We're running IPA 4.6.4-10.el7 with a CA over 4 replicas on CentOS 7 and would like to properly configure smartcard authentication. The smartcards that we're using have been signed by an external CA controlled by a different entity. So to get that working, I've added the required CA certs using

    ipa-cacert-manage -n "SmartCard CA #1" -t CT,C,C install <CA>.pem

and then ran ipa-certupdate on all replicas and restarted httpd. I associated the card authentication cert from the user's smartcard with the identity using the GUI. I am able to search using the cert, and it retrieves the user correctly. I also used

    ipa-advise config-client-for-smart-card-auth > client_smart_card_script.sh

to create the script, and ran it on a client host with the correct CA files. On the client side I had to edit sssd.conf and add

    [pam]
    p11_child_timeout = 15

and it worked, and the user was able to log in to the desktop. However, it was taking 40 seconds for the login, which sounded like something was timing out. I checked the krb log and found:

    (Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [krb5_child_timeout] (0x0040): Timeout for child [9822] reached. In case KDC is distant or network is slow you may consider increasing value of krb5_auth_timeout.
    (Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [krb5_auth_done] (0x0020): child timed out!
    (Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [child_sig_handler] (0x0020): child [9822] was terminated by signal [9].

It also reported that the backend was offline, so I added

    [domain/dom.ain.com]
    krb5_auth_timeout = 15

at which point I noticed I didn't have PKINIT running on the servers. So I ran ipa-pkinit-manage enable on all the replicas with a CA, and soon ipa pkinit-status showed "PKINIT status: enabled" and the backend stopped showing as offline.
However, that does not solve the issue, and if I have krb5_auth_timeout = 15 in sssd, the login stops working and instead I get a pre-auth issue: "Additional pre-authentication required" / "Matching credential not found":

    (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204427: Getting initial credentials for user@REALM
    (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204428: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_REALM
    (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204429: Retrieving host/gs6069-ld-i014.dom.ain.com@REALM -> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM\@REALM .COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_REALM with result: -1765328243/Matching credential not found
    (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204431: Sending unauthenticated request
    (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204432: Sending request (172 bytes) to REALM
    (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204433: Initiating TCP connection to stream 192.168.162.11:88
    (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204434: Sending TCP request to stream 192.168.162.11:88
    (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204435: Received answer (299 bytes) from stream 192.168.162.11:88
    (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204436: Terminating TCP connection to stream 192.168.162.11:88
    (Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204437: Response was from master KDC

But if I REMOVE krb5_auth_timeout = 15 then it probably times out, and it logs the user in with the smart card + PIN, but klist shows NO Kerberos tickets.

So my question is, do I have to add the external CA certificates to the KDC separately? They aren't really for our REALM, so I don't know how that would help. Running

    kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' username

prompts the user for the PIN, but after the PIN is entered, it immediately asks for the password. So it looks like the part that is failing is the KRB authentication. Any suggestions would be very much appreciated. Ideally I'd like for the smartcard auth to let the users in in a timely manner (i.e. ~5-15 seconds) and also give the users a Kerberos ticket.

Thanks!

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
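As an added example (not part of the original post or of FreeIPA/sssd), a small Python parser for sssd debug lines of the shape quoted above: it splits each line into timestamp, process, function and debug level, and flags the messages that separate a krb5_child timeout from a reachable KDC that rejects PKINIT pre-authentication. The sample lines and the hint texts are constructed from the post, and the severity mapping assumes sssd's standard debug_level bits.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the sssd messages quoted in the post above
# (realm, host and child PIDs are placeholders, not real values).
SAMPLE_LOG = """\
(Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [krb5_child_timeout] (0x0040): Timeout for child [9822] reached. In case KDC is distant or network is slow you may consider increasing value of krb5_auth_timeout.
(Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [krb5_auth_done] (0x0020): child timed out!
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204427: Getting initial credentials for user@REALM
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204437: Response was from master KDC
"""

# (timestamp) [process] [function] (0xLEVEL): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>[^\[\]]+)\] "
                     r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")

# sssd debug_level bits: 0x0010 fatal .. 0x0080 minor; 0x0100 and up are config/trace data
SEVERITY = {0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor"}

def parse_line(line):
    """Split one sssd log line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proc = m["proc"]
    if proc.startswith("["):        # krb5_child lines carry an extra bracket pair
        proc = proc[1:-1]
    return {"ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), "proc": proc,
            "func": m["func"], "level": int(m["level"], 16), "msg": m["msg"]}

# Message fragments from the post, mapped to what each tells the administrator.
SIGNALS = [
    ("Timeout for child", "krb5_child exceeded krb5_auth_timeout before the KDC answered"),
    ("child timed out", "backend abandoned the Kerberos step: card login may still succeed but no TGT is obtained"),
    ("Additional pre-authentication required", "KDC reached, but it rejected the PKINIT pre-authentication"),
    ("Response was from master KDC", "KDC is reachable, so the problem is not connectivity"),
]

def diagnose(log_text):
    """Return (timestamp, severity, hint) for every line matching a known signal."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for fragment, hint in SIGNALS:
            if fragment in rec["msg"]:
                findings.append((rec["ts"], SEVERITY.get(rec["level"], "trace"), hint))
    return findings
```

Run diagnose() over the text of /var/log/sssd/sssd_<domain>.log and krb5_child.log to get one dated hint per matching line; lines at trace level (0x4000 and similar) are informational and only confirm what the KDC round-trip did.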