On Fri, Nov 09, 2018 at 01:05:19PM +0100, Natxo Asenjo via FreeIPA-users wrote:
hi Sumit,
On Fri, Nov 9, 2018 at 12:53 PM Sumit Bose via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
>
> I would suggest to first check if SSSD can see the certificate as well.
> For this please call:
>
> /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre
>
> At the end you should see the base64 encoded certificate with some other
> Smartcard details. If not the debug output might help to figure out why
> the certificate was not found.
ok, it does not see anything:
$ /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre

Ah, sorry, I forgot you use F29. On F29 SSSD does not use NSS anymore. Please add your CA
certificates in PEM format to /etc/sssd/pki/sssd_auth_ca_db.pem and call

/usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem --pre

again. Please check man sssd.conf and search for 'openssl' to see the
differences between the NSS and OpenSSL version.

HTH

bye,
Sumit

(Fri Nov 9 12:58:37:924551 2018) [[sssd[p11_child[6490]]]] [main] (0x0400): p11_child started.
(Fri Nov 9 12:58:37:924597 2018) [[sssd[p11_child[6490]]]] [main] (0x2000): Running in [pre-auth] mode.
(Fri Nov 9 12:58:37:924612 2018) [[sssd[p11_child[6490]]]] [main] (0x2000): Running with effective IDs: [1000][1000].
(Fri Nov 9 12:58:37:924624 2018) [[sssd[p11_child[6490]]]] [main] (0x2000): Running with real IDs [1000][1000].
(Fri Nov 9 12:58:37:925728 2018) [[sssd[p11_child[6490]]]] [init_verification] (0x0040): X509_LOOKUP_load_file failed [185090184][error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found].
(Fri Nov 9 12:58:37:925742 2018) [[sssd[p11_child[6490]]]] [do_work] (0x0040): init_verification failed.
(Fri Nov 9 12:58:37:925753 2018) [[sssd[p11_child[6490]]]] [main] (0x0040): do_work failed.
(Fri Nov 9 12:58:37:925762 2018) [[sssd[p11_child[6490]]]] [main] (0x0020): p11_child failed!
but certutil sees it ok, after entering the pin:
$ certutil -L -d /etc/pki/nssdb/ -h user10
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Enter Password or Pin for "user10":
user10:Certificate for PIV Authentication                    u,u,u
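
An added example, not part of the original thread: a shell pre-flight check for the file handed to p11_child via --nssdb on an OpenSSL build of SSSD, covering a path that is a directory such as /etc/pki/nssdb, an empty file, non-PEM input and a truncated certificate. The function name check_ca_bundle and its return codes are assumptions of this example, and it checks PEM markers only, not certificate validity or trust.

```shell
#!/bin/sh
# Added example (not from the thread): structural pre-flight check for the
# PEM CA bundle passed to p11_child via --nssdb on OpenSSL builds of SSSD.
# check_ca_bundle is a hypothetical helper name. Return codes:
#   0  at least one complete PEM certificate block (count printed)
#   1  path is missing or not a regular file (e.g. an NSS database directory)
#   2  file is empty
#   3  no PEM certificate block (e.g. DER-encoded input)
#   4  unbalanced BEGIN/END markers (truncated or badly pasted certificate)
check_ca_bundle() {
    bundle=$1
    rc=0
    if [ ! -f "$bundle" ]; then
        echo "$bundle: not a regular file" >&2
        return 1
    fi
    if [ ! -s "$bundle" ]; then
        echo "$bundle: file is empty" >&2
        return 2
    fi
    # One pass over the file: count complete blocks, flag unbalanced markers.
    count=$(awk '
        /^-----BEGIN CERTIFICATE-----/ { if (inblk) bad = 1; inblk = 1; next }
        /^-----END CERTIFICATE-----/   { if (inblk) n++; else bad = 1; inblk = 0; next }
        END { if (inblk || bad) exit 4; if (n == 0) exit 3; print n }
    ' "$bundle") || rc=$?
    case $rc in
        0) echo "$bundle: $count PEM certificate(s)" ;;
        3) echo "$bundle: no PEM certificate found" >&2 ;;
        4) echo "$bundle: unbalanced BEGIN/END CERTIFICATE markers" >&2 ;;
    esac
    return "$rc"
}

# Usage: sh check_ca_bundle.sh /etc/sssd/pki/sssd_auth_ca_db.pem
if [ $# -gt 0 ]; then
    check_ca_bundle "$1"
fi
```

A return code of 0 only means the bundle has well-formed PEM blocks; whether it contains the CA that issued the smartcard certificate still has to be confirmed with the p11_child debug output.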