On Tue, Jun 04, 2019 at 09:54:45AM -0400, Robbie Harwood via FreeIPA-users wrote:
Khurrum Maqb via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> writes:
> That worked! Thanks so much! I can login and successfully receive a kerberos ticket
> when using a smartcard to login.
> I also added the following to /etc/krb5.conf to match only a single cert for pkinit
>
> pkinit_cert_match = &&<EKU>msScLogin,clientAuth<KU>digitalSignature
>
> I am now down to 15 seconds for logins (which is better than the 30-50
> seconds) which is still on the slow side but I think the reason might
> be the 4 valid and 5 expired certs on the card. I'm guessing it might
> be looping through all the certs which is adding all this extra
> time. Just off the top of your head, do you know if there is a krb and
> p11 config somewhere that would allow me to limit desktop/client
> device logins to using only slot 01 on the card and ignore the rest?
krb5 lets you specify this on a global basis in the configuration file,
but it doesn't sound like what you want. (See the penultimate section
of "Specifying PKINIT identity information" in krb5.conf(5).)
On the SSSD side, which is responsible for the login, you can use the
p11_uri option with recent version. If there is an entry of p11_uri in
man sssd.conf your platform should already support this and it can be
used.
HTH
bye,
Sumit
Thanks,
--Robbie
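As an added illustration (not from anyone in the thread): how the two approaches Robbie and Sumit point at look side by side in configuration. The module path and the slot number (slotid=1 / slot-id=1 for "slot 01") are assumed values; the option names are those documented in krb5.conf(5) and sssd.conf(5), but confirm them on your own platform before relying on them.

```ini
# --- /etc/krb5.conf (assumed example, not from the thread) ---
[libdefaults]
    # Global identity selection in krb5 (the "penultimate section" Robbie
    # refers to): point PKINIT at one slot of the OpenSC PKCS#11 module
    # instead of scanning every slot/token. Path and slotid are assumed.
    pkinit_identities = PKCS11:module_name=/usr/lib64/pkcs11/opensc-pkcs11.so:slotid=1

    # Matching rule from the thread: a certificate is used only if it carries
    # both the Smart Card Logon and Client Authentication EKUs AND the
    # digitalSignature KU. Note this filters candidates; it does not stop the
    # library from enumerating the other certificates on the card first.
    pkinit_cert_match = &&<EKU>msScLogin,clientAuth<KU>digitalSignature

# --- /etc/sssd/sssd.conf (assumed example, not from the thread) ---
[pam]
    pam_cert_auth = True
    # SSSD-side restriction Sumit mentions: an RFC 7512 PKCS#11 URI that
    # limits which tokens/slots SSSD considers for smartcard login.
    # slot-id=1 is an assumed value; add token=... or serial=... to narrow
    # further if several readers are attached.
    p11_uri = pkcs11:slot-id=1
```

Slot identifiers reported by the PKCS#11 module are not necessarily the "01" numbering shown by card tools, so list the slots with your module first and use the value it reports.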
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...