Thanks a bunch, disabling OCSP verification works (and to test with p11_child you can set the parameter '--verify=no_ocsp'). 

So, now I can see in debug logs that sssd finds my smartcard certificate but now it fails trying to verify it against the provider (AD). So what are the requirements for this to work on 7.4? This page:

http://rhelblog.redhat.com/2017/09/26/smart-card-support-in-red-hat-enterprise-linux/

implies that it is no longer necessary to store the entire certificate for the user in AD. It instead mentions a 'special attribute' but there is no detailed information about it there. Is there any more documentation about this?

Thanks, 
Adam


2017-10-19 11:19 GMT+02:00 Sumit Bose <sbose@redhat.com>:
On Thu, Oct 19, 2017 at 10:57:13AM +0200, Winberg, Adam wrote:
> I'm trying to get smartcard auth working with sssd on RHEL 7.4. We
> currently use a pam_pkcs11/pam_krb5 setup and I was hoping to simplify this
> by using sssd instead. Unfortunately I can't get it to work, sssd does not
> seem to detect my smartcard certificate.
>
> Running p11_child I get the following:
>
> $ /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --nssdb=/etc/pki/nssdb --pin
> (Thu Oct 19 10:43:19:786759 2017) [[sssd[p11_child[6320]]]] [main]
> (0x0400): p11_child started.
> (Thu Oct 19 10:43:19:786836 2017) [[sssd[p11_child[6320]]]] [main]
> (0x2000): Running in [pre-auth] mode.
> (Thu Oct 19 10:43:19:786849 2017) [[sssd[p11_child[6320]]]] [main]
> (0x2000): Running with effective IDs: [0][0].
> (Thu Oct 19 10:43:19:786859 2017) [[sssd[p11_child[6320]]]] [main]
> (0x2000): Running with real IDs [0][0].
> (Thu Oct 19 10:43:20:755639 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): Default Module List:
> (Thu Oct 19 10:43:20:755722 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): common name: [NSS Internal PKCS #11 Module].
> (Thu Oct 19 10:43:20:755753 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): dll name: [(null)].
> (Thu Oct 19 10:43:20:755780 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): common name: [p11-kit-trust].
> (Thu Oct 19 10:43:20:755864 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): dll name: [/usr/lib64/pkcs11/p11-kit-trust.so].
> (Thu Oct 19 10:43:20:755900 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): common name: [OpenSC PKCS #11 Module].
> (Thu Oct 19 10:43:20:755958 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): dll name: [/usr/lib64/pkcs11/opensc-pkcs11.so].
> (Thu Oct 19 10:43:20:755992 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): Dead Module List:
> (Thu Oct 19 10:43:20:756025 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): DB Module List:
> (Thu Oct 19 10:43:20:756057 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): common name: [NSS Internal Module].
> (Thu Oct 19 10:43:20:756085 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): dll name: [(null)].
> (Thu Oct 19 10:43:20:756112 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): common name: [Policy File].
> (Thu Oct 19 10:43:20:756140 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): dll name: [(null)].
> (Thu Oct 19 10:43:20:771873 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): Description [NSS User Private Key and Certificate Services
>            Mozilla Foundation              ] Manufacturer [Mozilla
> Foundation              ] flags [1].
> (Thu Oct 19 10:43:20:771969 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): Description [NSS Internal Cryptographic Services
>            Mozilla Foundation              ] Manufacturer [Mozilla
> Foundation              ] flags [1].
> (Thu Oct 19 10:43:20:772007 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): Description [/usr/share/pki/ca-trust-source
>             PKCS#11 Kit                      ] Manufacturer [PKCS#11 Kit
>                   ] flags [1].
> (Thu Oct 19 10:43:20:772037 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): Description [/etc/pki/ca-trust/source
>             PKCS#11 Kit                      ] Manufacturer [PKCS#11 Kit
>                   ] flags [1].
> (Thu Oct 19 10:43:20:772245 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): Description [Alcor Micro AU9540 00 00
>             Generic                         ] Manufacturer [Generic
>                  ] flags [7].
> (Thu Oct 19 10:43:20:772290 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): Found [identification (Instant EID IP9)] in slot [Alcor Micro
> AU9540 00 00][0] of module [3][/usr/lib64/pkcs11/opensc-pkcs11.so].
> (Thu Oct 19 10:43:20:772320 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): Token is NOT friendly.
> (Thu Oct 19 10:43:20:772346 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): Trying to switch to friendly to read certificate.
> (Thu Oct 19 10:43:20:772372 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): Login required.
> (Thu Oct 19 10:43:20:772397 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x0020): Login required but no pin available, continue.
> (Thu Oct 19 10:43:20:773994 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): found cert[identification (Instant EID
> IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com]
> (Thu Oct 19 10:43:20:774071 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): Filtered certificates:
> (Thu Oct 19 10:43:20:774167 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): found cert[identification (Instant EID
> IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com]
> (Thu Oct 19 10:43:20:804677 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x0040): Certificate [identification (Instant EID
> IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com] not valid [-8062],
> skipping.
> (Thu Oct 19 10:43:20:804857 2017) [[sssd[p11_child[6320]]]] [do_work]
> (0x4000): No certificate found.
>
>
> What does the error code '-8062' mean?

"The signer of the OCSP response is not authorized to give status for
this certificate."

Please see e.g.
https://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html
for other error codes as well. I will add a text output to the error
code in one of the upcoming versions.

It looks like the certificate of the OCSP responder cannot be validated.
Please add the related CA certificates to /etc/pki/nssdb. As an
alternative if you do not want to use OCSP you can disable it by setting

    certificate_verification = no_ocsp

in the [sssd] section of sssd.conf (see man sssd.conf for details)

HTH

bye,
Sumit
>
> Regards,
> Adam

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
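A small triage helper for p11_child debug output of the kind quoted in this thread. This is an added example and not part of the thread or of SSSD itself. It relies on the way NSS lays out its error codes in secerr.h (every SEC_ERROR_* value is SEC_ERROR_BASE, i.e. -0x2000 = -8192, plus a small offset, and the OCSP-related codes occupy the contiguous offsets 120 to 132, which is how -8062 resolves to SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE). The subset of names in the table, the regular expressions, the verdict labels and the sample log text (the thread's lines, unwrapped) are all constructed here; the remedies it prints are the two from Sumit's reply (import the missing CA certificates into /etc/pki/nssdb, or set certificate_verification = no_ocsp in the [sssd] section) plus Adam's note that p11_child accepts --verify=no_ocsp for a quick check.

```python
"""Decode 'Certificate [...] not valid [code]' lines from p11_child -d 10 output.

Added example, not SSSD code. NSS reports verification failures as negative
integers laid out from SEC_ERROR_BASE (-0x2000) upward, per NSS's secerr.h.
"""
import re

SEC_ERROR_BASE = -0x2000  # -8192, from NSS secerr.h

# Subset of secerr.h: offset from SEC_ERROR_BASE -> symbolic name.
SEC_ERROR_NAMES = {
    10: "SEC_ERROR_BAD_SIGNATURE",
    11: "SEC_ERROR_EXPIRED_CERTIFICATE",
    12: "SEC_ERROR_REVOKED_CERTIFICATE",
    13: "SEC_ERROR_UNKNOWN_ISSUER",
    20: "SEC_ERROR_UNTRUSTED_ISSUER",
    21: "SEC_ERROR_UNTRUSTED_CERT",
    120: "SEC_ERROR_OCSP_MALFORMED_REQUEST",
    121: "SEC_ERROR_OCSP_SERVER_ERROR",
    122: "SEC_ERROR_OCSP_TRY_SERVER_LATER",
    123: "SEC_ERROR_OCSP_REQUEST_NEEDS_SIG",
    124: "SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST",
    125: "SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS",
    126: "SEC_ERROR_OCSP_UNKNOWN_CERT",
    127: "SEC_ERROR_OCSP_NOT_ENABLED",
    128: "SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER",
    129: "SEC_ERROR_OCSP_MALFORMED_RESPONSE",
    130: "SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE",
    131: "SEC_ERROR_OCSP_FUTURE_RESPONSE",
    132: "SEC_ERROR_OCSP_OLD_RESPONSE",
}
OCSP_OFFSETS = range(120, 133)   # the OCSP block in secerr.h

# Verdict -> remedy text (the remedies discussed in the thread).
REMEDIES = {
    "ocsp": ("OCSP response could not be validated. Import the CA that issued "
             "the responder's signing certificate into /etc/pki/nssdb, or set "
             "'certificate_verification = no_ocsp' in [sssd] (this disables "
             "revocation checking; 'p11_child --verify=no_ocsp' tests it)."),
    "revoked": "Certificate is revoked; do not work around this.",
    "chain": "Chain does not validate; import the issuing CA(s) into /etc/pki/nssdb.",
    "usable": "Certificate passed verification.",
}

FOUND_RE = re.compile(r"found cert\[(?P<token>[^\]]*)\]\[(?P<subject>[^\]]*)\]")
INVALID_RE = re.compile(r"Certificate \[(?P<token>[^\]]*)\]\[(?P<subject>[^\]]*)\]"
                        r" not valid \[(?P<code>-?\d+)\]")


def nss_error_name(code):
    """Resolve a raw NSS code (e.g. -8062) to its secerr.h name."""
    offset = code - SEC_ERROR_BASE
    return SEC_ERROR_NAMES.get(offset, "UNKNOWN(SEC_ERROR_BASE+%d)" % offset)


def is_ocsp_error(code):
    return (code - SEC_ERROR_BASE) in OCSP_OFFSETS


def classify(code):
    if is_ocsp_error(code):
        return "ocsp"
    if code - SEC_ERROR_BASE == 12:
        return "revoked"
    return "chain"


def triage(log_text):
    """One dict per certificate p11_child considered, with code, name, verdict, remedy."""
    results = {}
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            key = (m.group("token"), m.group("subject"))
            results.setdefault(key, {"token": key[0], "subject": key[1], "code": None,
                                     "name": None, "verdict": "usable"})
            continue
        m = INVALID_RE.search(line)
        if m:
            key = (m.group("token"), m.group("subject"))
            entry = results.setdefault(key, {"token": key[0], "subject": key[1]})
            code = int(m.group("code"))
            entry.update(code=code, name=nss_error_name(code), verdict=classify(code))
    for entry in results.values():
        entry["remedy"] = REMEDIES[entry["verdict"]]
    return list(results.values())


# Constructed sample: the thread's p11_child lines, unwrapped onto single lines.
SAMPLE_LOG = """\
(Thu Oct 19 10:43:20:773994 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): found cert[identification (Instant EID IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com]
(Thu Oct 19 10:43:20:774071 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Filtered certificates:
(Thu Oct 19 10:43:20:774167 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): found cert[identification (Instant EID IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com]
(Thu Oct 19 10:43:20:804677 2017) [[sssd[p11_child[6320]]]] [do_work] (0x0040): Certificate [identification (Instant EID IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com] not valid [-8062], skipping.
(Thu Oct 19 10:43:20:804857 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): No certificate found.
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print("%s  code=%s (%s)  verdict=%s\n  %s"
              % (r["subject"], r["code"], r["name"], r["verdict"], r["remedy"]))
```

Feed it the output of `p11_child --pre -d 10 --debug-fd=2 ...` captured to a file; an "ocsp" verdict means the user certificate itself may well be fine and the trust problem is with the OCSP responder, which is exactly the case the thread turned out to be.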