Yes:
Package krb5-pkinit-1.20.1-8.el9.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
Best,
Francis
On 28 Jun 2023, at 08:03, Francis Augusto Medeiros-Logeay via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
> On 28 Jun 2023, at 07:50, Sumit Bose via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
>
> On Wed, Jun 28, 2023 at 07:23:58AM +0200, Francis Augusto Medeiros-Logeay wrote:
>>
>>
>>> On 23 Jun 2023, at 10:52, Sumit Bose via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
>>>
>>> On Fri, Jun 23, 2023 at 09:03:55AM +0200, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>>>>
>>>>
>>>>> On 22 Jun 2023, at 14:48, Rob Crittenden via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
>>>>>
>>>>> Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>>>>>> Hi,
>>>>>>
>>>>>> We have an application that requires Active Directory. In order to
>>>>>> provide SSO, the application gets a user certificate from AD and, as I
>>>>>> understand, uses it towards a RHEL machine as a smart card. I installed
>>>>>> AD's CA certificates on the RHEL client and it works when sssd.conf is
>>>>>> all configured towards AD.
>>>>>>
>>>>>> I've joined the client to AD, as I said, but I do want my `id_provider`
>>>>>> in `sssd.conf` to be `ldap` so that it gets my group info from FreeIPA.
>>>>>> But when I do this, the authentication doesn't work.
>>>>>>
>>>>>> Is there a way to either force pam/sssd to check the certificates
>>>>>> against AD while still getting groups and names from ldap, or to get
>>>>>> FreeIPA to approve the certificates?
>>>>>>
>>>>>> I know this might be a very corner case, but if we make it work, this
>>>>>> would be beautiful.
>>>>>
>>>>
>>>> Thanks Rob!
>>>>
>>>>> IMHO you should cross-post this to the SSSD users list as this seems
>>>>> more their area,
>>>>> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
>>>>
>>>> I posted it there first, tbh, but got no reply.
>>>>
>>>>> I think expanding on your configuration would help too. Are you using
>>>>> the IPA certificate mapping to map the AD-issued certificates to an IPA
>>>>> user for authentication?
>>>>
>>>> No. The users are the same on both - same uid, gid, etc, but no
>>>> connection, trust, or anything.
>>>> The mapping on sssd.conf is this one:
>>>>
>>>> # Add this section and following lines to set match and map rule for certificate user
>>>> [certmap/mydomain.com/truesso]
>>>> matchrule = <EKU>msScLogin
>>>> maprule = (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
>>>> domains = mydomain.com
>>>> priority = 10
>>>>
>>>> When id_provider = ad, it works, but not when it is `ldap`. But the
>>>> users, in principle, are the same. Could it be those attributes that are wrong?
>>>
>>> Hi,
>>>
>>> with 'id_provider = ad' the 'auth_provider' will be 'ad' as well, which
>>> is basically 'auth_provider = krb5' and Smartcard authentication is done
>>> the Kerberos way. With 'id_provider = ldap' the 'auth_provider' will be
>>> 'ldap' as well, so you might have to explicitly add 'auth_provider = krb5'
>>>
>>> Additionally, the 'maprule' is looking for LDAP attributes, so your IPA
>>> user must at least have the 'userPrincipal' attribute set with the
>>> principal which is stored in the subject alternative names of the
>>> certificate.
>>>
>>> Feel free to add 'debug_level = 9' to the [pam] and [domain/...]
>>> sections of sssd.conf, restart SSSD, try again and send the SSSD logs
>>> here.
>>>
>>> bye,
>>> Sumit
>>
>>
>> Hi Sumit,
>>
>> It fails on RHEL 9, though - before I was doing it on RHEL 9.
>>
>> I get this:
>>
>> Jun 28 07:21:09 sso-rhel-test krb5_child[3447]: Pre-authentication failed: Preauthentication failed
>> Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=francis
>> Jun 28 07:21:09 sso-rhel-test krb5_child[3447]: Pre-authentication failed: Preauthentication failed
>> Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: pam_sss(gdm-password:auth): received for user francis: 7 (Authentication failure)
>> Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: gkr-pam: unable to locate daemon control file
>> Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: gkr-pam: stashed password to try later in open ses
>>
>> Exact same configuration. Neither password nor certificate works, though password
>> works on ssh.
>>
>> Any tips here?
>
> Hi,
>
> this might be related to
> https://bugzilla.redhat.com/show_bug.cgi?id=2214300
> (https://bugzilla.redhat.com/show_bug.cgi?id=2155607 is the
> corresponding RHEL-9 ticket, but this is mostly private). Does it work
> any better if you set
>
> update-crypto-policies --set LEGACY:AD-SUPPORT-LEGACY
>
> bye,
> Sumit
>
Not really. I get this:
Jun 28 08:02:00 sso-rhel-test krb5_child[3019]: Pre-authentication failed: Preauthentication failed
Jun 28 08:02:00 sso-rhel-test krb5_child[3019]: Pre-authentication failed: Preauthentication failed
Jun 28 08:02:00 sso-rhel-test desktopWorker[2835]: pam_sss(gdm-vmwcred:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=francis
Jun 28 08:02:00 sso-rhel-test desktopWorker[2835]: pam_sss(gdm-vmwcred:auth): received for user francis: 7 (Authentication failure)
Jun 28 08:02:01 sso-rhel-test krb5_child[3083]: Cannot read password
Jun 28 08:02:01 sso-rhel-test krb5_child[3083]: Cannot read password
Jun 28 08:02:01 sso-rhel-test desktopWorker[2835]: pam_sss(gdm-vmwcred:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=francis
Jun 28 08:02:01 sso-rhel-test desktopWorker[2835]: pam_sss(gdm-vmwcred:auth): received for user francis: 15 (Authentication service cannot retrieve user credentials)
Jun 28 08:02:01 sso-rhel-test desktopWorker[2835]: gkr-pam: unable to locate daemon control file
Jun 28 08:02:01 sso-rhel-test desktopWorker[2835]: gkr-pam: stashed password to try later in open session
Jun 28 08:02:10 sso-rhel-test krb5_child[3112]: Pre-authentication failed: Preauthentication failed
Jun 28 08:02:10 sso-rhel-test krb5_child[3112]: Pre-authentication failed: Preauthentication failed
Jun 28 08:02:10 sso-rhel-test desktopWorker[2835]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=francis
Jun 28 08:02:10 sso-rhel-test desktopWorker[2835]: pam_sss(gdm-password:auth): received for user francis: 7 (Authentication failure)
Jun 28 08:02:10 sso-rhel-test desktopWorker[2835]: gkr-pam: unable to locate daemon control file
Best,
Francis
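Added example, not part of the thread and not SSSD project code: a small sssd.conf checker for the two points Sumit raises above, namely that an unset auth_provider inherits its value from id_provider (so `id_provider = ldap` silently gives LDAP authentication instead of the Kerberos/PKINIT path Smartcard logon needs), and that every LDAP attribute a certmap maprule searches must exist on the IPA user entry. The sample configuration, the host name ipa.example.test and the section contents are constructed assumptions modelled on the snippet Francis posted.

```python
import configparser
import re

# Constructed sample sssd.conf modelled on the thread: id_provider is ldap but
# auth_provider is not set, so SSSD falls back to auth_provider = ldap and
# Smartcard logon does not take the Kerberos (PKINIT) path Sumit describes.
# Host name and section contents are assumptions, not taken from a real setup.
SAMPLE_SSSD_CONF = """
[sssd]
domains = mydomain.com
services = nss, pam

[domain/mydomain.com]
id_provider = ldap
ldap_uri = ldap://ipa.example.test

[certmap/mydomain.com/truesso]
matchrule = <EKU>msScLogin
maprule = (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
domains = mydomain.com
priority = 10
"""

# LDAP attribute names on the left of '=' inside a maprule filter, e.g.
# '(userPrincipal={subject_principal})' -> 'userPrincipal'. The filter
# operators '(|' and '(&' do not match because they are not attribute names.
MAPRULE_ATTR = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=")


def parse_sssd_conf(text):
    """Parse sssd.conf text. Interpolation is disabled because maprule values
    contain '{subject_principal}' templates that configparser would otherwise
    try to expand."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def effective_auth_provider(cp, section):
    """auth_provider SSSD will use for a [domain/...] section: the explicit
    value if present, otherwise the id_provider (SSSD's documented default)."""
    return cp.get(section, "auth_provider",
                  fallback=cp.get(section, "id_provider", fallback=None))


def check_domains(cp):
    """Report domains whose authentication would go through the LDAP provider,
    which is the configuration that broke Smartcard logon in the thread."""
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if effective_auth_provider(cp, section) == "ldap":
            findings.append(
                f"{section}: auth_provider resolves to 'ldap' (inherited from "
                "id_provider); set 'auth_provider = krb5' for Smartcard/PKINIT logon")
    return findings


def maprule_attributes(cp):
    """For every [certmap/...] section list the LDAP attributes its maprule
    searches, so the admin can confirm the IPA user entries carry them."""
    result = {}
    for section in cp.sections():
        if not section.startswith("certmap/"):
            continue
        rule = cp.get(section, "maprule", fallback="")
        result[section] = sorted(set(MAPRULE_ATTR.findall(rule)))
    return result


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_SSSD_CONF)
    for line in check_domains(conf):
        print("WARN", line)
    for section, attrs in maprule_attributes(conf).items():
        print(f"{section}: user entries must have {', '.join(attrs)}")
```

Running it on the sample prints one warning for domain/mydomain.com and lists userPrincipal and samAccountName as the attributes the maprule depends on; adding `auth_provider = krb5` to the domain section makes the warning go away. The check only looks at the provider choice: the krb5 provider additionally needs at least `krb5_realm` (and `krb5_server` where DNS discovery is not available), which this script does not validate.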
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org