[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT
On Tue, Jun 04, 2019 at 09:54:45AM -0400, Robbie Harwood via FreeIPA-users wrote:
> Khurrum Maqb via FreeIPA-users writes:
>
> > That worked! Thanks so much! I can login and successfully receive a
> > kerberos ticket when using a smartcard to login.
> > I also added the following to /etc/krb5.conf to match only a single cert
> > for pkinit
> >
> > pkinit_cert_match = &&<EKU>msScLogin,clientAuth<KU>digitalSignature
> >
> > I am now down to 15 seconds for logins (which is better than the 30-50
> > seconds) which is still on the slow side but I think the reason might
> > be the 4 valid and 5 expired certs on the card. I'm guessing it might
> > be looping through all the certs which is adding all this extra
> > time. Just off the top of your head, do you know if there is a krb and
> > p11 config somewhere that would allow me to limit desktop/client
> > device logins to using only slot 01 on the card and ignore the rest?
>
> krb5 lets you specify this on a global basis in the configuration file,
> but it doesn't sound like what you want. (See the penultimate section
> of "Specifying PKINIT identity information" in krb5.conf(5).)

On the SSSD side, which is responsible for the login, you can use the
p11_uri option with recent versions. If there is an entry for p11_uri in
man sssd.conf your platform should already support this and it can be used.

HTH

bye,
Sumit

> Thanks,
> --Robbie

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT
Khurrum Maqb via FreeIPA-users writes:

> That worked! Thanks so much! I can login and successfully receive a kerberos
> ticket when using a smartcard to login.
> I also added the following to /etc/krb5.conf to match only a single cert for
> pkinit
>
> pkinit_cert_match = &&<EKU>msScLogin,clientAuth<KU>digitalSignature
>
> I am now down to 15 seconds for logins (which is better than the 30-50
> seconds) which is still on the slow side but I think the reason might
> be the 4 valid and 5 expired certs on the card. I'm guessing it might
> be looping through all the certs which is adding all this extra
> time. Just off the top of your head, do you know if there is a krb and
> p11 config somewhere that would allow me to limit desktop/client
> device logins to using only slot 01 on the card and ignore the rest?

krb5 lets you specify this on a global basis in the configuration file,
but it doesn't sound like what you want. (See the penultimate section of
"Specifying PKINIT identity information" in krb5.conf(5).)

Thanks,
--Robbie
[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT
That worked! Thanks so much! I can login and successfully receive a
kerberos ticket when using a smartcard to login.

I also added the following to /etc/krb5.conf to match only a single cert
for pkinit

pkinit_cert_match = &&<EKU>msScLogin,clientAuth<KU>digitalSignature

I am now down to 15 seconds for logins (which is better than the 30-50
seconds) which is still on the slow side but I think the reason might
be the 4 valid and 5 expired certs on the card. I'm guessing it might
be looping through all the certs which is adding all this extra
time. Just off the top of your head, do you know if there is a krb and
p11 config somewhere that would allow me to limit desktop/client
device logins to using only slot 01 on the card and ignore the rest?

Thank you so much again.
[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT
On 5/29/19 3:36 PM, Sumit Bose via FreeIPA-users wrote:
> On Wed, May 29, 2019 at 01:19:19PM -, Khurrum Maqb via FreeIPA-users wrote:
>> They are indeed all self signed:
>>
>> #openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -issuer -subject -noout
>> issuer= /O=DOMAIN.COM/CN=server1.dom.ain
>> subject= /O=DOMAIN.COM/CN=server1.dom.ain
>>
>> #openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -issuer -subject -noout
>> issuer= /O=DOMAIN.COM/CN=server2.dom.ain
>> subject= /O=DOMAIN.COM/CN=server2.dom.ain
>
> Florence, do you know from the top of your head the steps to recreate
> proper KDC certificates signed by the IPA CA?

Hi,

running "ipa-pkinit-manage enable" should re-create the KDC cert. Note
that there was an issue with this command (see #7200 ipa-pkinit-manage
reports a switch from local pkinit to full pkinit configuration was
successful although it was not [1]). IIRC the workaround is to delete the
cert before calling ipa-pkinit-manage enable.

HTH,
flo

[1] https://pagure.io/freeipa/issue/7200

> bye,
> Sumit
>
>> and so on..
>>
>> So if I understand correctly, these all should have been signed by the IPA
>> CA?
>>
>> And re: OCSP - I'll go ahead and check how I can either change the location,
>> or setup a CNAME to point the existing address in the cert to a working ocsp
>> responder.
[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT
On Wed, May 29, 2019 at 01:19:19PM -, Khurrum Maqb via FreeIPA-users wrote:
> They are indeed all self signed:
>
> #openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -issuer -subject -noout
> issuer= /O=DOMAIN.COM/CN=server1.dom.ain
> subject= /O=DOMAIN.COM/CN=server1.dom.ain
>
> #openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -issuer -subject -noout
> issuer= /O=DOMAIN.COM/CN=server2.dom.ain
> subject= /O=DOMAIN.COM/CN=server2.dom.ain

Florence, do you know from the top of your head the steps to recreate
proper KDC certificates signed by the IPA CA?

bye,
Sumit

> and so on..
>
> So if I understand correctly, these all should have been signed by the IPA
> CA?
>
> And re: OCSP - I'll go ahead and check how I can either change the location,
> or setup a CNAME to point the existing address in the cert to a working ocsp
> responder.
[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT
They are indeed all self signed:

#openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -issuer -subject -noout
issuer= /O=DOMAIN.COM/CN=server1.dom.ain
subject= /O=DOMAIN.COM/CN=server1.dom.ain

#openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -issuer -subject -noout
issuer= /O=DOMAIN.COM/CN=server2.dom.ain
subject= /O=DOMAIN.COM/CN=server2.dom.ain

and so on..

So if I understand correctly, these all should have been signed by the IPA
CA?

And re: OCSP - I'll go ahead and check how I can either change the location,
or setup a CNAME to point the existing address in the cert to a working ocsp
responder.
[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT
On Tue, May 28, 2019 at 08:27:41PM -, Khurrum Maqb via FreeIPA-users wrote:
> Oh I see. I misunderstood the result.
>
> ]# ipa pkinit-status
> -----------------
> 4 servers matched
> -----------------
>   Server name: server1.dom.ain
>   PKINIT status: enabled
>
>   Server name: server2.dom.ain
>   PKINIT status: enabled
>
>   Server name: server3.dom.ain
>   PKINIT status: enabled
>
>   Server name: server4.dom.ain
>   PKINIT status: enabled
>
> Number of entries returned 4
>
>
> And on all four:
>
> # ipa-pkinit-manage status
> PKINIT is enabled
> The ipa-pkinit-manage command was successful

Can you check with

    openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -issuer -subject -noout

on the servers if the certificates are self-signed (subject and issuer are
the same) or not?

bye,
Sumit

>
> And a new thing today -- none of my clients are able to enroll or unenroll
> to/from IPA showing the same error. I think it happened after running the
> script generated by ipa-advise config-server-for-smart-card-auth
>
> Authentication > Certificate Authorities is showing:
>
> cannot connect to 'https://server[X].dom.ain:443/ca/rest/account/login':
> [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1822)
>
> 907 RPC failed at server. cannot connect. Certificate issuance failed
> CA_UNREACHABLE. SSL: SSL_HANDSHAKE_FAILURE.
>
> I believe the only change was:
>
> certutil -M -n 'Server-Cert' -d "/etc/httpd/alias" -f
> /etc/httpd/alias/pwdfile.txt -t "Pu,u,u"?
>
> The output is:
>
> # certutil -d "/etc/httpd/alias" -L
>
> Certificate Nickname                 Trust Attributes
>                                      SSL,S/MIME,JAR/XPI
>
> DSTRootCAX3                          C,,
> ABC Operational CA 0                 CT,C,C
> Server-Cert                          Pu,u,u
> DOMAIN IPA CA                        CT,C,C
> letsencryptx3                        C,,
> ABC2 CA                              CT,C,C
> ABC3 CA                              CT,C,C
>
> This was working until very recently. I wonder if this is related to whatever
> is causing the PKINIT failure.
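The check Sumit asks for above (is the KDC certificate self-signed, i.e. subject equal to issuer, and does it chain to the kdc-ca-bundle.pem the clients use as pkinit_anchors), scripted as an added example that is not part of the thread. The paths are the ones quoted in the thread; the function names and exit codes are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies an IPA server's KDC
# certificate the way Sumit's check does (subject == issuer means
# self-signed, which breaks PKINIT/smart-card login) and then verifies it
# against the bundle clients use as pkinit_anchors. Paths are the ones
# quoted in the thread; function names are assumptions of this example.

KDC_CERT=/var/kerberos/krb5kdc/kdc.crt
KDC_CA_BUNDLE=/var/lib/ipa-client/pki/kdc-ca-bundle.pem

# Reads the output of
#   openssl x509 -in <cert> -issuer -subject -noout
# on stdin and prints one of: self-signed (status 1), ca-signed (status 0),
# unknown (status 2). Handles both the "issuer= /O=..." form shown in the
# thread (OpenSSL 1.0) and the "issuer=O = ..." form of OpenSSL 1.1+.
classify_cert_output() {
    issuer=""
    subject=""
    while IFS= read -r line; do
        case "$line" in
            issuer=*)  issuer=$(printf '%s' "${line#issuer=}" | sed 's/^[[:space:]]*//') ;;
            subject=*) subject=$(printf '%s' "${line#subject=}" | sed 's/^[[:space:]]*//') ;;
        esac
    done
    if [ -z "$issuer" ] || [ -z "$subject" ]; then
        echo "unknown"
        return 2
    fi
    if [ "$issuer" = "$subject" ]; then
        echo "self-signed"
        return 1
    fi
    echo "ca-signed"
    return 0
}

# Runs the real check on the server it is executed on. Fails when the KDC
# cert is self-signed or does not chain to the KDC CA bundle; in the thread
# the fix was "ipa-pkinit-manage enable" (after deleting the old cert, see
# freeipa issue #7200).
check_kdc_cert() {
    cert=${1:-$KDC_CERT}
    bundle=${2:-$KDC_CA_BUNDLE}
    kind=$(openssl x509 -in "$cert" -issuer -subject -noout | classify_cert_output)
    echo "$cert: $kind"
    if [ "$kind" != "ca-signed" ]; then
        echo "KDC certificate must be issued by the IPA CA, not self-signed" >&2
        return 1
    fi
    # "error 18 ... self signed certificate" here is the failure the thread hit;
    # a good cert prints "<file>: OK" and exits 0.
    openssl verify -CAfile "$bundle" "$cert"
}
```

Run check_kdc_cert on every server listed by ipa pkinit-status; a non-zero exit on any of them means PKINIT will fail for clients that trust only the IPA CA bundle.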
[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT
On Tue, May 28, 2019 at 08:43:33PM -, Khurrum Maqb via FreeIPA-users wrote:
> I apologize for the successive emails.
>
> FYI, the OCSP + the Server Cert error goes away and the CA starts responding
> after I turn NSSOCSP off in /etc/httpd/conf.d/nss.conf

ah, iirc you mentioned earlier that the OCSP URI in the certificates point
to a non-existing responder. You should fix this by making sure that
requests to this address are somehow handled by the current OCSP responder.

But I think this should not break PKINIT since the Kerberos libraries
currently do not use OCSP.

bye,
Sumit
[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT
I apologize for the successive emails.

FYI, the OCSP + the Server Cert error goes away and the CA starts responding
after I turn NSSOCSP off in /etc/httpd/conf.d/nss.conf
[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT
Nothing is expired

# getcert list | grep expires
        expires: 2020-08-04 18:40:09 UTC
        expires: 2020-08-04 18:40:14 UTC
        expires: 2020-07-06 04:26:59 UTC
        expires: 2020-07-06 04:21:02 UTC
        expires: 2020-07-06 04:22:18 UTC
        expires: 2020-07-06 04:25:55 UTC
        expires: 2020-08-10 21:29:31 UTC
        expires: 2020-07-24 19:02:25 UTC
        expires: 2019-08-04 19:04:27 UTC

HTTP logs are just saying

[Tue May 28 16:36:33.738622 2019] [:error] [pid 87622] Bad remote server certificate: -8071
[Tue May 28 16:36:33.738643 2019] [:error] [pid 87622] SSL Library Error: -8071 The OCSP server experienced an internal error
[Tue May 28 16:36:33.738708 2019] [:error] [pid 87622] Re-negotiation handshake failed: Not accepted by client!?
[Tue May 28 16:36:33.738762 2019] [:error] [pid 87622] SSL Library Error: -12116 Unknown
[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT
Oh I see. I misunderstood the result.

]# ipa pkinit-status
-----------------
4 servers matched
-----------------
  Server name: server1.dom.ain
  PKINIT status: enabled

  Server name: server2.dom.ain
  PKINIT status: enabled

  Server name: server3.dom.ain
  PKINIT status: enabled

  Server name: server4.dom.ain
  PKINIT status: enabled

Number of entries returned 4


And on all four:

# ipa-pkinit-manage status
PKINIT is enabled
The ipa-pkinit-manage command was successful

And a new thing today -- none of my clients are able to enroll or unenroll
to/from IPA showing the same error. I think it happened after running the
script generated by ipa-advise config-server-for-smart-card-auth

Authentication > Certificate Authorities is showing:

cannot connect to 'https://server[X].dom.ain:443/ca/rest/account/login':
[SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1822)

907 RPC failed at server. cannot connect. Certificate issuance failed
CA_UNREACHABLE. SSL: SSL_HANDSHAKE_FAILURE.

I believe the only change was:

certutil -M -n 'Server-Cert' -d "/etc/httpd/alias" -f
/etc/httpd/alias/pwdfile.txt -t "Pu,u,u"?

The output is:

# certutil -d "/etc/httpd/alias" -L

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

DSTRootCAX3                          C,,
ABC Operational CA 0                 CT,C,C
Server-Cert                          Pu,u,u
DOMAIN IPA CA                        CT,C,C
letsencryptx3                        C,,
ABC2 CA                              CT,C,C
ABC3 CA                              CT,C,C

This was working until very recently. I wonder if this is related to whatever
is causing the PKINIT failure.
[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT
On Tue, May 28, 2019 at 04:37:25PM -, Khurrum Maqb via FreeIPA-users wrote:
> Thanks!
>
> So on the IPA server that is listed in the client's /etc/ipa/default file I
> ran:
>
> # openssl verify -verbose -CAfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem /var/kerberos/krb5kdc/kdc.crt
> /var/kerberos/krb5kdc/kdc.crt: O = DOMAIN.COM, CN = ipa-server.do.ma.in
> error 18 at 0 depth lookup:self signed certificate
> OK

This should not be self-signed but signed by the IPA CA to make Smartcard
authentication and PKINIT work.

What is the output of ipa pkinit-status and ipa-pkinit-manage status on
the servers?

bye,
Sumit

>
> Is that the command that you had in mind? It looks like it's OK.
>
> Also as Florence Blanc-Renaud suggested, I ran the `ipa-advise
> config-server-for-smart-card-auth > config.sh` command and ran it on all the
> IPA servers with the third-party external CA certs, and they ran
> successfully. Thanks Florence! I did not see any change after that. The only
> thing I hadn't done was change the Server-Cert permissions. The kinit command
> still fails with the DH verification error on the client even though the
> ticket is issued.
>
> I also added a CNAME for the OCSP server listed in the cert and pointed it to
> a real working IPA server instead of a retired one.
[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT
Thanks!

So on the IPA server that is listed in the client's /etc/ipa/default file I
ran:

# openssl verify -verbose -CAfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem /var/kerberos/krb5kdc/kdc.crt
/var/kerberos/krb5kdc/kdc.crt: O = DOMAIN.COM, CN = ipa-server.do.ma.in
error 18 at 0 depth lookup:self signed certificate
OK

Is that the command that you had in mind? It looks like it's OK.

Also as Florence Blanc-Renaud suggested, I ran the `ipa-advise
config-server-for-smart-card-auth > config.sh` command and ran it on all the
IPA servers with the third-party external CA certs, and they ran
successfully. Thanks Florence! I did not see any change after that. The only
thing I hadn't done was change the Server-Cert permissions. The kinit command
still fails with the DH verification error on the client even though the
ticket is issued.

I also added a CNAME for the OCSP server listed in the cert and pointed it to
a real working IPA server instead of a retired one.
[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT
On 5/24/19 6:12 PM, Khurrum Maqb via FreeIPA-users wrote:
> We're running IPA 4.6.4-10.el7 with a CA over 4 replicas on Centos7 and
> would like to properly configure smartcard authentication. The smartcards
> that we're using have been signed by an External CA controlled by a
> different entity.
>
> So to get that working, I've added the required CA certs using
>
> ipa-cacert-manage -n "SmartCard CA #1" -t CT,C,C install .pem
>
> and then ran ipa-certupdate on all replicas, and restarted httpd.
>
> I associated the card authentication cert from the user's smartcard to the
> Identity using the GUI. I am able to search using the cert, and it
> retrieves the user correctly.
>
> I also used ipa-advise config-client-for-smart-card-auth >
> client_smart_card_script.sh to create the script, ran it on a client host
> with the correct CA files.
>
> On the client side I had to edit sssd.conf and add a

Hi,

did you also run ipa-advise config-server-for-smart-card-auth on the IPA
servers? This will create a script that must be executed on all IPA
masters.

flo

> [pam]
> p11_child_timeout = 15
>
> and it worked and the user was able to log in to the desktop. However, it
> was taking 40 seconds for the login which sounded like something was
> timing out. I checked the krb log and found
>
> (Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [krb5_child_timeout] (0x0040): Timeout for child [9822] reached. In case KDC is distant or network is slow you may consider increasing value of krb5_auth_timeout.
> (Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [krb5_auth_done] (0x0020): child timed out!
> (Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [child_sig_handler] (0x0020): child [9822] was terminated by signal [9].
>
> And it reported that the backend was offline
>
> So I added
>
> [domain/dom.ain.com]
> krb5_auth_timeout = 15
>
> and which point, I noticed I didn't have pkinit running on the servers. So
> I ran ipa-pkinit-manage enable on all the replicas with a CA and soon
> ipa pkinit-status showed that PKINIT status: enabled.
>
> and Backend stopped showing as offline.
>
> However, that does not solve the issue, and if I have krb5_auth_timeout = 15
> in sssd, the login stops working and instead I get a pre-auth issue:
> Additional pre-authentication required / Matching credential not found
>
> (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204427: Getting initial credentials for user@REALM
> (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204428: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_REALM
> (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204429: Retrieving host/gs6069-ld-i014.dom.ain.com@REALM -> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM\@REALM .COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_REALM with result: -1765328243/Matching credential not found
> (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204431: Sending unauthenticated request
> (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204432: Sending request (172 bytes) to REALM
> (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204433: Initiating TCP connection to stream 192.168.162.11:88
> (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204434: Sending TCP request to stream 192.168.162.11:88
> (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204435: Received answer (299 bytes) from stream 192.168.162.11:88
> (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204436: Terminating TCP connection to stream 192.168.162.11:88
> (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204437: Response was from master KDC
>
> But if I REMOVE krb5_auth_timeout = 15 then it probably times out, and it
> logs the user in with the smart card + pin but klist shows NO kerberos
> tickets.
>
> So my question is, do I have to add the external CA certificates to the KDC
> separately? They aren't really for our REALM so I don't know how that would
> help.
>
> Running kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' username
> prompts the user for the PIN, but after the PIN is entered, it immediately
> asks for the password. So it looks like the part that is failing is the KRB
> authentication.
>
> Any suggestions would be very appreciated. Ideally I'd like for the
> smartcard auth to let the users in in a timely manner (ie ~5-15 seconds)
> and also give the users a kerberos ticket.
>
> Thanks!
[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT
On Fri, May 24, 2019 at 10:30:15PM -, Khurrum Maqb via FreeIPA-users wrote:
> Strangely, it's correct. I also just did another ipa-client-install
> --request-cert and it joined correctly and placed the IPA cert in that
> location. Here is the krb5.conf file
>
> [root@gs6069-ld-i014 ~]# cat /etc/krb5.conf
> #File modified by ipa-client-install
>
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
>   default_realm = DOMAIN
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   rdns = false
>   dns_canonicalize_hostname = false
>   ticket_lifetime = 24h
>   forwardable = true
>   udp_preference_limit = 0
>   default_ccache_name = KEYRING:persistent:%{uid}
>
>
> [realms]
>   DOMAIN = {
>     pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
>     pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
>
>   }
>
> [domain_realm]
>   the.dom.ain = DOMAIN
>   the.dom.ain = DOMAIN
>   host.the.dom.ain = DOMAIN
>
> It appears to be the same file as:
>
> # ls -la /etc/ipa/ca.crt
> -rw-r--r--. 1 root root 11062 May 24 18:04 /etc/ipa/ca.crt
> # ls -la /var/lib/ipa-client/pki/kdc-ca-bundle.pem
> -rw-r--r--. 1 root root 11062 May 24 18:04 /var/lib/ipa-client/pki/kdc-ca-bundle.pem
>
> And openssl x509 -in /var/lib/ipa-client/pki/kdc-ca-bundle.pem -text outputs
> something that looks correct.
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 1 (0x1)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: O=DOMAIN, CN=Certificate Authority
>         Validity
>             Not Before: Aug 10 21:29:31 2012 GMT
>             Not After : Aug 10 21:29:31 2020 GMT
>         Subject: O=DOMAIN, CN=Certificate Authority
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     00:d0:bb:0e:b3:5d:cb:1a:0c:[..snip..]
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Authority Key Identifier:
>                 keyid:A8:..[[snip]]41
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>             X509v3 Key Usage: critical
>                 Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
>             X509v3 Subject Key Identifier:
>                 A8[[..snip]]
>             Authority Information Access:
>                 OCSP - URI:http://another.dom.ain:80/ca/ocsp
>     Signature Algorithm: sha256WithRSAEncryption
>
> The OCSP field looks like it's pointing to an outdated/retired replica. But
> other than that a regular kinit username gets issued a correct kerberos
> ticket just fine. It's just the smartcard cert (which is signed by an
> external CA which is added to the cert list on the server) that does not
> verify the DH. But I checked the server and it's successfully issuing a
> ticket. But the client refuses to accept it.

The KDC certificate can be found in /var/kerberos/krb5kdc/kdc.crt on the
IPA servers, can you try to validate those manually with
/var/lib/ipa-client/pki/kdc-ca-bundle.pem to see if all needed CA
certificates are available?

bye,
Sumit
[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT
Strangely, it's correct. I also just did another ipa-client-install
--request-cert and it joined correctly and placed the IPA cert in that
location. Here is the krb5.conf file

[root@gs6069-ld-i014 ~]# cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = DOMAIN
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  DOMAIN = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem

  }

[domain_realm]
  the.dom.ain = DOMAIN
  the.dom.ain = DOMAIN
  host.the.dom.ain = DOMAIN

It appears to be the same file as:

# ls -la /etc/ipa/ca.crt
-rw-r--r--. 1 root root 11062 May 24 18:04 /etc/ipa/ca.crt
# ls -la /var/lib/ipa-client/pki/kdc-ca-bundle.pem
-rw-r--r--. 1 root root 11062 May 24 18:04 /var/lib/ipa-client/pki/kdc-ca-bundle.pem

And openssl x509 -in /var/lib/ipa-client/pki/kdc-ca-bundle.pem -text outputs
something that looks correct.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=DOMAIN, CN=Certificate Authority
        Validity
            Not Before: Aug 10 21:29:31 2012 GMT
            Not After : Aug 10 21:29:31 2020 GMT
        Subject: O=DOMAIN, CN=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d0:bb:0e:b3:5d:cb:1a:0c:[..snip..]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:A8:..[[snip]]41
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                A8[[..snip]]
            Authority Information Access:
                OCSP - URI:http://another.dom.ain:80/ca/ocsp
    Signature Algorithm: sha256WithRSAEncryption

The OCSP field looks like it's pointing to an outdated/retired replica. But
other than that a regular kinit username gets issued a correct kerberos
ticket just fine. It's just the smartcard cert (which is signed by an
external CA which is added to the cert list on the server) that does not
verify the DH. But I checked the server and it's successfully issuing a
ticket. But the client refuses to accept it.
[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT
On Fri, May 24, 2019 at 07:30:53PM -, Khurrum Maqb via FreeIPA-users wrote:
> And if I specify the card LABEL:
>
> # KRB5_TRACE=/dev/stdout kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so:certlabel=Certificate for PIV Authentication' username
> [22278] 1558726069.978962: Getting initial credentials for username@DOMAIN
> [22278] 1558726069.978964: Sending unauthenticated request
> [22278] 1558726069.978965: Sending request (172 bytes) to DOMAIN
> [22278] 1558726069.978966: Initiating TCP connection to stream 192.168.162.10:88
> [22278] 1558726069.978967: Sending TCP request to stream 192.168.162.10:88
> [22278] 1558726069.978968: Received answer (298 bytes) from stream 192.168.162.10:88
> [22278] 1558726069.978969: Terminating TCP connection to stream 192.168.162.10:88
> [22278] 1558726069.978970: Response was from master KDC
> [22278] 1558726069.978971: Received error from KDC: -1765328359/Additional pre-authentication required
> [22278] 1558726069.978974: Preauthenticating using KDC method data
> [22278] 1558726069.978975: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
> [22278] 1558726069.978976: Selected etype info: etype aes256-cts, salt ",NA[[snip]]&?", params ""
> [22278] 1558726069.978977: Received cookie: MIT
> [22278] 1558726076.4420: Preauth module pkinit (147) (info) returned: 0/Success
> PIV_II PIN:
> [22278] 1558726085.757813: PKINIT loading CA certs and CRLs from FILE
> [22278] 1558726085.757814: PKINIT loading CA certs and CRLs from FILE
> [22278] 1558726085.757815: PKINIT client computed kdc-req-body checksum 9/09AD53A5919AEB906D
> [22278] 1558726085.757817: PKINIT client making DH request
> [22278] 1558726086.960954: Preauth module pkinit (16) (real) returned: 0/Success
> [22278] 1558726086.960955: Produced preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)
> [22278] 1558726086.960956: Sending request (6924 bytes) to DOMAIN
> [22278] 1558726086.960957: Initiating TCP connection to stream 192.168.162.10:88
> [22278] 1558726086.960958: Sending TCP request to stream 192.168.162.10:88
> [22278] 1558726087.25096: Received answer (1641 bytes) from stream 192.168.162.10:88
> [22278] 1558726087.25097: Terminating TCP connection to stream 192.168.162.10:88
> [22278] 1558726087.25098: Response was from master KDC
> [22278] 1558726087.25099: Processing preauth types: PA-PK-AS-REP (17), PA-ETYPE-INFO2 (19)
> [22278] 1558726087.25100: Selected etype info: etype aes256-cts, salt ",NA#[[snip]]RE&?", params ""
> [22278] 1558726087.25101: PKINIT client could not verify DH reply

This sounds like the client cannot verify the KDC certificate, i.e. the CA certificates of the issuer are not available to libkrb5. Typically the IPA KDC certificates are signed by the IPA CA. Can you check in your krb5.conf if in the pkinit_anchors options there is a file listed which contains the IPA CA certificate (or the certificate of the CA which signed the KDC certificates)?

bye,
Sumit

> [22278] 1558726087.25102: Preauth module pkinit (17) (real) returned: -1765328360/Preauthentication failed
> [22278] 1558726087.25103: Produced preauth for next request: (empty)
> [22278] 1558726087.25104: Getting AS key, salt ",NA[[snip]]E&?", params ""
> Password for username@DOMAIN:
[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT
And if I specify the card LABEL:

# KRB5_TRACE=/dev/stdout kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so:certlabel=Certificate for PIV Authentication' username
[22278] 1558726069.978962: Getting initial credentials for username@DOMAIN
[22278] 1558726069.978964: Sending unauthenticated request
[22278] 1558726069.978965: Sending request (172 bytes) to DOMAIN
[22278] 1558726069.978966: Initiating TCP connection to stream 192.168.162.10:88
[22278] 1558726069.978967: Sending TCP request to stream 192.168.162.10:88
[22278] 1558726069.978968: Received answer (298 bytes) from stream 192.168.162.10:88
[22278] 1558726069.978969: Terminating TCP connection to stream 192.168.162.10:88
[22278] 1558726069.978970: Response was from master KDC
[22278] 1558726069.978971: Received error from KDC: -1765328359/Additional pre-authentication required
[22278] 1558726069.978974: Preauthenticating using KDC method data
[22278] 1558726069.978975: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
[22278] 1558726069.978976: Selected etype info: etype aes256-cts, salt ",NA[[snip]]&?", params ""
[22278] 1558726069.978977: Received cookie: MIT
[22278] 1558726076.4420: Preauth module pkinit (147) (info) returned: 0/Success
PIV_II PIN:
[22278] 1558726085.757813: PKINIT loading CA certs and CRLs from FILE
[22278] 1558726085.757814: PKINIT loading CA certs and CRLs from FILE
[22278] 1558726085.757815: PKINIT client computed kdc-req-body checksum 9/09AD53A5919AEB906D
[22278] 1558726085.757817: PKINIT client making DH request
[22278] 1558726086.960954: Preauth module pkinit (16) (real) returned: 0/Success
[22278] 1558726086.960955: Produced preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)
[22278] 1558726086.960956: Sending request (6924 bytes) to DOMAIN
[22278] 1558726086.960957: Initiating TCP connection to stream 192.168.162.10:88
[22278] 1558726086.960958: Sending TCP request to stream 192.168.162.10:88
[22278] 1558726087.25096: Received answer (1641 bytes) from stream 192.168.162.10:88
[22278] 1558726087.25097: Terminating TCP connection to stream 192.168.162.10:88
[22278] 1558726087.25098: Response was from master KDC
[22278] 1558726087.25099: Processing preauth types: PA-PK-AS-REP (17), PA-ETYPE-INFO2 (19)
[22278] 1558726087.25100: Selected etype info: etype aes256-cts, salt ",NA#[[snip]]RE&?", params ""
[22278] 1558726087.25101: PKINIT client could not verify DH reply
[22278] 1558726087.25102: Preauth module pkinit (17) (real) returned: -1765328360/Preauthentication failed
[22278] 1558726087.25103: Produced preauth for next request: (empty)
[22278] 1558726087.25104: Getting AS key, salt ",NA[[snip]]E&?", params ""
Password for username@DOMAIN:
[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT
Thank you very much for the response, Sumit.

> Can you send the full output of
>
> KRB5_TRACE=/dev/stdout kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' username

Here it is. There are indeed 9 certs on the smartcard and the card auth cert is at location 01.

# KRB5_TRACE=/dev/stdout kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' username
[7257] 1558722893.754383: Getting initial credentials for usern...@domain.com
[7257] 1558722893.754385: Sending unauthenticated request
[7257] 1558722893.754386: Sending request (172 bytes) to DOMAIN.COM
[7257] 1558722893.754387: Initiating TCP connection to stream 192.168.162.10:88
[7257] 1558722893.754388: Sending TCP request to stream 192.168.162.10:88
[7257] 1558722893.754389: Received answer (299 bytes) from stream 192.168.162.10:88
[7257] 1558722893.754390: Terminating TCP connection to stream 192.168.162.10:88
[7257] 1558722893.754391: Response was from master KDC
[7257] 1558722893.754392: Received error from KDC: -1765328359/Additional pre-authentication required
[7257] 1558722893.754395: Preauthenticating using KDC method data
[7257] 1558722893.754396: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
[7257] 1558722893.754397: Selected etype info: etype aes256-cts, salt ",NA#[[..snip]]E&?", params ""
[7257] 1558722893.754398: Received cookie: MIT
[7257] 1558722901.787875: Preauth module pkinit (147) (info) returned: 0/Success
PIV_II PIN:
[7257] 1558722912.887018: PKINIT error: There are 9 certs, but there must be exactly one.
[7257] 1558722912.887019: PKINIT client has no configured identity; giving up
[7257] 1558722912.887020: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[7257] 1558722912.887021: PKINIT client has no configured identity; giving up
[7257] 1558722912.887022: Preauth module pkinit (14) (real) returned: 22/Invalid argument
Password for usern...@domain.com:
[7257] 1558722919.439664: Preauth module encrypted_timestamp (2) (real) returned: -1765328252/Password read interrupted
kinit: Pre-authentication failed: Invalid argument while getting initial credentials

> user for the certificate. Can you send the KDC logs from
> /var/log/krb5kdc.log which covers the time of the login attempts?

Without krb5_auth_timeout = 15

May 24 14:41:02 replica01.dom.ain.com krb5kdc[37038](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.160.14: NEEDED_PREAUTH: username@DOMAIN for krbtgt/DOMAIN@DOMAIN, Additional pre-authentication required
May 24 14:41:02 replica01.dom.ain.com krb5kdc[37038](info): closing down fd 11
May 24 14:41:02 replica01.dom.ain.com krb5kdc[37039](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.160.14: NEEDED_PREAUTH: username@DOMAIN for krbtgt/DOMAIN@DOMAIN, Additional pre-authentication required
May 24 14:41:02 replica01.dom.ain.com krb5kdc[37039](info): closing down fd 11
May 24 14:41:21 replica01.dom.ain.com krb5kdc[37042](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.160.14: NEEDED_PREAUTH: username@DOMAIN for krbtgt/DOMAIN@DOMAIN, Additional pre-authentication required
May 24 14:41:21 replica01.dom.ain.com krb5kdc[37042](info): closing down fd 11
May 24 14:41:21 replica01.dom.ain.com krb5kdc[37039](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.160.14: NEEDED_PREAUTH: username@DOMAIN for krbtgt/DOMAIN@DOMAIN, Additional pre-authentication required
May 24 14:41:21 replica01.dom.ain.com krb5kdc[37039](info): closing down fd 11

WITH krb5_auth_timeout = 15

May 24 14:44:47 replica01.dom.ain.com krb5kdc[37040](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.160.14: NEEDED_PREAUTH: username@DOMAIN for krbtgt/DOMAIN@DOMAIN, Additional pre-authentication required
May 24 14:44:47 replica01.dom.ain.com krb5kdc[37040](info): closing down fd 11
May 24 14:44:47 replica01.dom.ain.com krb5kdc[37038](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.160.14: NEEDED_PREAUTH: username@DOMAIN for krbtgt/DOMAIN@DOMAIN, Additional pre-authentication required
May 24 14:44:47 replica01.dom.ain.com krb5kdc[37038](info): closing down fd 11
May 24 14:45:01 replica01.dom.ain.com krb5kdc[37037](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.160.14: NEEDED_PREAUTH: username@DOMAIN for krbtgt/DOMAIN@DOMAIN, Additional pre-authentication required
May 24 14:45:01 replica01.dom.ain.com krb5kdc[37037](info): closing down fd 11
May 24 14:45:01 replica01.dom.ain.com krb5kdc[37040](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.160.14: NEEDED_PREAUTH: username@DOMAIN for krbtgt/DOMAIN@DOMAIN, Additional pre-authentication required
May 24 14:45:01 replica01.dom.ain.com krb5kdc[37040](info): closing down fd 11
May 24 14:45:13 replica01.dom.ain.com krb5kdc[37040](info): Initializing IPA certauth plugin.
May 24 14:45:13 replica01.dom.ain.com krb5kdc[37040](i
[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT
On Fri, May 24, 2019 at 04:12:20PM -, Khurrum Maqb via FreeIPA-users wrote:
> We're running IPA 4.6.4-10.el7 with a CA over 4 replicas on Centos7 and would like to properly configure smartcard authentication. The smartcards that we're using have been signed by an External CA controlled by a different entity. So to get that working, I've added the required CA certs using
>
> ipa-cacert-manage -n "SmartCard CA #1" -t CT,C,C install .pem
>
> and then ran ipa-certupdate on all replicas, and restarted httpd. I associated the card authentication cert from the user's smartcard to the Identity using the GUI. I am able to search using the cert, and it retrieves the user correctly.
>
> I also used ipa-advise config-client-for-smart-card-auth > client_smart_card_script.sh to create the script, ran it on a client host with the correct CA files. On the client side I had to edit sssd.conf and add a
>
> [pam]
> p11_child_timeout = 15
>
> and it worked and the user was able to log in to the desktop. However, it was taking 40 seconds for the login which sounded like something was timing out. I checked the krb log and found
>
> (Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [krb5_child_timeout] (0x0040): Timeout for child [9822] reached. In case KDC is distant or network is slow you may consider increasing value of krb5_auth_timeout.
> (Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [krb5_auth_done] (0x0020): child timed out!
> (Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [child_sig_handler] (0x0020): child [9822] was terminated by signal [9].
>
> And it reported that the backend was offline
>
> So I added
>
> [domain/dom.ain.com]
> krb5_auth_timeout = 15
>
> at which point, I noticed I didn't have pkinit running on the servers. So I ran ipa-pkinit-manage enable on all the replicas with a CA and soon ipa pkinit-status showed that PKINIT status: enabled. and Backend stopped showing as offline.
>
> However, that does not solve the issue, and if I have krb5_auth_timeout = 15 in sssd, the login stops working and instead I get a pre-auth issue: Additional pre-authentication required / Matching credential not found

Hi,

'Additional pre-authentication required' is expected. 'Matching credential not found' sounds a bit like the KDC cannot find a matching user for the certificate. Can you send the KDC logs from /var/log/krb5kdc.log which covers the time of the login attempts?

> (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565 [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204427: Getting initial credentials for user@REALM
> (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565 [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204428: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_REALM
> (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565 [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204429: Retrieving host/gs6069-ld-i014.dom.ain.com@REALM -> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM\@REALM .COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_REALM with result: -1765328243/Matching credential not found
> (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565 [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204431: Sending unauthenticated request
> (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565 [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204432: Sending request (172 bytes) to REALM
> (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565 [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204433: Initiating TCP connection to stream 192.168.162.11:88
> (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565 [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204434: Sending TCP request to stream 192.168.162.11:88
> (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565 [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204435: Received answer (299 bytes) from stream 192.168.162.11:88
> (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565 [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204436: Terminating TCP connection to stream 192.168.162.11:88
> (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565 [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204437: Response was from master KDC
>
> But if I REMOVE krb5_auth_timeout = 15 then it probably times out, and it logs the user in with the smart card + pin but klist shows NO kerberos tickets.
>
> So my question is, do I have to add the external CA certificates to the KDC separately? They aren't really for our REALM so I don't know how that would help.
>
> Running
>
> kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' username

Can you send the full output of

KRB5_TRACE=/dev/stdout kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' username

at least until you are asked for the password?

by