Hi,

I'm trying to configure smartcard (pkinit) authentication against Active Directory on the latest CentOS without success.

AD authentication without a smartcard works without problems, and standalone kinit with a smartcard also works, but I can't manage to log in with a smartcard and sssd.

Is it supposed to work in its current state? What problem does the mentioned patch address?

I included krb5.conf, sssd.conf and krb5_child.log. What I considered strange is this part:

 

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_responder] (0x4000): Got question [pkinit].

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [answer_pkinit] (0x4000): [0] Identity [PKCS11:module_name=libcoolkeypk11.so:slotid=1:token=Pavel Arnošt] flags [0].

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [answer_pkinit] (0x4000): Setting pkinit_prompting.

(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.

(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Pavel Arnošt                    PIN].

(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.

(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87842: PKINIT client has no configured identity; giving up

(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87843: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed

 

i.e. the X509 identity is found but not used, and the prompt for the PIN is ignored?

 

What can be wrong? Thanks.

 

krb5.conf:

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
dns_canonicalize_hostname = false
rdns = false
default_realm = VALVERA.LOCAL
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
VALVERA.LOCAL = {
   kdc = 172.30.30.30
   admin_server = 172.30.30.30
   pkinit_anchors = FILE:/etc/ca.crt
   pkinit_eku_checking = kpServerAuth
   pkinit_kdc_hostname = valvera.local
   pkinit_identities = PKCS11:libcoolkeypk11.so
}

 

sssd.conf:

[sssd]
debug_level = 9
domains = valvera.local
config_file_version = 2
services = nss, pam

[pam]
pam_cert_auth = True

[domain/valvera.local]
debug_level = 9
ad_domain = valvera.local
krb5_realm = VALVERA.LOCAL
ldap_user_certificate = userCertificate;binary
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad

 

krb5_child.log:

 

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [main] (0x0400): krb5_child started.

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [unpack_buffer] (0x1000): total buffer size: [202]

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [unpack_buffer] (0x0100): cmd [249] uid [650201177] gid [650200513] validate [true] enterprise principal [true] offline [false] UPN [arnost@VALVERA.LOCAL]

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:650201177] old_ccname: [KEYRING:persistent:650201177] keytab: [/etc/krb5.keytab]

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [check_use_fast] (0x0100): Not using FAST.

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [main] (0x2000): Running as [0][0].

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [k5c_setup] (0x2000): Running as [0][0].

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested.

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [set_lifetime_options] (0x0100): No specific lifetime requested.

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [main] (0x0400): Will perform pre-auth

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [tgt_req_child] (0x1000): Attempting to get a TGT

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [get_and_save_tgt] (0x4000): Found Smartcard credentials, trying pkinit.

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [get_pkinit_identity] (0x4000): Got [Pavel Arnošt][libcoolkeypk11.so].

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [get_pkinit_identity] (0x4000): Using pkinit identity [PKCS11:module_name=libcoolkeypk11.so:token=Pavel Arnošt:certid=0001].

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [VALVERA.LOCAL]

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480064: Getting initial credentials for arnost\@VALVERA.LOCAL@VALVERA.LOCAL

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480066: Sending request (209 bytes) to VALVERA.LOCAL

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480067: Initiating TCP connection to stream 172.30.30.30:88

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480068: Sending TCP request to stream 172.30.30.30:88

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480069: Received answer (189 bytes) from stream 172.30.30.30:88

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480070: Terminating TCP connection to stream 172.30.30.30:88

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480071: Response was from master KDC

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480072: Received error from KDC: -1765328359/Additional pre-authentication required

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480075: Processing preauth types: 16, 15, 19, 2

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480076: Selected etype info: etype aes256-cts, salt "VALVERA.LOCALarnost", params ""

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_responder] (0x4000): Got question [pkinit].

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [answer_pkinit] (0x4000): [0] Identity [PKCS11:module_name=libcoolkeypk11.so:slotid=1:token=Pavel Arnošt] flags [0].

(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [answer_pkinit] (0x4000): Setting pkinit_prompting.

(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.

(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Pavel Arnošt                    PIN].

(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.

(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87842: PKINIT client has no configured identity; giving up

(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87843: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed

(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87844: PKINIT client has no configured identity; giving up

(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87845: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed

(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.

(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for arnost\@VALVERA.LOCAL@VALVERA.LOCAL].

(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.

(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87846: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password

(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [-1765328174] during pre-auth.

(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [k5c_send_data] (0x0200): Received error code 0

(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [pack_response_packet] (0x2000): response packet size: [12]

(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [k5c_send_data] (0x4000): Response sent.

(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [main] (0x0400): krb5_child completed successfully

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [main] (0x0400): krb5_child started.

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [unpack_buffer] (0x1000): total buffer size: [208]

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [unpack_buffer] (0x0100): cmd [241] uid [650201177] gid [650200513] validate [true] enterprise principal [true] offline [false] UPN [arnost@VALVERA.LOCAL]

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:650201177] old_ccname: [KEYRING:persistent:650201177] keytab: [/etc/krb5.keytab]

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [check_use_fast] (0x0100): Not using FAST.

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [switch_creds] (0x0200): Switch user to [650201177][650200513].

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [switch_creds] (0x0200): Switch user to [0][0].

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KEYRING:persistent:650201177] and is not active and TGT is  valid.

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [main] (0x2000): Running as [0][0].

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [k5c_setup] (0x2000): Running as [0][0].

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested.

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [set_lifetime_options] (0x0100): No specific lifetime requested.

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [main] (0x0400): Will perform online auth

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [tgt_req_child] (0x1000): Attempting to get a TGT

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_and_save_tgt] (0x4000): Found Smartcard credentials, trying pkinit.

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_pkinit_identity] (0x4000): Got [Pavel Arnošt][libcoolkeypk11.so].

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_pkinit_identity] (0x4000): Using pkinit identity [PKCS11:module_name=libcoolkeypk11.so:token=Pavel Arnošt:certid=0001].

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [VALVERA.LOCAL]

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364762: Getting initial credentials for arnost\@VALVERA.LOCAL@VALVERA.LOCAL

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364764: Sending request (209 bytes) to VALVERA.LOCAL

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364765: Initiating TCP connection to stream 172.30.30.30:88

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364766: Sending TCP request to stream 172.30.30.30:88

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364767: Received answer (189 bytes) from stream 172.30.30.30:88

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364768: Terminating TCP connection to stream 172.30.30.30:88

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364769: Response was from master KDC

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364770: Received error from KDC: -1765328359/Additional pre-authentication required

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364773: Processing preauth types: 16, 15, 19, 2

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364774: Selected etype info: etype aes256-cts, salt "VALVERA.LOCALarnost", params ""

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_krb5_responder] (0x4000): Got question [pkinit].

(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [answer_pkinit] (0x4000): [0] Identity [PKCS11:module_name=libcoolkeypk11.so:slotid=1:token=Pavel Arnošt] flags [0].


 

Thanks,

Regards,

Pavel
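
An added example, not part of the original post and not SSSD code: a small parser for the krb5_child.log line layout shown above. It groups lines by child PID and extracts the pkinit identity that was selected, the prompts the prompter refused, and each preauth module's return code. The function name `summarize` and the regular expressions are assumptions inferred from the lines in the post; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Layout inferred from the post:
# (timestamp) [[sssd[krb5_child[PID]]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)$"
)
IDENTITY_RE = re.compile(r"Using pkinit identity \[(.+)\]\.$")
PROMPT_RE = re.compile(r"^Prompt \[\d+\]\[(.+)\]\.$")
PREAUTH_RE = re.compile(
    r"Preauth module (\w+) \((\d+)\) \(real\) returned: (-?\d+)/(.+)$"
)

# Sample lines copied from the krb5_child.log in the post (raw string keeps "\@").
SAMPLE = r"""
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [get_pkinit_identity] (0x4000): Using pkinit identity [PKCS11:module_name=libcoolkeypk11.so:token=Pavel Arnošt:certid=0001].
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Pavel Arnošt                    PIN].
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87843: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for arnost\@VALVERA.LOCAL@VALVERA.LOCAL].
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87846: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password
"""


def summarize(log_text):
    """Group krb5_child lines by PID and collect the pkinit-relevant facts."""
    out = defaultdict(
        lambda: {"identity": None, "refused_prompts": [], "preauth": []}
    )
    last_prompt = {}  # most recent prompt text seen per PID
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        pid, func, msg = m["pid"], m["func"], m["msg"]
        rec = out[pid]
        if func == "get_pkinit_identity" and (i := IDENTITY_RE.search(msg)):
            rec["identity"] = i.group(1)
        elif func == "sss_krb5_prompter":
            if p := PROMPT_RE.match(msg):
                # Collapse the padding inside the token label prompt.
                last_prompt[pid] = " ".join(p.group(1).split())
            elif msg == "Cannot handle password prompts." and pid in last_prompt:
                rec["refused_prompts"].append(last_prompt.pop(pid))
        elif func == "sss_child_krb5_trace_cb" and (r := PREAUTH_RE.search(msg)):
            rec["preauth"].append(
                (r.group(1), int(r.group(2)), int(r.group(3)), r.group(4))
            )
    return dict(out)


if __name__ == "__main__":
    for pid, rec in summarize(SAMPLE).items():
        print(pid, rec)
```
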