Hello,
I would like to implement smartcard authentication against Microsoft AD with sssd on Ubuntu 20.04 LTS. I am able to log in to AD with a password, but when I try to use a smartcard, the login waits for about a minute and then the password window pops up; even if I enter the correct password, I get the following error: "Authentication failure". When I run kinit with the smartcard for the same user, it succeeds and I get a TGT.
I would appreciate your help on this subject. I have attached the configuration files krb5.conf and sssd.conf, and the log file krb5_child.log.
Thank you, Rudi
##################################### krb5.conf #####################################
[logging]
# Client-library log only; KDC-side PKINIT decisions are logged on the DC, not here.
default = FILE:/var/log/krb5libs.log

[libdefaults]
default_realm = DOMAIN.TEST
# NOTE(review): the posted text was collapsed onto one line; the line breaks below
# follow the '#' markers, so confirm in the real file which of these keys are active.
# dns_lookup_realm = true
# dns_lookup_kdc = true
ticket_lifetime = 24h
# renew_lifetime = 7d
# forwardable = true
# rdns = false
# Accept a KDC certificate by this dNSName instead of the id-pkinit-san (AD's KDC
# certificates typically lack the latter). Any CA trusted under pkinit_anchors can then
# issue a certificate for this name, so that directory should hold only the CA(s) that
# actually issue the domain controllers' certificates.
pkinit_kdc_hostname = DC.DOMAIN.TEST
# pkinit_allow_upn = true
# Trust roots for the KDC certificate (see note above).
pkinit_anchors = DIR:/etc/rootcas/
# Intermediate pool; here it points at the same directory as the anchors.
pkinit_pool = DIR:/etc/rootcas/
# Client identity for command-line kinit. krb5_child.log shows sssd presenting its own
# identity string (PKCS11:module_name=/lib/libsadaptor.so:slotid=2:token=Crypto Token),
# so this entry is presumably not what the sssd login path uses — confirm.
pkinit_identities = PKCS11:/lib/libsadaptor.so
# Matches the ccname reported in krb5_child.log (KEYRING:persistent:<uid>).
default_ccache_name = KEYRING:persistent:%{uid}
canonicalize = true

# The following krb5.conf variables are only for MIT Kerberos.
# kdc_timesync = 1
# ccache_type = 4
# proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true

[realms]
# NOTE(review): DOMAIN.TEST has no entry here, so its KDC is located via DNS
# (krb5_child.log shows 10.0.0.3:88 answering). The realms below are stock
# example entries unrelated to this deployment.
ATHENA.MIT.EDU = {
    kdc = kerberos.mit.edu
    kdc = kerberos-1.mit.edu
    kdc = kerberos-2.mit.edu:88
    admin_server = kerberos.mit.edu
    default_domain = mit.edu
}
ZONE.MIT.EDU = {
    kdc = casio.mit.edu
    kdc = seiko.mit.edu
    admin_server = casio.mit.edu
}
CSAIL.MIT.EDU = {
    admin_server = kerberos.csail.mit.edu
    default_domain = csail.mit.edu
}
IHTFP.ORG = {
    kdc = kerberos.ihtfp.org
    admin_server = kerberos.ihtfp.org
}
1TS.ORG = {
    kdc = kerberos.1ts.org
    admin_server = kerberos.1ts.org
}
ANDREW.CMU.EDU = {
    admin_server = kerberos.andrew.cmu.edu
    default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
    kdc = kerberos-1.srv.cs.cmu.edu
    kdc = kerberos-2.srv.cs.cmu.edu
    kdc = kerberos-3.srv.cs.cmu.edu
    admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
    kdc = kerberos.dementix.org
    kdc = kerberos2.dementix.org
    admin_server = kerberos.dementix.org
}
stanford.edu = {
    kdc = krb5auth1.stanford.edu
    kdc = krb5auth2.stanford.edu
    kdc = krb5auth3.stanford.edu
    master_kdc = krb5auth1.stanford.edu
    admin_server = krb5-admin.stanford.edu
    default_domain = stanford.edu
}
UTORONTO.CA = {
    kdc = kerberos1.utoronto.ca
    kdc = kerberos2.utoronto.ca
    kdc = kerberos3.utoronto.ca
    admin_server = kerberos1.utoronto.ca
    default_domain = utoronto.ca
}

[domain_realm]
# NOTE(review): no mapping for domain.test / .domain.test; the library presumably
# falls back to the upper-cased DNS domain — confirm, or add the mapping explicitly.
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
###################### sssd.conf ######################
[sssd]
domains = domain.test
config_file_version = 2
services = nss, pam
# Maximum verbosity; fine while troubleshooting, but lower it afterwards since it
# records user and request details on every call.
debug_level = 10

[domain/domain.test]
debug_level = 10
# ad_domain defaults to the section name, so the commented line is equivalent.
# ad_domain = domain.test
krb5_realm = DOMAIN.TEST
realmd_tags = manages-system joined-with-adcli
# The ad access provider also enforces AD account state (disabled/expired accounts).
access_provider = ad
auth_provider = ad
id_provider = ad
ldap_id_mapping = True
#
# cache_credentials = True
# krb5_store_password_if_offline = True
# use_fully_qualified_names = False
default_shell = /bin/bash
fallback_homedir = /home/%u@%d

[pam]
debug_level = 10
# NOTE(review): the attached krb5_child.log is a PREAUTH request (cmd [249], "Will
# perform pre-auth") that ends with "completed successfully"; the "Cannot handle
# password prompts" lines there belong to that probing phase, so the failing
# AUTHENTICATE attempt is not in it. A successful kinit only proves the krb5 side;
# this path additionally needs the card certificate mapped to the AD user (by
# default via the user's certificate attribute in AD) — presumably the one-minute
# wait before the password fallback comes from that step; check sssd_pam.log and
# p11_child.log to confirm.
pam_cert_auth = True
####################### krb5-child.log #######################
Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [main] (0x0400): krb5_child started. (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [unpack_buffer] (0x1000): total buffer size: [152] (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [unpack_buffer] (0x0100): cmd [249] uid [270401103] gid [270400513] validate [true] enterprise principal [true] offline [false] UPN [test_user@DOMAIN.TEST] (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:270401103] old_ccname: [KEYRING:persistent:270401103] keytab: [/etc/krb5.keytab] (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [check_use_fast] (0x0100): Not using FAST. (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [become_user] (0x0200): Trying to become user [270401103][270400513]. (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [main] (0x2000): Running as [270401103][270400513]. (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested. (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [set_lifetime_options] (0x0100): No specific lifetime requested. (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true] (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [main] (0x0400): Will perform pre-auth (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [tgt_req_child] (0x1000): Attempting to get a TGT (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [DOMAIN.TEST] (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874510: Getting initial credentials for test_user@DOMAIN.TEST@DOMAIN.TEST
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874512: Sending unauthenticated request
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874513: Sending request (229 bytes) to DOMAIN.TEST
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874514: Sending initial UDP request to dgram 10.0.0.3:88
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874515: Received answer (197 bytes) from dgram 10.0.0.3:88
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874516: Response was from master KDC
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874517: Received error from KDC: -1765328359/Additional pre-authentication required
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874520: Preauthenticating using KDC method data
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874521: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874522: Selected etype info: etype aes256-cts, salt "DOMAIN.TESTtest_user", params ""
(Mon Jan 18 17:44:15 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_responder] (0x4000): Got question [pkinit]. (Mon Jan 18 17:44:15 2021) [[sssd[krb5_child[75227]]]] [answer_pkinit] (0x4000): [0] Identity [PKCS11:module_name=/lib/libsadaptor.so:slotid=2:token=Crypto Token] flags [0]. (Mon Jan 18 17:44:15 2021) [[sssd[krb5_child[75227]]]] [answer_pkinit] (0x4000): Setting pkinit_prompting. (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL. (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Crypto Token PIN]. (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts. (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984656.291326: PKINIT client has no configured identity; giving up
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984656.291327: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984656.291328: PKINIT client ignoring draft 9 offer from RFC 4556 KDC
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984656.291329: Preauth module pkinit (15) (real) returned: -1765328360/Preauthentication failed
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL. (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for test_user@DOMAIN.TEST@DOMAIN.TEST]. (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts. (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984656.291330: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_get_init_creds_password] (0x0020): 1627: [-1765328174][Pre-authentication failed: Preauthentication failed] (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [-1765328174] during pre-auth. (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [k5c_send_data] (0x0200): Received error code 0 (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [pack_response_packet] (0x2000): response packet size: [12] (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [k5c_send_data] (0x4000): Response sent. (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [main] (0x0400): krb5_child completed successfully