Hello,
this looks very similar to a recent thread "Can't login with
smartcard" - `libsadaptor.so` (on Ubuntu) again.
Can you provide any details about this module? I wasn't able to find anything.
What's weird to me is that `modutil -list` shows slot 0 as empty
and slot 1 as not empty, and then `p11_child --pre` doesn't try to use slot 1.
I think you hit a known issue:
https://github.com/SSSD/sssd/issues/5025
Could you please check if a work around described in the "Comment from
sbose at 2019-08-06 11:09:19" helps?
On Tue, Mar 16, 2021 at 9:39 PM Assaf Morami <assaf.morami(a)gmail.com> wrote:
Hello everyone.
I'm trying to configure smart card login of active directory users on an ubuntu
machine.
I'm following this guide:
https://scriptech.io/linux-enable-smartcard-authentication-against-active...
But for me the opensc library cannot talk with my card and I'm using a library that
my card provider gave my. My issue right now is that `p11_child --pre
--nssdb=/etc/pki/nssdb` fails to pull the certificate from my smart card.
I'm able to log in with AD users and their smart cards using `kinit` and `ksu`, so I
know the cards are okay.
What's weird to me is that `modutil -list` shows slot 0 as empty and slot 1 as not
empty, and then `p11_child --pre` doesn't try to use slot 1. Maybe p11_child thinks
that if slot 0 is empty then slot 1 must be empty too?
Please help!
Here are the relevant logs:
```
# modutil -dbdir nssdb -list
Listing of PKCS #11 Modules
----------------------------------------------------
1. NSS Internal #11 Module
uri: pkcs11: library-manufacturer=Mozilla%20Foundation;
library-description=NSS%20Internal%20Crypto%20Services;library
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
uri:
pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;
serial=0000000000000000;model=NSS%203
2. MyTest
library name: mylib.so
uri:
pkcs11:library-manufacturer=Boring%20Ent.;library-description=Cryptokit%20Extended%20Version;libversion=5.3
slots: 2 slots attached
status: loaded
slot: [EMPTY]
token:
uri: pkcs11:
slot: Athena ASE IIIe (SBR069-00000) 00 00
token: 918
uri:
pkcs11:token=918;manufacturer=Boring%20Ent.;serial=0349B7D30E11024G;model=PKISmartCard%20(A)
```
```
# p11_child --pre --nssdb=nssdb -d=9
[main] (0x0400): p11_child started.
[main] (0x2000): Running in [pre-auth] mode.
[main] (0x2000): Running with effective IDs: [0][0].
[do_card] (0x4000): Default Module List:
[do_card] (0x4000): common name: INSS Internal PKCS #11
[do_card] (0x4000): dll name: [(null)).
[do_card] (0x4000): common name: [MyTest]
[do_card] (0x4000): dll name: [Libsadaptor.so].
[do_card] (0x4000): Dead Module List:
[do_card] (0x4000): DB Module List:
[do_card] (ex4000): common name: [NSS Internal Module].
[do_card] (0x4000): dll name: [(null)].
[do_card] (0x4000): Description [NSS Internal Cryptographic Services Mozilla Foundation]
Manufacturer [Mozilla Foundation] flags [9] removable [false] token present [true].
[do_card] (0x4000): Description [NSS User Private Key and Certificate Services Mozilla
Foundation] Manufacturer [Mozilla Foundation] flags [1] removable [false] token present
[true].
[do_card] (0x4000): Description [[EMPTY] Boring Ent.] Manufacturer [Boring Ent.] flags
[2] removable [true] token present [false].
[do_card] (0x4000): Token not present.
[main] (0x0040): do-work failed.
[main] (Ox0020): p11_child failed!
```
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure