We're running IPA 4.6.4-10.el7 with a CA over 4 replicas on CentOS 7 and would like to
properly configure smartcard authentication. The smartcards that we're using have been
signed by an external CA controlled by a different entity. So to get that working,
I've added the required CA certs using
ipa-cacert-manage -n "SmartCard CA #1" -t CT,C,C install <CA>.pem
and then ran ipa-certupdate on all replicas, and restarted httpd. I associated the card
authentication cert from the user's smartcard to the Identity using the GUI. I am able
to search using the cert, and it retrieves the user correctly.
I also used ipa-advise config-client-for-smart-card-auth > client_smart_card_script.sh
to create the script, ran it on a client host with the correct CA files. On the client
side I had to edit sssd.conf and add a
[pam]
p11_child_timeout = 15
and it worked and the user was able to log in to the desktop. However, it was taking 40
seconds for the login which sounded like something was timing out. I checked the krb log
and found
(Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [krb5_child_timeout] (0x0040): Timeout
for child [9822] reached. In case KDC is distant or network is slow you may consider
increasing value of krb5_auth_timeout.
(Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [krb5_auth_done] (0x0020): child timed
out!
(Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [child_sig_handler] (0x0020): child
[9822] was terminated by signal [9].
And it reported that the backend was offline
So I added
[domain/dom.ain.com]
krb5_auth_timeout = 15
at which point I noticed I didn't have PKINIT running on the servers. So I ran
ipa-pkinit-manage enable on all the replicas with a CA, and soon
ipa pkinit-status showed "PKINIT status: enabled" and the backend stopped showing as
offline.
However, that does not solve the issue, and if I have krb5_auth_timeout = 15 in sssd, the
login stops working and instead I get a pre-auth issue: Additional pre-authentication
required / Matching credential not found
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000):
[17565] 1558710483.204427: Getting initial credentials for user@REALM
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000):
[17565] 1558710483.204428: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_REALM
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000):
[17565] 1558710483.204429: Retrieving host/gs6069-ld-i014.dom.ain.com@REALM ->
krb5_ccache_conf_data/fast_avail/krbtgt\/REALM\@REALM
.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_REALM with result:
-1765328243/Matching credential not found
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000):
[17565] 1558710483.204431: Sending unauthenticated request
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000):
[17565] 1558710483.204432: Sending request (172 bytes) to REALM
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000):
[17565] 1558710483.204433: Initiating TCP connection to stream 192.168.162.11:88
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000):
[17565] 1558710483.204434: Sending TCP request to stream 192.168.162.11:88
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000):
[17565] 1558710483.204435: Received answer (299 bytes) from stream 192.168.162.11:88
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000):
[17565] 1558710483.204436: Terminating TCP connection to stream 192.168.162.11:88
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000):
[17565] 1558710483.204437: Response was from master KDC
But if I REMOVE krb5_auth_timeout = 15 then it probably times out, and it logs the user in
with the smart card + pin but klist shows NO kerberos tickets.
So my question is, do I have to add the external CA certificates to the KDC separately?
They aren't really for our REALM so I don't know how that would help.
Running
kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' username
prompts the user for the PIN, but after the PIN is entered, it immediately asks for the
password. So it looks like the part that is failing is the Kerberos authentication.
Any suggestions would be very appreciated. Ideally I'd like for the smartcard auth to
let the users in in a timely manner (i.e. ~5-15 seconds) and also give the users a Kerberos
ticket.
Thanks!
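As an added example (not part of the post above, and not FreeIPA or SSSD code), here is a small Python helper for working through the two things the post is juggling: the sssd debug log, where the krb5_child timeout and the library's own microsecond trace clock show how long the KDC exchange actually takes, and sssd.conf, where the [pam] options (pam_cert_auth, p11_child_timeout) and the per-domain krb5_auth_timeout have to be in the right sections. The log lines and the config text are constructed to match the format shown in the post; the PIDs, timestamps and realm are placeholders, and the option names checked are the real SSSD ones.

```python
"""Parse sssd debug output and sssd.conf for the smart-card login symptoms above.
Added example; the log lines and config below are constructed, not taken from a real host."""
import configparser
import re
from datetime import datetime

# One sssd debug line: "(Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [func] (0x0040): msg"
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<comp>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# krb5 library trace relayed by krb5_child: "[pid] seconds.micros: text"
TRACE_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<sec>\d+)\.(?P<usec>\d{6}): (?P<text>.*)$")


def parse_sssd_log(text):
    """Return one dict per recognised log line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = {
            "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            "component": m["comp"],
            "func": m["func"],
            "level": int(m["lvl"], 16),
            "msg": m["msg"],
        }
        t = TRACE_RE.match(m["msg"])
        if t:  # keep the library's microsecond clock as an integer to avoid float drift
            ev["pid"] = int(t["pid"])
            ev["usec"] = int(t["sec"]) * 1_000_000 + int(t["usec"])
            ev["trace"] = t["text"]
        events.append(ev)
    return events


def krb5_child_timeouts(events):
    """PIDs of krb5_child processes sssd killed because krb5_auth_timeout expired."""
    pids = []
    for ev in events:
        if ev["func"] == "krb5_child_timeout":
            m = re.search(r"child \[(\d+)\] reached", ev["msg"])
            if m:
                pids.append(int(m.group(1)))
    return pids


def kdc_roundtrip_micros(events):
    """Microseconds from 'Getting initial credentials' to the first KDC answer, or None."""
    start = None
    for ev in events:
        if "trace" not in ev:
            continue
        if start is None and ev["trace"].startswith("Getting initial credentials"):
            start = ev["usec"]
        elif start is not None and ev["trace"].startswith("Received answer"):
            return ev["usec"] - start
    return None


def check_sssd_conf(text, domain):
    """Findings for the options the post edits; an empty list means all are present."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    dom = f"domain/{domain}"
    findings = []
    if cp.get("pam", "pam_cert_auth", fallback="false").lower() != "true":
        findings.append("[pam] pam_cert_auth is not True")
    if not cp.has_option("pam", "p11_child_timeout"):
        findings.append("[pam] p11_child_timeout not set")
    if not cp.has_section(dom):
        findings.append(f"[{dom}] section missing")
    elif not cp.has_option(dom, "krb5_auth_timeout"):
        findings.append(f"[{dom}] krb5_auth_timeout not set")
    return findings


# Constructed sample: a login where the KDC never answers and sssd kills krb5_child.
SAMPLE_LOG_TIMEOUT = """\
(Tue May 21 10:55:04 2019) [[sssd[krb5_child[9822]]]] [sss_child_krb5_trace_cb] (0x4000): [9822] 1558428904.100000: Getting initial credentials for user@REALM
(Tue May 21 10:55:04 2019) [[sssd[krb5_child[9822]]]] [sss_child_krb5_trace_cb] (0x4000): [9822] 1558428904.100500: Sending request (172 bytes) to REALM
(Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [krb5_child_timeout] (0x0040): Timeout for child [9822] reached. In case KDC is distant or network is slow you may consider increasing value of krb5_auth_timeout.
(Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [krb5_auth_done] (0x0020): child timed out!
(Tue May 21 10:55:44 2019) [sssd[be[dom.ain.com]]] [child_sig_handler] (0x0020): child [9822] was terminated by signal [9].
"""

# Constructed sample: the KDC answers within ~50 ms.
SAMPLE_LOG_OK = """\
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204427: Getting initial credentials for user@REALM
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.204432: Sending request (172 bytes) to REALM
(Fri May 24 11:08:03 2019) [[sssd[krb5_child[17565]]]] [sss_child_krb5_trace_cb] (0x4000): [17565] 1558710483.254435: Received answer (299 bytes) from stream 192.168.162.11:88
"""

# Constructed sssd.conf with the options from the post in their proper sections.
SAMPLE_CONF = """\
[sssd]
domains = dom.ain.com
services = nss, pam

[pam]
pam_cert_auth = True
p11_child_timeout = 15

[domain/dom.ain.com]
id_provider = ipa
krb5_auth_timeout = 15
"""

if __name__ == "__main__":
    print("killed krb5_child PIDs:", krb5_child_timeouts(parse_sssd_log(SAMPLE_LOG_TIMEOUT)))
    print("KDC round trip (us):", kdc_roundtrip_micros(parse_sssd_log(SAMPLE_LOG_OK)))
    print("config findings:", check_sssd_conf(SAMPLE_CONF, "dom.ain.com") or "none")
```

Run it against a real /var/log/sssd/sssd_<domain>.log and krb5_child.log captured with debug_level = 9; a timeout PID list that is not empty, paired with a round trip measured in microseconds when the KDC does answer, separates a slow or unreachable KDC from a pre-authentication failure, which is the distinction the post is trying to make.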