Got smartcard auth working once I added my smart card cert to my user
account in AD. So that's good! Kerberos/pkinit seems to work also (I already
had that set up to work with pam_krb5 before), also good!
But is adding the smartcard cert to AD accounts the 'correct' way to go
about this or is there something new and better/easier, as the blog post
hinted about?
//Adam
2017-10-19 13:17 GMT+02:00 Winberg, Adam <adam.winberg(a)smhi.se>:
I've been debugging the OCSP issue as well and we can see that the OCSP
server responds to the request. This response is signed by a cert which is
issued by our CA, and that cert is indeed in my nssdb. So should this not
work? Do I have to have the actual OCSP server cert in nssdb, does
certificate chaining not work here?
Regards
Adam
2017-10-19 12:39 GMT+02:00 Winberg, Adam <adam.winberg(a)smhi.se>:
> Thanks a bunch, disabling OCSP verification works (and to test with
> p11_child you can set the parameter '--verify=no_ocsp').
>
> So, now I can see in debug logs that sssd finds my smartcard certificate
> but now it fails trying to verify it against the provider (AD). So what are
> the requirements for this to work on 7.4? This page:
>
>
> http://rhelblog.redhat.com/2017/09/26/smart-card-support-in-red-hat-enterprise-linux/
>
> implies that it is no longer necessary to store the entire certificate
> for the user in AD. It instead mentions a 'special attribute' but there is
> no detailed information about it there. Is there any more documentation
> about this?
>
> Thanks,
> Adam
>
>
> 2017-10-19 11:19 GMT+02:00 Sumit Bose <sbose(a)redhat.com>:
>
>> On Thu, Oct 19, 2017 at 10:57:13AM +0200, Winberg, Adam wrote:
>> > I'm trying to get smartcard auth working with sssd on RHEL 7.4. We
>> > currently use a pam_pkcs11/pam_krb5 setup and I was hoping to simplify
>> > this by using sssd instead. Unfortunately I can't get it to work, sssd does
>> > not seem to detect my smartcard certificate.
>> >
>> > Running p11_child I get the following:
>> >
>> > $ /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2
>> > --nssdb=/etc/pki/nssdb --pin
>> > (Thu Oct 19 10:43:19:786759 2017) [[sssd[p11_child[6320]]]] [main]
>> > (0x0400): p11_child started.
>> > (Thu Oct 19 10:43:19:786836 2017) [[sssd[p11_child[6320]]]] [main]
>> > (0x2000): Running in [pre-auth] mode.
>> > (Thu Oct 19 10:43:19:786849 2017) [[sssd[p11_child[6320]]]] [main]
>> > (0x2000): Running with effective IDs: [0][0].
>> > (Thu Oct 19 10:43:19:786859 2017) [[sssd[p11_child[6320]]]] [main]
>> > (0x2000): Running with real IDs [0][0].
>> > (Thu Oct 19 10:43:20:755639 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): Default Module List:
>> > (Thu Oct 19 10:43:20:755722 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): common name: [NSS Internal PKCS #11 Module].
>> > (Thu Oct 19 10:43:20:755753 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): dll name: [(null)].
>> > (Thu Oct 19 10:43:20:755780 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): common name: [p11-kit-trust].
>> > (Thu Oct 19 10:43:20:755864 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): dll name: [/usr/lib64/pkcs11/p11-kit-trust.so].
>> > (Thu Oct 19 10:43:20:755900 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): common name: [OpenSC PKCS #11 Module].
>> > (Thu Oct 19 10:43:20:755958 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): dll name: [/usr/lib64/pkcs11/opensc-pkcs11.so].
>> > (Thu Oct 19 10:43:20:755992 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): Dead Module List:
>> > (Thu Oct 19 10:43:20:756025 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): DB Module List:
>> > (Thu Oct 19 10:43:20:756057 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): common name: [NSS Internal Module].
>> > (Thu Oct 19 10:43:20:756085 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): dll name: [(null)].
>> > (Thu Oct 19 10:43:20:756112 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): common name: [Policy File].
>> > (Thu Oct 19 10:43:20:756140 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): dll name: [(null)].
>> > (Thu Oct 19 10:43:20:771873 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): Description [NSS User Private Key and Certificate Services
>> > Mozilla Foundation ] Manufacturer [Mozilla
>> > Foundation ] flags [1].
>> > (Thu Oct 19 10:43:20:771969 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): Description [NSS Internal Cryptographic Services
>> > Mozilla Foundation ] Manufacturer [Mozilla
>> > Foundation ] flags [1].
>> > (Thu Oct 19 10:43:20:772007 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): Description [/usr/share/pki/ca-trust-source
>> > PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1].
>> > (Thu Oct 19 10:43:20:772037 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): Description [/etc/pki/ca-trust/source
>> > PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1].
>> > (Thu Oct 19 10:43:20:772245 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): Description [Alcor Micro AU9540 00 00
>> > Generic ] Manufacturer [Generic
>> > ] flags [7].
>> > (Thu Oct 19 10:43:20:772290 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): Found [identification (Instant EID IP9)] in slot [Alcor Micro
>> > AU9540 00 00][0] of module [3][/usr/lib64/pkcs11/opensc-pkcs11.so].
>> > (Thu Oct 19 10:43:20:772320 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): Token is NOT friendly.
>> > (Thu Oct 19 10:43:20:772346 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): Trying to switch to friendly to read certificate.
>> > (Thu Oct 19 10:43:20:772372 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): Login required.
>> > (Thu Oct 19 10:43:20:772397 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x0020): Login required but no pin available, continue.
>> > (Thu Oct 19 10:43:20:773994 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): found cert[identification (Instant EID
>> > IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com]
>> > (Thu Oct 19 10:43:20:774071 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): Filtered certificates:
>> > (Thu Oct 19 10:43:20:774167 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): found cert[identification (Instant EID
>> > IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com]
>> > (Thu Oct 19 10:43:20:804677 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x0040): Certificate [identification (Instant EID
>> > IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com] not valid
>> > [-8062], skipping.
>> > (Thu Oct 19 10:43:20:804857 2017) [[sssd[p11_child[6320]]]] [do_work]
>> > (0x4000): No certificate found.
>> >
>> >
>> > What does the error code '-8062' mean?
>>
>> "The signer of the OCSP response is not authorized to give status for
>> this certificate."
>>
>> Please see e.g.
>>
>> https://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html
>> for other error codes as well. I will add a text output to the error
>> code in one of the upcoming versions.
>>
>> It looks like the certificate of the OCSP responder cannot be validated.
>> Please add the related CA certificates to /etc/pki/nssdb. As an
>> alternative if you do not want to use OCSP you can disable it by setting
>>
>> certificate_verification = no_ocsp
>>
>> in the [sssd] section of sssd.conf (see man sssd.conf for details)
>>
>> HTH
>>
>> bye,
>> Sumit
>> >
>> > Regards,
>> > Adam
>>
>> > _______________________________________________
>> > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>> > To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
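Sumit's explanation of -8062 (NSS's SEC_ERROR_OCSP_INVALID_SIGNING_CERT) and Adam's follow-up question (the responder's signing cert is issued by "our CA" and is in the nssdb, yet the check still fails) come down to the same rule, which is worth seeing end to end. Under RFC 6960 a strict verifier such as NSS accepts an OCSP response only if it is signed by the CA that issued the certificate being checked, or by a responder certificate that this same CA issued with the id-kp-OCSPSigning extended key usage; merely chaining to some CA in the trust database is not enough, and a responder cert issued by a different CA, or one without that EKU, is rejected even when every CA involved is trusted. The script below is an added example, not code from the thread or from SSSD or NSS. It builds a throwaway PKI with openssl (the names "Example CA", "Other CA", user1 and the serial numbers are assumed, and all keys and certificates are generated on the spot as test data), answers an OCSP request for user1 with three different signers, and verifies each answer with `openssl ocsp -no_explicit`, which switches off OpenSSL's lenient fallback of accepting any signer that chains to a self-signed trusted root, so that it applies the same rule p11_child does:

```shell
#!/bin/sh
# Added example, not code from the thread, SSSD or NSS. Builds a throwaway
# PKI with openssl and checks which OCSP response signers a strict verifier
# accepts. "Example CA", "Other CA", user1 and the serials are assumed names.
set -eu

# Extension profiles for the certs we issue; [req]/[dn] only exist so that
# "openssl req" accepts this file as its config (-subj overrides the CN).
write_config() {
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[user]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ocsp]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = OCSPSigning
[noeku]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
EOF
}

# make_ca DIR NAME SUBJECT: self-signed CA key and cert.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$3" \
        -config "$1/pki.cnf" -extensions ca \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR NAME CA PROFILE SERIAL SUBJECT: end-entity cert signed by CA.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$6" -config "$1/pki.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -set_serial "$5" -days 365 -extfile "$1/pki.cnf" -extensions "$4" \
        -out "$1/$2.pem" 2>/dev/null
}

# sign_response DIR SIGNER: build an OCSP request for user1 and answer it in
# openssl's offline responder mode, signing with SIGNER's key. The index file
# is the "CA database" openssl consults: user1 (serial 1001) is valid (V).
sign_response() {
    printf 'V\t330101000000Z\t\t1001\tunknown\t/CN=user1\n' > "$1/index.txt"
    openssl ocsp -issuer "$1/ca.pem" -cert "$1/user1.pem" -no_nonce \
        -reqout "$1/req.der" >/dev/null 2>&1 || true
    openssl ocsp -index "$1/index.txt" -CA "$1/ca.pem" -rmd sha256 \
        -rsigner "$1/$2.pem" -rkey "$1/$2.key" \
        -reqin "$1/req.der" -respout "$1/resp-$2.der" >/dev/null 2>&1 || true
    [ -s "$1/resp-$2.der" ]
}

# verify_response DIR SIGNER: exit 0 only if the response is signed by user1's
# issuer or by a responder that issuer certified with the OCSPSigning EKU.
# -no_explicit turns off OpenSSL's lenient fallback (accept any signer that
# chains to a self-signed trusted root), which is the rule NSS applies.
verify_response() {
    openssl ocsp -respin "$1/resp-$2.der" -CAfile "$1/trust.pem" \
        -issuer "$1/ca.pem" -cert "$1/user1.pem" -no_nonce -no_explicit \
        >/dev/null 2>&1
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
write_config "$DEMO_DIR"
make_ca "$DEMO_DIR" ca "/CN=Example CA"
make_ca "$DEMO_DIR" otherca "/CN=Other CA"
# Both CAs are trusted, so trust alone does not decide the outcome below.
cat "$DEMO_DIR/ca.pem" "$DEMO_DIR/otherca.pem" > "$DEMO_DIR/trust.pem"
issue_cert "$DEMO_DIR" user1 ca user 0x1001 "/CN=user1"
issue_cert "$DEMO_DIR" ocsp ca ocsp 0x2001 "/CN=Example CA OCSP Responder"
issue_cert "$DEMO_DIR" noeku ca noeku 0x2002 "/CN=Responder without EKU"
issue_cert "$DEMO_DIR" foreign otherca ocsp 0x2003 "/CN=Other CA OCSP Responder"
for signer in ocsp noeku foreign; do
    sign_response "$DEMO_DIR" "$signer"
    if verify_response "$DEMO_DIR" "$signer"; then
        echo "$signer: accepted"
    else
        echo "$signer: rejected (would be -8062 in p11_child)"
    fi
done
```

Only the `ocsp` signer is accepted: `noeku` is issued by the right CA but lacks OCSPSigning, and `foreign` has the EKU but was issued by a CA other than user1's issuer. Dropping `-no_explicit` makes OpenSSL accept all three, which is why a responder can look fine from a client that uses OpenSSL and still produce -8062 under NSS. On the RHEL host the corresponding checks are to confirm with `openssl x509 -in responder.pem -noout -issuer -ext extendedKeyUsage` (file name assumed) that the responder certificate names the user certificate's issuer and carries OCSPSigning, and to make sure that issuing CA is in the database p11_child reads, e.g. `certutil -d /etc/pki/nssdb -A -n "Example CA" -t "CT,C,C" -i ca.pem`.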