On Thu, Apr 02, 2020 at 03:32:43PM +0200, mbalembo wrote:
Hello,
I'm having trouble adding etoken support to SSSD/openldap on a gentoo.
I have setup nssdb in /etc/pki/nssdb and add Safenet library to access
etoken.
I can successfully get the certificate in token with :
# /usr/libexec/sssd/p11_child --pre --nssdb=/etc/pki/CA/
Hi,
which version of SSSD are you using? I guess you've meant
'--nssdb=/etc/pki/nssdb' in the example above?
now, to sssd itself ;
I'm trying an ssh login, and the output on term is :
# ssh bar(a)example.com
Please enter smart card
Please enter smart card
Please enter smart card
bar(a)example.com: Permission denied (publickey,keyboard-interactive).
With ssh everything is different, please check e.g.
https://docs.pagure.org/SSSD.sssd/design_pages/smartcard_authentication_s...
about how to use Smartcards with ssh. Typically the Smartcard reader is
not attached to the host you want to authenticate to and as a result
SSSD cannot handle the Smartcard authentication in this case.
I can see in p11_child.log that, it use nssdb to (successfully !) connect to
the smartcard.
I can see the correct label, the correct subject.
The keyId is found (I don't understand why i need it and I'm not sure if the
value i picked is right ?)
Anyway, I get my uri, everything seem fine on this side.
Looking at sss_LDAP.log, i can see the request, everything look cool, i got
:
sssd.dataprovider.pamHandler: Success
On the other side, in sss_pam.log i can see the same request but it end with
:
[pam_dp_send_req_done] (0x0200): received: [28 (Module inconnu)][LDAP]
(..)
[pam_eval_prompting_config] (0x4000): No prompting configuration
found.
(Thu Apr 2 15:23:08 2020) [sssd[pam]] [pam_reply] (0x0200): blen: 21
(Thu Apr 2 15:23:08 2020) [sssd[pam]] [pam_reply] (0x0200):
Returning [28]: Module inconnu to the client
(Thu Apr 2 15:23:08 2020) [sssd[pam]] [client_recv] (0x0200):
Client disconnected!
I'm confused at how to understand this.
The sssd.conf is attached.
Thanks,
Marc
[sssd]
config_file_version = 2
reconnection_retries = 3
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = LDAP
certificate_verification = no_oscp
#certificate_verification = no_verification
debug_level = 6
[nss]
#filter_users = root,admin,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
[pam]
pam_cert_auth = True
pam_p11_allowed_services = +sddm, +sddm-helper, +kde, +sshd
Please do not 'sshd' here as mentioned above this would not work. For
the first steps I would recommend to try to log in on a text console or
try after logging in to the host where the Smartcard reader is connected
to run 'su' or 'sudo'. I have not tested sddm or kdm, so I'm not sure
if
they should work out of the box.
Feel free to send the SSSD logs if Smartcard authentication with
/bin/login, su or sudo still does not work.
HTH
bye,
Sumit
p11_wait_for_card_timeout = 10
p11_child_timeout = 10
#debug_level = 6
[domain/files]
id_provider = files
# Example LDAP domain
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group
member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
ldap_schema = rfc2307
ldap_uri =
ldap://example.com
ldap_search_base = dc=example,dc=com
#ldap_tls_reqcert = never
filter = "(&(objectClass=posixAccount)(uid=%s))"
ldap_user_certificate = userCertificate;binary
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
enumerate = true
# Allow offline logins by locally storing password hashes (default: false).
cache_credentials = true
[certmap/LDAP/bar]
#matchrule = <ISSUER>^C = FR, ST = France, O = Example, CN = Example Intermediate
CA$
matchrule = <SUBJECT>^CN=bar,O=Example,ST=France,C=FR$
maprule = (userCertificate;binary={cert!bin})
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...