Hello all.
I have CentOS 7.6 with the latest updates. After using realmd, authentication of AD users
with a password works well.
I am trying to use smartcards to authenticate users from AD on the Linux machines.
After a lot of googling I can use PKINIT to get Kerberos tickets for a user by using a
smartcard and a PIN code. This is my krb5.conf:
# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = "Domain"
 pkinit_anchors = FILE:/etc/pki/nssdb/ca.cer
 pkinit_identities = PKCS11:/usr/lib64/libeTPkcs11.so
 pkinit_eku_checking = kpServerAuth
 pkinit_kdc_hostname = "Domain controller1"
 pkinit_kdc_hostname = "Domain controller2"
 pkinit_kdc_hostname = "Domain controller3"
 canonicalize = True

[realms]
 "Domain" = {
  kdc = "Domain controller1"
  kdc = "Domain controller2"
  kdc = "Domain controller3"
  admin_server = "Domain controller1"
  default_domain = "Domain"
 }

[domain_realm]
 domain = DOMAIN
 .domain = DOMAIN
I put this section inside sssd.conf:
[pam]
pam_cert_auth = true
I think that the next step will be to configure the pam.d files, but at this step I met some
problems.
Maybe somebody can send me working files from pam.d?
What is the next step to set up authentication for GNOME Desktop on CentOS 7.6?
P.S. "authconfig --enablesssd --enablesssdauth --enablesmartcard
--smartcardmodule=sssd --smartcardaction=1 --updateall" doesn't work well for me.