Hello everyone.
I'm trying to configure smart card login of active directory users on an ubuntu machine. I'm following this guide: https://scriptech.io/linux-enable-smartcard-authentication-against-active-di...
But for me the opensc library cannot talk with my card, and I'm using a library that my card provider gave me. My issue right now is that `p11_child --pre --nssdb=/etc/pki/nssdb` fails to pull the certificate from my smart card.
I'm able to log in with AD users and their smart cards using `kinit` and `ksu`, so I know the cards are okay.
What's weird to me is that `modutil -list` shows slot 0 as empty and slot 1 as not empty, and then `p11_child --pre` doesn't try to use slot 1. Maybe p11_child thinks that if slot 0 is empty then slot 1 must be empty too?
Please help!
Here are the relevant logs:

```
# modutil -dbdir nssdb -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library
       slots: 2 slots attached
      status: loaded

        slot: NSS Internal Cryptographic Services
       token: NSS Generic Crypto Services
         uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

        slot: NSS User Private Key and Certificate Services
       token: NSS Certificate DB
         uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. MyTest
      library name: mylib.so
         uri: pkcs11:library-manufacturer=Boring%20Ent.;library-description=Cryptokit%20Extended%20Version;libversion=5.3
       slots: 2 slots attached
      status: loaded

        slot: [EMPTY]
       token:
         uri: pkcs11:

        slot: Athena ASE IIIe (SBR069-00000) 00 00
       token: 918
         uri: pkcs11:token=918;manufacturer=Boring%20Ent.;serial=0349B7D30E11024G;model=PKISmartCard%20(A)
```

```
# p11_child --pre --nssdb=nssdb -d=9
[main] (0x0400): p11_child started.
[main] (0x2000): Running in [pre-auth] mode.
[main] (0x2000): Running with effective IDs: [0][0].
[do_card] (0x4000): Default Module List:
[do_card] (0x4000): common name: [NSS Internal PKCS #11].
[do_card] (0x4000): dll name: [(null)].
[do_card] (0x4000): common name: [MyTest].
[do_card] (0x4000): dll name: [libsadaptor.so].
[do_card] (0x4000): Dead Module List:
[do_card] (0x4000): DB Module List:
[do_card] (0x4000): common name: [NSS Internal Module].
[do_card] (0x4000): dll name: [(null)].
[do_card] (0x4000): Description [NSS Internal Cryptographic Services Mozilla Foundation] Manufacturer [Mozilla Foundation] flags [9] removable [false] token present [true].
[do_card] (0x4000): Description [NSS User Private Key and Certificate Services Mozilla Foundation] Manufacturer [Mozilla Foundation] flags [1] removable [false] token present [true].
[do_card] (0x4000): Description [[EMPTY] Boring Ent.] Manufacturer [Boring Ent.] flags [2] removable [true] token present [false].
[do_card] (0x4000): Token not present.
[main] (0x0040): do-work failed.
[main] (0x0020): p11_child failed!
```
Hello,
this looks very similar to a recent thread "Can't login with smartcard" - `libsadaptor.so` (on Ubuntu) again. Can you provide any details about this module? I wasn't able to find anything.
> What's weird to me is that `modutil -list` shows slot 0 as empty and slot 1 as not empty, and then `p11_child --pre` doesn't try to use slot 1.
I think you hit a known issue: https://github.com/SSSD/sssd/issues/5025 Could you please check if a work around described in the "Comment from sbose at 2019-08-06 11:09:19" helps?
On Tue, Mar 16, 2021 at 9:39 PM Assaf Morami assaf.morami@gmail.com wrote:
I don't really know much about it. I think it's a library by Motorola that was given to my employer.
Am I correct that the 1st empty slot makes it not continue to check the 2nd slot? Is it solvable with -rawadd maybe, or does it mandate a code change to the p11_child binary?
Alexey thanks for the reference! I'll make sure to try it. 🚀
BTW, I think this behavior is caused by this sequence of 3 conditions: https://github.com/SSSD/sssd/blob/c7733c44411aadc45dd3f209551a78c2609fa9a3/s...
The code doesn't hit `continue` in the first condition because we don't see the `"Not matching URI [%s], skipping.\n"` string in the log above. It's not relevant, but I'm not sure if `uri` is NULL here. I think it gets its value from here because I don't pass the `--uri` option on the CLI: https://github.com/SSSD/sssd/blob/c7733c44411aadc45dd3f209551a78c2609fa9a3/s....
It also doesn't enter the second condition because the token isn't present in slot #0.
So then we get to the third condition, and it is a removable device, so we hit `break` and never go over slot #1.
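As an added example (not SSSD's code and not part of this thread), here is a small Python model of the three checks traced above, with the loop as described beside a version that keeps going past an empty removable slot. The real loop lives in the linked `p11_child` source and uses NSS slot APIs and p11-kit URI matching; here `uri_matches` is a simplified stand-in, the slot data is constructed from the `modutil` and `p11_child` output in the thread, the flags of the second (Athena) slot are an assumption because `p11_child` never got far enough to log them, and the NSS-internal softoken slots are left out of the model.

```python
from dataclasses import dataclass, field

# CK_SLOT_INFO.flags bits as defined by the PKCS#11 specification.
CKF_TOKEN_PRESENT = 0x1
CKF_REMOVABLE_DEVICE = 0x2
CKF_HW_SLOT = 0x4


@dataclass
class Slot:
    """One PKCS#11 slot: the description/manufacturer/flags that p11_child
    logs, plus the RFC 7512 token attributes a URI filter is matched against."""
    description: str
    manufacturer: str
    flags: int
    token_attrs: dict = field(default_factory=dict)

    @property
    def token_present(self) -> bool:
        return bool(self.flags & CKF_TOKEN_PRESENT)

    @property
    def removable(self) -> bool:
        return bool(self.flags & CKF_REMOVABLE_DEVICE)


def uri_matches(uri_attrs: dict, slot: Slot) -> bool:
    """Simplified pkcs11: URI match (stand-in for the real p11-kit matching):
    every attribute in the filter must equal the token's attribute."""
    return all(slot.token_attrs.get(k) == v for k, v in uri_attrs.items())


def pick_slot_old(slots, uri_attrs=None):
    """The three checks in the order the thread describes: skip slots whose
    token does not match the URI, take the first slot holding a token, and
    otherwise stop at the first removable slot, even though it is empty."""
    for slot in slots:
        if uri_attrs and not uri_matches(uri_attrs, slot):
            continue                      # "Not matching URI [...], skipping."
        if slot.token_present:
            return slot
        if slot.removable:
            break                         # empty removable slot ends the search
    return None


def pick_slot_fixed(slots, uri_attrs=None):
    """Same URI filter, but an empty removable slot no longer ends the search;
    the first matching slot with a token anywhere in the list wins."""
    for slot in slots:
        if uri_attrs and not uri_matches(uri_attrs, slot):
            continue
        if slot.token_present:
            return slot
    return None


def demo_slots():
    """Constructed from the modutil/p11_child output in the thread. The flags
    of the second slot are assumed (token present, removable, hardware)."""
    return [
        Slot("[EMPTY]", "Boring Ent.", CKF_REMOVABLE_DEVICE),
        Slot("Athena ASE IIIe (SBR069-00000) 00 00", "Boring Ent.",
             CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE | CKF_HW_SLOT,
             {"token": "918", "manufacturer": "Boring Ent.",
              "serial": "0349B7D30E11024G", "model": "PKISmartCard (A)"}),
    ]


if __name__ == "__main__":
    slots = demo_slots()
    print("old loop, no URI:   ", pick_slot_old(slots))
    print("old loop, token=918:", pick_slot_old(slots, {"token": "918"}))
    print("fixed loop, no URI: ", pick_slot_fixed(slots))
```

Run stand-alone, the old loop returns nothing for the two-slot list (it breaks at `[EMPTY]`, which is exactly the "Token not present" outcome in the log), while the fixed loop returns the Athena slot. The model also shows why a URI filter changes the picture: with `{"token": "918"}` the empty slot fails the first check and is skipped with `continue`, so even the old loop reaches slot 1.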
For future wanderers, this PR fixes the issue: https://github.com/SSSD/sssd/pull/5705 And this patch fixes the issue on older versions that still support NSS: https://github.com/SSSD/sssd/pull/5705#issuecomment-880421092