication on the GDM login screen, I get the error
> message "Authentication failure". It looks like this Bugzilla was for IdM
> users using smart cards. I'm trying to use Active Directory users and
> smart cards.

Using IdM or AD shouldn't make a difference here. Did you change
/etc/pam.d/smartcard-auth according to comment #8 (similar changes are
needed on RHEL7 as well)? Please send the full SSSD logs, especially
sssd_pam.log, with debug_level=10 and /var/log/secure. Feel free to send
them to me directly if you do not want to share them on the list.

bye,
Sumit

>
> Here is my error log from /var/log/sssd/p11_child.log
> (Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [main] (0x0400): p11_child started.
> (Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [main] (0x2000): Running in [pre-auth] mode.
> (Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [main] (0x2000): Running with effective IDs: [0][0].
> (Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [main] (0x2000): Running with real IDs [0][0].
> (Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [parse_cert_verify_opts] (0x4000): Found 'no_ocsp' option, disabling OCSP.
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Default Module List:
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): common name: [NSS Internal PKCS #11 Module].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): dll name: [(null)].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): common name: [CoolKey PKCS #11 Module].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): dll name: [libcoolkeypk11.so].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Dead Module List:
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): DB Module List:
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): common name: [NSS Internal Module].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): dll name: [(null)].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): common name: [Policy File].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): dll name: [(null)].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Description [NSS User Private Key and Certificate Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Description [NSS Internal Cryptographic Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Description [SCM SCR 3310 00 00 Unknown ] Manufacturer [Unknown ] flags [7].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Found [SMITH.RYAN.123456] in slot [SCM SCR 3310 00 00][1] of module [2].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Token is NOT friendly.
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Trying to switch to friendly to read certificate.
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Login required.
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x0020): Login required but no pin available, continue.
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV ID Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV Email Signature Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV Email Encryption Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Filtered certificates:
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV ID Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV Email Signature Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): More than one certificate found, using just the first one.
>
>
> On Fri, Apr 7, 2017 at 4:35 AM, Sumit Bose wrote:
>
> > On Thu, Apr 06, 2017 at 06:36:43PM +0000, spammewo...@cox.net wrote:
> > > I have created a two-way trust between my IDM server and Active Directory.
> > > I have been able to successfully get RHEL 7.3 IDM server and RHEL 7.3 IDM
> > > clients to allow Active Directory login using CAC smart cards into Gnome.
> > > I'm using SSSD for the smart card login process instead of authconfig and
> > > pkcs11. I'm currently trying to get the same thing working for RHEL 6.9,
> > > but I have not been able to get it to work. The latest version of SSSD on
> > > RHEL 6.9 is 1.13.3 and from my understanding I need to have at least 1.14.0
> > > for SSSD to handle AD smart card logins. So, I have tried to configure
> >
> > The Smartcard authentication feature was backported to RHEL-6.9.
> >
> > Please note that the GDM Smartcard feature must be configured
> > differently in RHEL6 than in RHEL7; details for RHEL-6.9 can e.g. be found
> > in https://bugzilla.redhat.com/show_bug.cgi?id=1300421#c13
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> > > pam_pkcs11.conf file to use the pwent mapper to link the Common Name (CN) to
> > > the Active Directory user account. I have created a User ID Override for
> > > the AD user and added the CN name from the certificate on the smart card into
> > > the GECOS field. I also have added all three certificates from the CAC
> > > smart card into the User ID Override.
> > >
> > > When I try and log in, I get this error message in /var/log/secure:
> > > Apr 6 13:21:57 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): pam_get_pwd() failed: Conversation error
> > > Apr 6 13:22:17 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): find_user() failed: on cert #1
> > > Apr 6 13:22:17 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): find_user() failed: on cert #2
> > > Apr 6 13:22:17 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): no valid certificate which meets all requirements found
> > >
> > > Here are some details:
> > > IDM Domain: idm.domain.local
> > > Windows Domain: domain.local
> > > RHEL 7.3 IDM Server: site-idm01.idm.domain.local
> > > RHEL 6.9 IDM Client : site-lws05.idm.domain.local
> > >
> > > When I run the getent command on local accounts and IDM accounts I get user
> > > details, but when I run the command on AD accounts it doesn't find them.
> > > So, I'm wondering if that's why it's not finding the CN name in the GECOS
> > > field. I'm trying to avoid using the cn_map on the clients, because we
> > > have a large amount of users and that's a lot of extra work to manage that
> > > file. That's why I wanted to use the pwent mapper.
> > >
> > > Here is my SSSD config file from the RHEL 6.9 client:
> > > [domain/idm.domain.local]
> > > override_shell = /bin/bash
> > > debug_level = 9
> > > cache_credentials = True
> > > krb5_store_password_if_offline = True
> > > ipa_domain = idm.domain.local
> > > id_provider = ipa
> > > auth_provider = ipa
> > > access_provider = ipa
> > > ipa_hostname = site-lws05.idm.domain.local
> > > chpass_provider = ipa
> > > ipa_server = _srv_, site-idm01.idm.domain.local
> > > ldap_tls_cacert = /etc/ipa/ca.crt
> > > [sssd]
> > > debug_level = 9
> > > services = nss, sudo, pam, ssh, ifp
> > > domains = idm.domain.local
> > > certificate_verification = no_ocsp
> > > ldap_user_certificate = userCertificate;binary
> > > [nss]
> > > debug_level = 9
> > > homedir_substring = /home
> > > [pam]
> > > debug_level = 9
> > > pam_cert_auth = True
> > > [sudo]
> > > debug_level = 9
> > > [autofs]
> > > debug_level = 9
> > > [ssh]
> > > debug_level = 9
> > > [pac]
> > > debug_level = 9
> > > [ifp]
> > > debug_level = 9
> > >
> > > Here is my nsswitch file from the RHEL 6.9 client:
> > > # /etc/nsswitch.conf
> > > #
> > > # An example Name Service Switch config file. This file should be
> > > # sorted with the most-used services at the beginning.
> > > #
> > > # The entry '[NOTFOUND=return]' means that the search for an
> > > # entry should stop if the search in the previous entry turned
> > > # up nothing. Note that if the search failed due to some other reason
> > > # (like no NIS server responding) then the search continues with the
> > > # next entry.
> > > #
> > > # Valid entries include:
> > > #
> > > # nisplus                 Use NIS+ (NIS version 3)
> > > # nis                     Use NIS (NIS version 2), also called YP
> > > # dns                     Use DNS (Domain Name Service)
> > > # files                   Use the local files
> > > # db                      Use the local database (.db) files
> > > # compat                  Use NIS on compat mode
> > > # hesiod                  Use Hesiod for user lookups
> > > # [NOTFOUND=return]       Stop searching if not found so far
> > > #
> > > # To use db, put the "db" in front of "files" for entries you want to be
> > > # looked up first in the databases
> > > #
> > > # Example:
> > > #passwd:    db files nisplus nis
> > > #shadow:    db files nisplus nis
> > > #group:     db files nisplus nis
> > > passwd:     files sss
> > > shadow:     files sss
> > > group:      files sss
> > > #hosts:     db files nisplus nis dns
> > > hosts:      files dns
> > > # Example - obey only what nisplus tells us...
> > > #services:   nisplus [NOTFOUND=return] files
> > > #networks:   nisplus [NOTFOUND=return] files
> > > #protocols:  nisplus [NOTFOUND=return] files
> > > #rpc:        nisplus [NOTFOUND=return] files
> > > #ethers:     nisplus [NOTFOUND=return] files
> > > #netmasks:   nisplus [NOTFOUND=return] files
> > > bootparams: nisplus [NOTFOUND=return] files
> > > ethers:     files
> > > netmasks:   files
> > > networks:   files
> > > protocols:  files
> > > rpc:        files
> > > services:   files sss
> > > netgroup:   files sss
> > > publickey:  nisplus
> > > automount:  files sss
> > > aliases:    files nisplus
> > > sudoers:    files sss
> > >
> > > Here is my system-auth from the RHEL 6.9 client:
> > > #%PAM-1.0
> > > # This file is auto-generated.
> > > # User changes will be destroyed the next time authconfig is run.
> > > auth        required      pam_env.so
> > > auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
> > > auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so card_only
> > > auth        sufficient    pam_fprintd.so
> > > auth        sufficient    pam_unix.so nullok try_first_pass
> > > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > > auth        sufficient    pam_sss.so use_first_pass
> > > auth        required      pam_deny.so
> > > account     required      pam_unix.so
> > > account     sufficient    pam_localuser.so
> > > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > > account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> > > account     required      pam_permit.so
> > > password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> > > password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> > > password    sufficient    pam_sss.so use_authtok
> > > password    required      pam_deny.so
> > > session     optional      pam_keyinit.so revoke
> > > session     required      pam_limits.so
> > > session     optional      pam_oddjob_mkhomedir.so umask=0077
> > > session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > > session     required      pam_unix.so
> > > session     optional      pam_sss.so
> > >
> > > Here is my password-auth from the RHEL 6.9 client:
> > > #%PAM-1.0
> > > # This file is auto-generated.
> > > # User changes will be destroyed the next time authconfig is run.
> > > auth        required      pam_env.so
> > > auth        sufficient    pam_unix.so nullok try_first_pass
> > > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > > auth        sufficient    pam_sss.so use_first_pass
> > > auth        required      pam_deny.so
> > > account     required      pam_unix.so
> > > account     sufficient    pam_localuser.so
> > > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > > account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> > > account     required      pam_permit.so
> > > password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> > > password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> > > password    sufficient    pam_sss.so use_authtok
> > > password    required      pam_deny.so
> > > session     optional      pam_keyinit.so revoke
> > > session     required      pam_limits.so
> > > session     optional      pam_oddjob_mkhomedir.so umask=0077
> > > session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > > session     required      pam_unix.so
> > > session     optional      pam_sss.so
> > >
> > > Here is my smartcard-auth from the RHEL 6.9 client:
> > > #%PAM-1.0
> > > # This file is auto-generated.
> > > # User changes will be destroyed the next time authconfig is run.
> > > auth        required      pam_env.so
> > > auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
> > > auth        required      pam_deny.so
> > > account     required      pam_unix.so
> > > account     sufficient    pam_localuser.so
> > > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > > account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> > > account     required      pam_permit.so
> > > password    required      pam_pkcs11.so
> > > session     optional      pam_keyinit.so revoke
> > > session     required      pam_limits.so
> > > session     optional      pam_oddjob_mkhomedir.so umask=0077
> > > session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > > session     required      pam_unix.so
> > > session     optional      pam_sss.so
> > >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
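As an added example (not code from the thread or from SSSD itself): a small Python parser for the p11_child.log lines quoted above. It reports which token and certificates the pre-auth run saw, whether OCSP was disabled, and which certificate SSSD went on with, so a defender can confirm the card side worked before turning to the PAM stack and the sssd_pam.log that Sumit asks for. The sample lines are constructed from the quoted log, and the regular expressions are my assumptions about that log format.

```python
import re

# Constructed sample: a subset of the p11_child.log lines quoted in the thread (not a real capture).
SAMPLE_LOG = """\
(Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [main] (0x2000): Running in [pre-auth] mode.
(Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [parse_cert_verify_opts] (0x4000): Found 'no_ocsp' option, disabling OCSP.
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Found [SMITH.RYAN.123456] in slot [SCM SCR 3310 00 00][1] of module [2].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x0020): Login required but no pin available, continue.
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV ID Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV Email Signature Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV Email Encryption Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Filtered certificates:
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV ID Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV Email Signature Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): More than one certificate found, using just the first one.
"""

# Assumed line shape: (timestamp) [[sssd[p11_child[PID]]]] [function] (level): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[\[sssd\[p11_child\[(?P<pid>\d+)\]\]\]\] "
                     r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
CERT_RE = re.compile(r"^found cert\[(?P<label>[^\]]+)\]\[(?P<subject>[^\]]+)\]$")
TOKEN_RE = re.compile(r"^Found \[(?P<token>[^\]]+)\] in slot \[(?P<slot>[^\]]+)\]\[\d+\] of module \[\d+\]\.$")

def summarize_p11_child(log_text):
    """Report what p11_child saw on the card and which certificate it went on with."""
    s = {"mode": None, "ocsp_disabled": False, "token": None, "slot": None,
         "pin_missing": False, "certs": [], "filtered": [], "selected": None}
    bucket = "certs"  # certificates listed after "Filtered certificates:" go to "filtered"
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):  # skip non-matching lines
        msg = m.group("msg")
        if msg.startswith("Running in ["):
            s["mode"] = msg.split("[", 1)[1].split("]", 1)[0]
        elif "disabling OCSP" in msg:
            s["ocsp_disabled"] = True  # certificate_verification = no_ocsp was honoured
        elif msg == "Login required but no pin available, continue.":
            s["pin_missing"] = True  # expected in pre-auth: the PIN is collected later
        elif msg == "Filtered certificates:":
            bucket = "filtered"
        elif msg.startswith("More than one certificate found"):
            s["selected"] = s["filtered"][0]  # SSSD goes on with the first filtered cert
        elif (t := TOKEN_RE.match(msg)):
            s["token"], s["slot"] = t.group("token"), t.group("slot")
        elif (c := CERT_RE.match(msg)):
            s[bucket].append((c.group("label"), c.group("subject")))
    if s["selected"] is None and len(s["filtered"]) == 1:
        s["selected"] = s["filtered"][0]  # single match: no "More than one" line is logged
    return s
```

Run it over a real /var/log/sssd/p11_child.log to see at a glance whether the card, the certificate filter and the OCSP setting behaved as expected before the PAM conversation started.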