[Freeipa-users] RHEL 6.9 AD Smart Card login
spammewoods at cox.net
spammewoods at cox.net
Thu Apr 6 18:36:43 UTC 2017
I have created a two way trust between my IDM server and Active
Directory. I have been able to successful get RHEL 7.3 IDM server and
RHEL 7.3 IDM clients to allow Active Directory login using CAC smart
cards into Gnome. I'm using SSSD for the smart card login process
instead of authconfig and pkcs11. I'm currently trying to get the same
thing working for RHEL 6.9, but I have not been able to get it to work.
The latest version of SSSD on RHEL 6.9 is 1.13.3 and from my
understanding I need to have at least 1.14.0 for SSSD to handle AD smart
card logins. So, I have tried to configure pam_pkcs11.conf file to
use the pwent mapper to link the Common Name (CN) to the Active
Directory User account. I have created an User ID Override for the AD
user and added CN name from the Certificate on the smart card into the
GECOS field. I also have added all three certificates from the CAC
smart card into the User ID Override.
When I try and log in, I get this error message in /var/log/secure:
Apr 6 13:21:57 site-lws05 pam: gdm-smartcard:
pam_pkcs11(gdm-smartcard:auth): pam_get_pwd() failed: Conversation error
Apr 6 13:22:17 site-lws05 pam: gdm-smartcard:
pam_pkcs11(gdm-smartcard:auth): find_user() failed: on cert #1
Apr 6 13:22:17 site-lws05 pam: gdm-smartcard:
pam_pkcs11(gdm-smartcard:auth): find_user() failed: on cert #2
Apr 6 13:22:17 site-lws05 pam: gdm-smartcard:
pam_pkcs11(gdm-smartcard:auth): no valid certificate which meets all
requirements found
Here is the some details:
IDM Domain: idm.domain.local
Windows Domain: domain.local
RHEL 7.3 IDM Server: site-idm01.idm.domain.local
RHEL 6.9 IDM Client : site-lws05.idm.domain.local
When I run the getent command on local accounts and IDM accounts I get
user details, but when I run the command on AD accounts it doesn't find
them. So, I'm wondering if that's why its not finding the CN name in
the GECOS field. I'm trying to avoid using the cn_map on the clients,
because we have a large amount of users and thats alot of extra work to
manage that file. That's why I wanted to use the pwent mapper.
Here is my SSSD config file from the RHEL 6.9 client:
[domain/idm.domain.local]
override_shell = /bin/bash
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = idm.domain.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = site-lws05.idm.domain.local
chpass_provider = ipa
ipa_server = _srv_, site-idm01.idm.domain.local
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
debug_level = 9
services = nss, sudo, pam, ssh, ifp
domains = idm.domain.local
certificate_verification = no_ocsp
ldap_user_certificate = userCertificate;binary
[nss]
debug_level = 9
homedir_substring = /home
[pam]
debug_level = 9
pam_cert_auth = True
[sudo]
debug_level = 9
[autofs]
debug_level = 9
[ssh]
debug_level = 9
[pac]
debug_level = 9
[ifp]
debug_level = 9
Here is my nssswitch file from the RHEL 6.9 client:
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files sss
shadow: files sss
group: files sss
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
sudoers: files sss
Here is my system-auth from the RHEL 6.9 client:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [success=1 default=ignore] pam_succeed_if.so service notin
login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet
use_uid
auth [success=done authinfo_unavail=ignore ignore=ignore
default=die] pam_pkcs11.so card_only
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok
try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Here is my password-auth from the RHEL 6.9 client:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok
try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Here is my smartcard-auth from the RHEL 6.9 client:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [success=done ignore=ignore default=die] pam_pkcs11.so
wait_for_card card_only
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password required pam_pkcs11.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
More information about the Freeipa-users
mailing list