Dear all,
I am having a bit of a broad issue, so I am not sure how and where to write, but maybe
someone can point me in the right direction.
I have a use case where I have some Gemalto eToken 5110s, which are quite proprietary but
work with their own libraries in combination with pam_pkcs11 (not with OpenSC in any way or
form).
The system this is being worked on is a Debian 12 machine, enrolled in our FreeIPA.
The certificates configured on these eTokens have a UPN username in the X509v3 Subject
Alternative Name for Windows logon.
The certificates are from another authority and are unknown to our FreeIPA, and we cannot
reach the other authority.
To still use them, we configured pam_pkcs11 with checks for the root CA, signature and CRL,
which all work.
To log the users in, I used pam_pkcs11 with the generic mapper and map the UPN name to
one of our FreeIPA usernames, which had been logged into the Debian 12 system
beforehand.
This works very well, meaning that all our eTokens (basically sharing the same UPN
username, but still being different certs) are mapped to this one internal user which has
been created in FreeIPA. Thanks to this rework, any member can take his/her eToken and
successfully log into the system.
However, it does not trigger the generation of a Kerberos ticket for the FreeIPA user
that is logged in.
This is the final step I need for this to work, as this Kerberos ticket is the key
to all the applications that need to run.
Any idea how I can solve this?
Thanks so much!
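The set-up described in the post, written out as an added example (this is not the poster's own configuration file): a pam_pkcs11.conf that loads the vendor PKCS#11 library instead of OpenSC, enforces the root CA, signature and CRL checks, and uses the generic mapper to map the certificate's UPN Subject Alternative Name to a single FreeIPA login name. The library path, directory names, mapfile path and the UPN/username values are assumptions. Note that pam_pkcs11 only validates the certificate against its local CA store and CRLs and maps it to a login name; it never talks to a KDC, so this configuration on its own does not obtain a Kerberos ticket, which is consistent with what the post reports.

```conf
# /etc/pam_pkcs11/pam_pkcs11.conf  (added example; paths and names are assumptions)
pam_pkcs11 {
  nullok = false;
  debug = false;

  # Use the vendor PKCS#11 library rather than OpenSC, as the post describes.
  use_pkcs11_module = etoken;

  pkcs11_module etoken {
    module = /usr/lib/libeToken.so;          # assumed path of the Gemalto/SafeNet library
    description = "Gemalto eToken 5110";
    slot_num = 0;                            # 0 = first slot that holds a token
    ca_dir = /etc/pam_pkcs11/cacerts;        # external root CA, hashed with pkcs11_make_hash_link
    crl_dir = /etc/pam_pkcs11/crls;          # CRLs for that CA, also hash-linked
    support_threads = false;
    # Root CA chain, certificate signature and CRL are all enforced.
    cert_policy = ca,signature,crl_auto;
  }

  use_mappers = generic;

  mapper generic {
    debug = false;
    module = internal;
    ignorecase = false;
    # Take the UPN from the X509v3 Subject Alternative Name.
    cert_item = upn;
    # Mapfile: one line per mapping, "<upn> -> <login>", e.g. (assumed values)
    #   etoken-users@corp.example -> shareduser
    # Several different certificates carrying the same UPN all map to that one login.
    mapfile = file:///etc/pam_pkcs11/upn_mapping;
    use_getpwent = false;
  }
}
```

On Debian the module is then wired into the stack with a line such as `auth sufficient pam_pkcs11.so` placed before the sssd/unix entries in /etc/pam.d/common-auth. Before touching PAM, `pklogin_finder` (shipped with pam_pkcs11) prints the login the mapper resolves for the inserted token and `pkcs11_inspect` prints the raw cert items it extracted, which is the quickest way to confirm that the UPN is being read from the SAN and mapped to the intended FreeIPA account. After a successful login, `klist` run in that session shows whether any credential cache was created; with pam_pkcs11 alone there is none.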