On Mon, May 24, 2021 at 08:51:14AM -0000, Gary Letth wrote:
> Hi Sumit
> I followed your instructions to the letter and managed to log on with a smart card twice.
> Then on the third attempt it failed. This is what the krb5_child.log looks like:
Hi,
the first two requests use the KDC/AD DC with IP address:
...
(2021-05-22 21:39:10): [krb5_child[12908]] [sss_child_krb5_trace_cb] (0x4000): [12908] 1621712350.619247: Sending request (5547 bytes) to XXXXX.XXXXX.NET
(2021-05-22 21:39:10): [krb5_child[12908]] [sss_child_krb5_trace_cb] (0x4000): [12908] 1621712350.619248: Initiating TCP connection to stream 192.168.0.1:88
(2021-05-22 21:39:10): [krb5_child[12908]] [sss_child_krb5_trace_cb] (0x4000): [12908] 1621712350.619249: Sending TCP request to stream 192.168.0.1:88
...
(2021-05-22 21:41:02): [krb5_child[14076]] [sss_child_krb5_trace_cb] (0x4000): [14076] 1621712462.113664: Sending request (5547 bytes) to XXXXX.XXXXX.NET
(2021-05-22 21:41:02): [krb5_child[14076]] [sss_child_krb5_trace_cb] (0x4000): [14076] 1621712462.113665: Initiating TCP connection to stream 192.168.0.1:88
(2021-05-22 21:41:02): [krb5_child[14076]] [sss_child_krb5_trace_cb] (0x4000): [14076] 1621712462.113666: Sending TCP request to stream 192.168.0.1:88
While the last one uses the AD DC with IP address:
...
(2021-05-22 22:01:52): [krb5_child[21961]] [sss_child_krb5_trace_cb] (0x4000): [21961] 1621713712.123183: Sending request (5547 bytes) to XXXXX.XXXXX.NET
(2021-05-22 22:01:52): [krb5_child[21961]] [sss_child_krb5_trace_cb] (0x4000): [21961] 1621713712.123184: Initiating TCP connection to stream 192.168.0.2:88
(2021-05-22 22:01:52): [krb5_child[21961]] [sss_child_krb5_trace_cb] (0x4000): [21961] 1621713712.123185: Sending TCP request to stream 192.168.0.2:88
(2021-05-22 22:01:52): [krb5_child[21961]] [sss_child_krb5_trace_cb] (0x4000): [21961] 1621713712.123186: Received answer (4732 bytes) from stream 192.168.0.2:88
(2021-05-22 22:01:52): [krb5_child[21961]] [sss_child_krb5_trace_cb] (0x4000): [21961] 1621713712.123187: Terminating TCP connection to stream 192.168.0.2:88
(2021-05-22 22:01:52): [krb5_child[21961]] [sss_child_krb5_trace_cb] (0x4000): [21961] 1621713712.123188: Response was from master KDC
(2021-05-22 22:01:52): [krb5_child[21961]] [sss_child_krb5_trace_cb] (0x4000): [21961] 1621713712.123189: Processing preauth types: PA-PK-AS-REP (17)
(2021-05-22 22:01:52): [krb5_child[21961]] [sss_child_krb5_trace_cb] (0x4000): [21961] 1621713712.123190: PKINIT OpenSSL error: Failed to verify received certificate (depth 0): unable to get local issuer certificate
(2021-05-22 22:01:52): [krb5_child[21961]] [sss_child_krb5_trace_cb] (0x4000): [21961] 1621713712.123191: PKINIT client could not verify DH reply
(2021-05-22 22:01:52): [krb5_child[21961]] [sss_child_krb5_trace_cb] (0x4000): [21961] 1621713712.123192: Preauth module pkinit (17) (real) returned: -1765328314/Failed to verify received certificate (depth 0): unable to get local issuer certificate
...
So it looks like you have all the certificates needed to verify the AD DC
certificate of 192.168.0.1 in the pkinit_anchors, but the one for
192.168.0.2 is missing. I guess you have added the AD DC certificate of
192.168.0.1 directly and not the one of the CA which signed it; I assume
both AD DC certificates were issued by the same CA.
HTH
bye,
Sumit
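The diagnosis above was done by reading the trace lines by hand: find which KDC each krb5_child process talked to, then see whether a PKINIT verification error followed. The script below is an added example (not part of this thread or of SSSD) that automates that correlation over krb5_child.log; the sample log is constructed in the shape of the excerpts above, with made-up PIDs, timestamps and IPs.

```python
import re

# Constructed sample in the format of the krb5_child.log lines quoted above.
SAMPLE_LOG = """\
(2021-05-22 21:39:10): [krb5_child[12908]] [sss_child_krb5_trace_cb] (0x4000): [12908] 1621712350.619249: Sending TCP request to stream 192.168.0.1:88
(2021-05-22 21:39:10): [krb5_child[12908]] [sss_child_krb5_trace_cb] (0x4000): [12908] 1621712350.619250: Received answer (4732 bytes) from stream 192.168.0.1:88
(2021-05-22 21:39:10): [krb5_child[12908]] [sss_child_krb5_trace_cb] (0x4000): [12908] 1621712350.619251: Processing preauth types: PA-PK-AS-REP (17)
(2021-05-22 22:01:52): [krb5_child[21961]] [sss_child_krb5_trace_cb] (0x4000): [21961] 1621713712.123185: Sending TCP request to stream 192.168.0.2:88
(2021-05-22 22:01:52): [krb5_child[21961]] [sss_child_krb5_trace_cb] (0x4000): [21961] 1621713712.123190: PKINIT OpenSSL error: Failed to verify received certificate (depth 0): unable to get local issuer certificate
(2021-05-22 22:01:52): [krb5_child[21961]] [sss_child_krb5_trace_cb] (0x4000): [21961] 1621713712.123191: PKINIT client could not verify DH reply
"""

# One libkrb5 trace line as relayed by sss_child_krb5_trace_cb; we key on the child PID.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[krb5_child\[(?P<pid>\d+)\]\] \[sss_child_krb5_trace_cb\] "
    r"\(0x4000\): \[\d+\] \d+\.\d+: (?P<msg>.*)$"
)
KDC_RE = re.compile(r"Sending TCP request to stream (?P<kdc>[\d.]+:\d+)")
ERR_RE = re.compile(r"PKINIT OpenSSL error: (?P<err>.*)")


def pkinit_errors_by_kdc(log_text):
    """Map each KDC contacted to the distinct PKINIT certificate errors that
    followed a request to it within the same krb5_child process.
    An empty list means every exchange with that KDC verified cleanly."""
    current_kdc = {}  # pid -> KDC this child most recently sent a request to
    result = {}       # kdc -> set of error strings
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        k = KDC_RE.search(msg)
        if k:
            current_kdc[pid] = k["kdc"]
            result.setdefault(k["kdc"], set())
            continue
        e = ERR_RE.search(msg)
        if e and pid in current_kdc:
            result[current_kdc[pid]].add(e["err"])
    return {kdc: sorted(errs) for kdc, errs in result.items()}


if __name__ == "__main__":
    for kdc, errs in pkinit_errors_by_kdc(SAMPLE_LOG).items():
        print(kdc, "OK" if not errs else "; ".join(errs))
```

A KDC that shows "unable to get local issuer certificate" while its siblings are clean points at a missing issuer in pkinit_anchors for that DC, which is exactly the situation diagnosed in the reply above.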