OK, I see. Thanks for the fast reply! //Adam
2017-10-20 16:33 GMT+02:00 Sumit Bose <sb...@redhat.com>:
> On Thu, Oct 19, 2017 at 12:39:15PM +0200, Winberg, Adam wrote:
> > Thanks a bunch, disabling OCSP verification works (and to test with
> > p11_child you can set the parameter '--verify=no_ocsp').
> >
> > So, now I can see in debug logs that sssd finds my smartcard certificate
> > but now it fails trying to verify it against the provider (AD). So what are
> > the requirements for this to work on 7.4? This page:
> >
> > http://rhelblog.redhat.com/2017/09/26/smart-card-support-in-red-hat-enterprise-linux/
> >
> > implies that it is no longer necessary to store the entire certificate for
> > the user in AD. It instead mentions a 'special attribute' but there is no
> > detailed information about it there. Is there any more documentation about
> > this?
>
> I'm sorry, the configurable mapping is currently only available when
> running SSSD on IPA clients. So far I didn't find the time to make the
> needed configuration options available to the AD and plain LDAP
> provider. So with these you still have to add the certificate to the
> user entry.
>
> bye,
> Sumit
>
> > Thanks,
> > Adam
> >
> >
> > 2017-10-19 11:19 GMT+02:00 Sumit Bose <sb...@redhat.com>:
> >
> > > On Thu, Oct 19, 2017 at 10:57:13AM +0200, Winberg, Adam wrote:
> > > > I'm trying to get smartcard auth working with sssd on RHEL 7.4. We
> > > > currently use a pam_pkcs11/pam_krb5 setup and I was hoping to simplify this
> > > > by using sssd instead. Unfortunately I can't get it to work, sssd does not
> > > > seem to detect my smartcard certificate.
> > > >
> > > > Running p11_child I get the following:
> > > >
> > > > $ /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --nssdb=/etc/pki/nssdb --pin
> > > > (Thu Oct 19 10:43:19:786759 2017) [[sssd[p11_child[6320]]]] [main] (0x0400): p11_child started.
> > > > (Thu Oct 19 10:43:19:786836 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running in [pre-auth] mode.
> > > > (Thu Oct 19 10:43:19:786849 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running with effective IDs: [0][0].
> > > > (Thu Oct 19 10:43:19:786859 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running with real IDs [0][0].
> > > > (Thu Oct 19 10:43:20:755639 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Default Module List:
> > > > (Thu Oct 19 10:43:20:755722 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [NSS Internal PKCS #11 Module].
> > > > (Thu Oct 19 10:43:20:755753 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
> > > > (Thu Oct 19 10:43:20:755780 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [p11-kit-trust].
> > > > (Thu Oct 19 10:43:20:755864 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [/usr/lib64/pkcs11/p11-kit-trust.so].
> > > > (Thu Oct 19 10:43:20:755900 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [OpenSC PKCS #11 Module].
> > > > (Thu Oct 19 10:43:20:755958 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [/usr/lib64/pkcs11/opensc-pkcs11.so].
> > > > (Thu Oct 19 10:43:20:755992 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Dead Module List:
> > > > (Thu Oct 19 10:43:20:756025 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): DB Module List:
> > > > (Thu Oct 19 10:43:20:756057 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [NSS Internal Module].
> > > > (Thu Oct 19 10:43:20:756085 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
> > > > (Thu Oct 19 10:43:20:756112 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [Policy File].
> > > > (Thu Oct 19 10:43:20:756140 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
> > > > (Thu Oct 19 10:43:20:771873 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [NSS User Private Key and Certificate Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
> > > > (Thu Oct 19 10:43:20:771969 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [NSS Internal Cryptographic Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
> > > > (Thu Oct 19 10:43:20:772007 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [/usr/share/pki/ca-trust-source PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1].
> > > > (Thu Oct 19 10:43:20:772037 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [/etc/pki/ca-trust/source PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1].
> > > > (Thu Oct 19 10:43:20:772245 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [Alcor Micro AU9540 00 00 Generic ] Manufacturer [Generic ] flags [7].
> > > > (Thu Oct 19 10:43:20:772290 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Found [identification (Instant EID IP9)] in slot [Alcor Micro AU9540 00 00][0] of module [3][/usr/lib64/pkcs11/opensc-pkcs11.so].
> > > > (Thu Oct 19 10:43:20:772320 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Token is NOT friendly.
> > > > (Thu Oct 19 10:43:20:772346 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Trying to switch to friendly to read certificate.
> > > > (Thu Oct 19 10:43:20:772372 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Login required.
> > > > (Thu Oct 19 10:43:20:772397 2017) [[sssd[p11_child[6320]]]] [do_work] (0x0020): Login required but no pin available, continue.
> > > > (Thu Oct 19 10:43:20:773994 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): found cert[identification (Instant EID IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com]
> > > > (Thu Oct 19 10:43:20:774071 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Filtered certificates:
> > > > (Thu Oct 19 10:43:20:774167 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): found cert[identification (Instant EID IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com]
> > > > (Thu Oct 19 10:43:20:804677 2017) [[sssd[p11_child[6320]]]] [do_work] (0x0040): Certificate [identification (Instant EID IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com] not valid [-8062], skipping.
> > > > (Thu Oct 19 10:43:20:804857 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): No certificate found.
> > > >
> > > >
> > > > What does the error code '-8062' mean?
> > >
> > > "The signer of the OCSP response is not authorized to give status for
> > > this certificate."
> > >
> > > Please see e.g.
> > > https://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html
> > > for other error codes as well. I will add a text output to the error
> > > code in one of the upcoming versions.
> > >
> > > It looks like the certificate of the OCSP responder cannot be validated.
> > > Please add the related CA certificates to /etc/pki/nssdb. As an
> > > alternative if you do not want to use OCSP you can disable it by setting
> > >
> > > certificate_verification = no_ocsp
> > >
> > > in the [sssd] section of sssd.conf (see man sssd.conf for details)
> > >
> > > HTH
> > >
> > > bye,
> > > Sumit
> > >
> > > > Regards,
> > > > Adam
> > > >
> > > > _______________________________________________
> > > > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> > > > To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
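A small triage helper for the kind of p11_child output quoted in this thread, added here as an example; it is not code from the thread or from the SSSD project. The sample log lines reproduce the entries Adam posted (each entry joined onto one line), the sssd.conf fragments are constructed, and the function names and the triage labels are my own. It extracts which certificate p11_child read from the token, which raw NSS error code it was rejected with (to be looked up in the NSS error table Sumit links to), and whether certificate_verification in the [sssd] section has switched OCSP off, so the "cannot validate the OCSP responder" case can be told apart from a card or module problem. The ordering in the triage labels follows Sumit's reply: import the responder's CA chain into /etc/pki/nssdb first, because no_ocsp removes revocation checking from smart-card logon.

```python
"""Triage helper for SSSD smart-card debugging (added example, not SSSD code).

Reads the kind of output ``p11_child -d 10`` produces plus an sssd.conf and
reports: did the child find a certificate on the token, did NSS reject it and
with which error code, and is OCSP checking still enabled or has it been
disabled with ``certificate_verification = no_ocsp`` in [sssd].
"""
import configparser
import re

# Constructed sample: the p11_child entries quoted in the thread, one per line.
SAMPLE_LOG = """\
(Thu Oct 19 10:43:20:772290 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Found [identification (Instant EID IP9)] in slot [Alcor Micro AU9540 00 00][0] of module [3][/usr/lib64/pkcs11/opensc-pkcs11.so].
(Thu Oct 19 10:43:20:773994 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): found cert[identification (Instant EID IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com]
(Thu Oct 19 10:43:20:774071 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Filtered certificates:
(Thu Oct 19 10:43:20:774167 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): found cert[identification (Instant EID IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com]
(Thu Oct 19 10:43:20:804677 2017) [[sssd[p11_child[6320]]]] [do_work] (0x0040): Certificate [identification (Instant EID IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com] not valid [-8062], skipping.
(Thu Oct 19 10:43:20:804857 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): No certificate found.
"""

# Constructed sssd.conf fragments: the default (OCSP on) and the thread's workaround.
CONF_DEFAULT = """\
[sssd]
domains = ad.example.com
services = nss, pam
"""
CONF_NO_OCSP = CONF_DEFAULT + "certificate_verification = no_ocsp\n"

# "found cert[<token>:<label>][<subject>]" and
# "Certificate [<token>:<label>][<subject>] not valid [<nss error code>]"
FOUND_RE = re.compile(r"found cert\[(?P<token>[^\]]*)\]\[(?P<subject>[^\]]*)\]")
NOT_VALID_RE = re.compile(
    r"Certificate \[(?P<token>[^\]]*)\]\[(?P<subject>[^\]]*)\] not valid \[(?P<code>-?\d+)\]")


def summarize_p11_child(log_text):
    """Return (subjects_found, failures) from p11_child debug output.

    subjects_found: distinct certificate subjects read from the token.
    failures: (subject, nss_error_code) pairs for certificates NSS rejected;
    the code is the raw NSS value (-8062 in the thread), to be looked up in
    the NSS error table the reply links to.
    """
    subjects, failures = [], []
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m and m.group("subject") not in subjects:
            subjects.append(m.group("subject"))
        m = NOT_VALID_RE.search(line)
        if m:
            failures.append((m.group("subject"), int(m.group("code"))))
    return subjects, failures


def ocsp_status(sssd_conf_text):
    """'enabled' unless certificate_verification in [sssd] lists no_ocsp.

    The option is a comma-separated list, so "no_ocsp, no_verification" and
    "no_ocsp" alone both count as disabled; a missing [sssd] section or
    option means the default, OCSP enabled.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    raw = cp.get("sssd", "certificate_verification", fallback="")
    options = {o.strip() for o in raw.split(",") if o.strip()}
    return "disabled" if "no_ocsp" in options else "enabled"


def triage(log_text, sssd_conf_text):
    """Classify a (log, config) pair the way the reply in the thread does.

    'no-cert-on-token'        nothing read from the card: reader/module problem
    'rejected-ocsp-enabled'   cert found but NSS rejected it with OCSP on:
                              check the OCSP responder CA chain in the NSS db
                              first; no_ocsp is the last resort
    'rejected-ocsp-disabled'  rejected with OCSP already off: look at the
                              issuing chain or validity period instead
    'cert-ok'                 a certificate was read and not rejected
    """
    subjects, failures = summarize_p11_child(log_text)
    if not subjects:
        return "no-cert-on-token"
    if failures:
        if ocsp_status(sssd_conf_text) == "enabled":
            return "rejected-ocsp-enabled"
        return "rejected-ocsp-disabled"
    return "cert-ok"


if __name__ == "__main__":
    print(summarize_p11_child(SAMPLE_LOG))
    print(triage(SAMPLE_LOG, CONF_DEFAULT))
    print(triage(SAMPLE_LOG, CONF_NO_OCSP))
```

Run it against a real capture with `p11_child --pre -d 10 --debug-fd=2 ... 2> p11.log` and feed the file contents to `triage()` together with the live sssd.conf; the regexes only depend on the two message shapes shown in the thread, so other debug lines are ignored.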