On Fri, Oct 25, 2019, at 4:41 PM, James Ralston wrote:
On Mon, Oct 21, 2019 at 4:25 PM James Cassell
> PuTTY can do this ticket forwarding. The limiting factor is
> convincing the Active Directory team (or the security team) to
> enable the checkbox "Trust this computer for delegation to any
> service (Kerberos only)" -- there is also an adcli command line
> arg to set this option on Computer Account creation, but I've
> not tried setting it with adcli. I've gotten this working for
> the subset of machines for which InfoSec approved using
> the "Trust this computer for delegation to any
> service (Kerberos only)" checkbox.
Interesting. Is this a setting on the computer object of the target
host, or on the (Windows) client where PuTTY is being executed?
This is a setting on each Computer object. Delegation is only allowed when connection to
machines that have it set, so from my Windows workstation, delegation would work when
connecting to some machines but not others depending on the setting for each target
machine. Linux doesn't seem to honor the setting, so you can delegate anywhere with
> (Side note: is there a good guide to setting up NFSv4 w/
> I've been wanting to do this instead of forcing cifs/samba into its
> place... virtually every NFS guide I've found left things
I wasn't able to find a good guide; we had to puzzle out the
I can try to write up a guide for that (in my copious free time, ha),
but in the meantime, shoot me off-list mail if you have specific
Thanks for the offer. I know how it goes with free time...
> I was also able to get this [smartcard login] working at the
> console. I didn't do anything special for the console; it just
> worked once the GUI was working.
I've been able to get /usr/bin/login to prompt for the username/PIN,
but it still fails, even after I enter the correct PIN (that works in
This might be a PAM stack configuration issue, though. I'll have to
dig into it further.
Last I tested this, I think I was using pam_sss solely, not also pam_pkcs11, which is
required if you need to enforce smart card login at the machine level (rather than
globally in AD.)
> I'm in a similar situation... hoping to not write my own
> ansible role, but I'll probably need to write one since I didn't see
> a good existing one.
I figured out a way to avoid needing to maintain certificates in
/etc/pki/nssdb. You only need to do these two things:
$ pkcs11-switch opensc
$ ln -s /usr/lib64/libnssckbi.so /etc/pki/nssdb/
As long as alternatives is using p11-kit-trust.so:
$ alternatives --display libnssckbi.so.x86_64
libnssckbi.so.x86_64 - status is auto.
link currently points to /usr/lib64/pkcs11/p11-kit-trust.so
/usr/lib64/pkcs11/p11-kit-trust.so - priority 30
/usr/lib64/nss/libnssckbi.so - priority 10
Current `best' version is /usr/lib64/pkcs11/p11-kit-trust.so.
…then p11-kit-trust.so will automatically shim the certificate trust
database maintained by update-ca-trust(8) into NSSDB.
Awesome, that sounds like a huge time saver! I'm going to try that next week.
> It's [smartcard logins] certainly not going away anytime
> companies who have government, and especially DoD, contracts.
I did finally get full sssd PKINIT logins working with gdm, BTW.
Thanks to you (and you, Sumit) for your assistance; it was
Next step: to write a guide for this and throw it up somewhere (GitHub
or Pagure) so that others can contribute and expand it…
That would be great!