On Fri, Nov 09, 2018 at 01:05:19PM +0100, Natxo Asenjo via FreeIPA-users wrote:
> hi Sumit,
> On Fri, Nov 9, 2018 at 12:53 PM Sumit Bose via FreeIPA-users <
> email@example.com> wrote:
> > I would suggest to first check if SSSD can see the certificate as well.
> > For this please call:
> > /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb
> > --pre
> > At the end you should see the base64 enoded certificate with some other
> > Smartcard details. If not the debug output might help to figure out why
> > the certificate was not found.
> ok, it does not see anything:
> $ /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb
Ah, sorry, I forgot you use F29. On F29 SSSD does not use NSS anymore. Please add your CA
certificates in PEM format to /etc/sssd/pki/sssd_auth_ca_db.pem and call
/usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem --pre
again. Please check man sssd.conf and search for 'openssl' to see the
differences between the NSS and OpenSSL version.
Thanks, working perfectly now, awesome.