On Mon, May 18, 2020 at 02:09:38PM -0000, Gunnar Hilling wrote:
> I'm trying to set up smart card authentication using sssd with user's info stored
> in active directory.
> The setup is already working but the authentication is only locally. As I understand it
> should be possible to acquire a kerberos ticket during authentication?
> Is there a working example for such a setup?
> I'm not really sure how krb5.conf should actually be configured...
'pkinit_anchors' is most important and should point to the CA certificate
bundles in PEM format which contain all needed certificates to validate
the user certificate and the AD DC certificate. Typically the CA
certificate for the latter is the CA certificate of the AD Certificate

With AD I would suggest to start with 'pkinit_eku_checking = none' and
'pkinit_kdc_hostname' should be added multiple times with the
fully-qualified name of every AD DC you are expecting a reply from.

If you set 'debug_level = 9' in the [domain/...] section of sssd.conf
the krb5_child.log file will contain some tracing information which
might tell you where PKINIT got stuck.
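The krb5.conf and sssd.conf fragments the reply describes, written out as an added example (not from the thread or the sssd project); the realm EXAMPLE.COM, the two DC hostnames and the bundle path are assumed.

```ini
# /etc/krb5.conf (added example; realm, DC names and paths are assumed)
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        kdc = dc2.example.com
        # PEM bundle holding every CA needed to validate both the user
        # certificate chain and the AD DC (KDC) certificate; for the DC
        # that is normally the AD Certificate Services CA.
        pkinit_anchors = FILE:/etc/pki/ca-trust/source/anchors/ad-ca-bundle.pem
        # 'none' skips the KDC certificate EKU check entirely, as the reply
        # suggests for getting started. Once PKINIT works, 'kpServerAuth'
        # still checks the EKU but accepts the Server Authentication EKU
        # that AD DC certificates carry instead of the PKINIT KDC EKU.
        pkinit_eku_checking = none
        # One entry per DC that may answer; each must match the name in
        # that DC's certificate, or the KDC reply is rejected.
        pkinit_kdc_hostname = dc1.example.com
        pkinit_kdc_hostname = dc2.example.com
    }

# /etc/sssd/sssd.conf (only the tracing setting from the reply)
[domain/example.com]
    debug_level = 9
```

With debug_level = 9 set, the PKINIT trace lands in /var/log/sssd/krb5_child.log; revert to the normal level once the failing step is found.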
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org