Eventually I've got a working setup with PKINIT, Smartcard and sssd 1.15.2 in a
Ubuntu/Unity-Environment. However, login fails, if both krb5 kdc and ldap id provider are
offline. Is offline mode for smartcard authentication vs kerberos supposed to work at all
in sssd or are there more requirements to be met than those already mentioned here?
Especially, are there any requirements on the subject dn in the certificate? I am looking
at an error message in the logs that is only there in offline mode:
sssd_pam.log:(Tue Jun 6 15:52:57 2017) [sssd[pam]] [pam_dom_forwarder] (0x0400): User and
certificate user do not match, continue with other authentication methods.
As for Kerberos the subject of the certificate has no meaning, the kerberos principal name
is encoded as an subject alternative name id-pki-san extension. So we did not choose
anything special for the subject name of the certificates.