[Freeipa-users] RHEL 6.9 AD Smart Card login

Sumit Bose sbose at redhat.com
Fri Apr 7 08:35:12 UTC 2017


On Thu, Apr 06, 2017 at 06:36:43PM +0000, spammewoods at cox.net wrote:
> I have created a two way trust between my IDM server and Active Directory.
> I have been able to successfully get RHEL 7.3 IDM server and RHEL 7.3 IDM
> clients to allow Active Directory login using CAC smart cards into Gnome.
> I'm using SSSD for the smart card login process instead of authconfig and
> pkcs11.   I'm currently trying to get the same thing working for RHEL 6.9,
> but I have not been able to get it to work. The latest version of SSSD on
> RHEL 6.9 is 1.13.3 and from my understanding I need to have at least 1.14.0
> for SSSD to handle AD smart card logins.    So,  I have tried to configure

The Smartcard authentication feature was backported to RHEL-6.9.

Please note that the GDM Smartcard feature must be configured
differently in RHEL6 than in RHEL7, details for RHEL-6.9 can e.g. be found
in https://bugzilla.redhat.com/show_bug.cgi?id=1300421#c13

HTH

bye,
Sumit

> pam_pkcs11.conf file to use the pwent mapper to link the Common Name (CN) to
> the Active Directory User account.   I have created an User ID Override for
> the AD user and  added CN name from the Certificate on the smart card into
> the GECOS field.   I also have added all three certificates from the CAC
> smart card into the User ID Override.
> 
> When I try and log in,  I get this error message in /var/log/secure:
> Apr  6 13:21:57 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): pam_get_pwd() failed: Conversation error
> Apr  6 13:22:17 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): find_user() failed:  on cert #1
> Apr  6 13:22:17 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): find_user() failed:  on cert #2
> Apr  6 13:22:17 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): no valid certificate which meets all requirements found
> 
> Here are some details:
> IDM Domain: idm.domain.local
> Windows Domain: domain.local
> RHEL 7.3 IDM Server: site-idm01.idm.domain.local
> RHEL 6.9 IDM Client : site-lws05.idm.domain.local
> 
> When I run the getent command on local accounts and IDM accounts I get user
> details,  but when I run the command on AD accounts it doesn't find them.
> So,  I'm wondering if that's why it's not finding the CN name in the GECOS
> field.    I'm trying to avoid using the cn_map on the clients, because we
> have a large number of users and that's a lot of extra work to manage that
> file.    That's why I wanted to use the pwent mapper.
> Here is my SSSD config file from the RHEL 6.9 client:
> [domain/idm.domain.local]
> override_shell = /bin/bash
> debug_level = 9
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = idm.domain.local
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = site-lws05.idm.domain.local
> chpass_provider = ipa
> ipa_server = _srv_, site-idm01.idm.domain.local
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> debug_level = 9
> services = nss, sudo, pam, ssh, ifp
> domains = idm.domain.local
> certificate_verification = no_ocsp
> ldap_user_certificate = userCertificate;binary
> [nss]
> debug_level = 9
> homedir_substring = /home
> [pam]
> debug_level = 9
> pam_cert_auth = True
> [sudo]
> debug_level = 9
> [autofs]
> debug_level = 9
> [ssh]
> debug_level = 9
> [pac]
> debug_level = 9
> [ifp]
> debug_level = 9
> 
> Here is my nsswitch file from the RHEL 6.9 client:
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Valid entries include:
> #
> #       nisplus                 Use NIS+ (NIS version 3)
> #       nis                     Use NIS (NIS version 2), also called YP
> #       dns                     Use DNS (Domain Name Service)
> #       files                   Use the local files
> #       db                      Use the local database (.db) files
> #       compat                  Use NIS on compat mode
> #       hesiod                  Use Hesiod for user lookups
> #       [NOTFOUND=return]       Stop searching if not found so far
> #
> # To use db, put the "db" in front of "files" for entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd:    db files nisplus nis
> #shadow:    db files nisplus nis
> #group:     db files nisplus nis
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> #hosts:     db files nisplus nis dns
> hosts:      files dns
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
> bootparams: nisplus [NOTFOUND=return] files
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
> netgroup:   files sss
> publickey:  nisplus
> automount:  files sss
> aliases:    files nisplus
> sudoers: files sss
> 
> Here is my system-auth from the RHEL 6.9 client:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
> auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so card_only
> auth        sufficient    pam_fprintd.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_sss.so use_first_pass
> auth        required      pam_deny.so
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
> password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_sss.so use_authtok
> password    required      pam_deny.so
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     optional      pam_oddjob_mkhomedir.so umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_sss.so
> 
> Here is my password-auth from the RHEL 6.9 client:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_sss.so use_first_pass
> auth        required      pam_deny.so
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
> password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_sss.so use_authtok
> password    required      pam_deny.so
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     optional      pam_oddjob_mkhomedir.so umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_sss.so
> 
> Here is my smartcard-auth from the RHEL 6.9 client:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
> auth        required      pam_deny.so
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
> password    required      pam_pkcs11.so
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     optional      pam_oddjob_mkhomedir.so umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_sss.so
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
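The thread contrasts two ways of mapping a card certificate to an account: the pam_pkcs11 pwent mapper, which is documented to walk the password database with getpwent() and compare the certificate CN against pw_name and pw_gecos, and SSSD's own pam_cert_auth, which looks the account up by the exact certificate stored in userCertificate (an IPA ID override can carry those blobs for an AD trust user). The following is an added example, not code from the thread, from pam_pkcs11 or from SSSD: it emulates both lookups over a constructed "passwd: files sss" chain in which the SSSD source answers getpwnam() but only enumerates when its enumerate option is on (SSSD's default is off, and IPA does not enumerate the users of a trusted AD domain). Every user, CN, UID and certificate blob below is constructed for the example; pwent_mapper() takes any iterable of passwd-style entries, so it can also be run over pwd.getpwall() on a real client.

```python
#!/usr/bin/env python3
"""Emulation of pwent-style (CN vs pw_name/pw_gecos over getpwent()) and
certificate-style (exact userCertificate blob) user mapping.  Added example;
all users, CNs and certificate bytes are constructed."""
from dataclasses import dataclass, field
from typing import Iterable, Iterator, List, Optional


@dataclass
class PwEntry:
    # Field names mirror pwd.struct_passwd so pwent_mapper() also accepts pwd.getpwall().
    pw_name: str
    pw_uid: int
    pw_gecos: str
    pw_dir: str
    pw_shell: str
    certs: List[bytes] = field(default_factory=list)  # userCertificate;binary values


class FilesSource:
    """/etc/passwd: every entry is visible to both getpwnam() and getpwent()."""

    def __init__(self, entries: Iterable[PwEntry]) -> None:
        self._by_name = {e.pw_name: e for e in entries}

    def getpwnam(self, name: str) -> Optional[PwEntry]:
        return self._by_name.get(name)

    def getpwent(self) -> Iterator[PwEntry]:
        return iter(self._by_name.values())


class SssSource:
    """SSSD: by-name lookups always work; enumeration only if enumerate_users
    (SSSD's 'enumerate' option, default False) is set."""

    def __init__(self, entries: Iterable[PwEntry], enumerate_users: bool = False) -> None:
        self._by_name = {e.pw_name.lower(): e for e in entries}  # SSSD names are case-insensitive
        self.enumerate_users = enumerate_users

    def getpwnam(self, name: str) -> Optional[PwEntry]:
        return self._by_name.get(name.lower())

    def getpwent(self) -> Iterator[PwEntry]:
        return iter(self._by_name.values()) if self.enumerate_users else iter(())

    def find_by_cert(self, der: bytes) -> Optional[PwEntry]:
        # Exact match on the certificate bytes, not on any subject field.
        return next((e for e in self._by_name.values() if der in e.certs), None)


class NssSwitch:
    """'passwd: files sss': first source answering getpwnam() wins; getpwent()
    concatenates whatever each source enumerates."""

    def __init__(self, sources) -> None:
        self.sources = sources

    def getpwnam(self, name: str) -> Optional[PwEntry]:
        for s in self.sources:
            e = s.getpwnam(name)
            if e is not None:
                return e
        return None

    def getpwent(self) -> Iterator[PwEntry]:
        for s in self.sources:
            yield from s.getpwent()


def cn_from_subject(subject: str) -> Optional[str]:
    """CN from an OpenSSL one-line subject such as '/C=US/O=.../CN=DOE.JOHN.1'."""
    for rdn in subject.split("/"):
        if rdn.upper().startswith("CN="):
            return rdn[3:]
    return None


def pwent_mapper(cn: str, entries: Iterable, ignorecase: bool = True) -> Optional[str]:
    """Login whose pw_name or pw_gecos equals the CN, scanning the given
    enumeration the way a getpwent() loop would (pam_pkcs11 'ignorecase' modelled)."""
    norm = str.lower if ignorecase else str
    for e in entries:
        if norm(cn) in (norm(e.pw_name), norm(e.pw_gecos)):
            return e.pw_name
    return None


def cert_mapper(der: bytes, sss: SssSource) -> Optional[str]:
    """Login owning exactly this certificate blob, or None."""
    e = sss.find_by_cert(der)
    return e.pw_name if e else None


# Constructed sample data: a CAC-style subject and a stand-in for its DER blob.
CARD_SUBJECT = "/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=DOE.JOHN.1234567890"
CARD_CERT_DER = b"\x30\x82constructed-der-stand-in-for-john-doe"


def build_nss(enumerate_users: bool = False):
    files = FilesSource([
        PwEntry("root", 0, "root", "/root", "/bin/bash"),
        PwEntry("alice", 500, "Alice Local", "/home/alice", "/bin/bash"),
    ])
    sss = SssSource([
        PwEntry("bob", 1001, "Bob IdM", "/home/bob", "/bin/bash"),
        # AD trust user: card CN placed in GECOS through an ID override, with all
        # three card certificates attached to the same override.
        PwEntry("jdoe@domain.local", 1000001, "DOE.JOHN.1234567890",
                "/home/domain.local/jdoe", "/bin/bash",
                certs=[b"constructed-cac-cert-1", CARD_CERT_DER, b"constructed-cac-cert-3"]),
    ], enumerate_users=enumerate_users)
    return NssSwitch([files, sss]), sss


def demo() -> dict:
    cn = cn_from_subject(CARD_SUBJECT)
    out = {}
    for enum in (False, True):
        nss, sss = build_nss(enum)
        out[f"pwent_enumerate={enum}"] = pwent_mapper(cn, nss.getpwent())
        e = nss.getpwnam("jdoe@domain.local")
        out[f"getpwnam_enumerate={enum}"] = e.pw_gecos if e else None
        out[f"cert_enumerate={enum}"] = cert_mapper(CARD_CERT_DER, sss)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With enumeration off, the getpwent() scan never sees the AD trust user even though getpwnam() resolves it with the CN in GECOS, while the certificate lookup finds it either way. On the client itself, `getent passwd` with no argument shows what getpwent() enumerates and `getent passwd jdoe@domain.local` what getpwnam() returns; `pwent_mapper(cn, pwd.getpwall())` runs the same scan against the live NSS chain.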



