[Freeipa-users] RHEL 6.9 AD Smart Card login
Sumit Bose
sbose at redhat.com
Fri Apr 7 08:35:12 UTC 2017
On Thu, Apr 06, 2017 at 06:36:43PM +0000, spammewoods at cox.net wrote:
> I have created a two way trust between my IDM server and Active Directory.
> I have been able to successfully get RHEL 7.3 IDM server and RHEL 7.3 IDM
> clients to allow Active Directory login using CAC smart cards into Gnome.
> I'm using SSSD for the smart card login process instead of authconfig and
> pkcs11. I'm currently trying to get the same thing working for RHEL 6.9,
> but I have not been able to get it to work. The latest version of SSSD on
> RHEL 6.9 is 1.13.3 and from my understanding I need to have at least 1.14.0
> for SSSD to handle AD smart card logins. So, I have tried to configure
The Smartcard authentication feature was backported to RHEL-6.9.
Please note that the GDM Smartcard feature must be configured
differently in RHEL6 than in RHEL7; details for RHEL-6.9 can e.g. be found
in https://bugzilla.redhat.com/show_bug.cgi?id=1300421#c13
HTH
bye,
Sumit
> pam_pkcs11.conf file to use the pwent mapper to link the Common Name (CN) to
> the Active Directory User account. I have created a User ID Override for
> the AD user and added the CN name from the Certificate on the smart card into
> the GECOS field. I also have added all three certificates from the CAC
> smart card into the User ID Override.
>
> When I try and log in, I get this error message in /var/log/secure:
> Apr 6 13:21:57 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): pam_get_pwd() failed: Conversation error
> Apr 6 13:22:17 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): find_user() failed: on cert #1
> Apr 6 13:22:17 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): find_user() failed: on cert #2
> Apr 6 13:22:17 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): no valid certificate which meets all requirements found
>
> Here are some details:
> IDM Domain: idm.domain.local
> Windows Domain: domain.local
> RHEL 7.3 IDM Server: site-idm01.idm.domain.local
> RHEL 6.9 IDM Client : site-lws05.idm.domain.local
>
> When I run the getent command on local accounts and IDM accounts I get user
> details, but when I run the command on AD accounts it doesn't find them.
> So, I'm wondering if that's why it's not finding the CN name in the GECOS
> field. I'm trying to avoid using the cn_map on the clients, because we
> have a large amount of users and that's a lot of extra work to manage that
> file. That's why I wanted to use the pwent mapper.
> Here is my SSSD config file from the RHEL 6.9 client:
> [domain/idm.domain.local]
> override_shell = /bin/bash
> debug_level = 9
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = idm.domain.local
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = site-lws05.idm.domain.local
> chpass_provider = ipa
> ipa_server = _srv_, site-idm01.idm.domain.local
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> debug_level = 9
> services = nss, sudo, pam, ssh, ifp
> domains = idm.domain.local
> certificate_verification = no_ocsp
> ldap_user_certificate = userCertificate;binary
> [nss]
> debug_level = 9
> homedir_substring = /home
> [pam]
> debug_level = 9
> pam_cert_auth = True
> [sudo]
> debug_level = 9
> [autofs]
> debug_level = 9
> [ssh]
> debug_level = 9
> [pac]
> debug_level = 9
> [ifp]
> debug_level = 9
>
> Here is my nsswitch file from the RHEL 6.9 client:
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Valid entries include:
> #
> # nisplus Use NIS+ (NIS version 3)
> # nis Use NIS (NIS version 2), also called YP
> # dns Use DNS (Domain Name Service)
> # files Use the local files
> # db Use the local database (.db) files
> # compat Use NIS on compat mode
> # hesiod Use Hesiod for user lookups
> # [NOTFOUND=return] Stop searching if not found so far
> #
> # To use db, put the "db" in front of "files" for entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd: db files nisplus nis
> #shadow: db files nisplus nis
> #group: db files nisplus nis
> passwd: files sss
> shadow: files sss
> group: files sss
> #hosts: db files nisplus nis dns
> hosts: files dns
> # Example - obey only what nisplus tells us...
> #services: nisplus [NOTFOUND=return] files
> #networks: nisplus [NOTFOUND=return] files
> #protocols: nisplus [NOTFOUND=return] files
> #rpc: nisplus [NOTFOUND=return] files
> #ethers: nisplus [NOTFOUND=return] files
> #netmasks: nisplus [NOTFOUND=return] files
> bootparams: nisplus [NOTFOUND=return] files
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files sss
> netgroup: files sss
> publickey: nisplus
> automount: files sss
> aliases: files nisplus
> sudoers: files sss
>
> Here is my system-auth from the RHEL 6.9 client:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
> auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so card_only
> auth sufficient pam_fprintd.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_sss.so use_first_pass
> auth required pam_deny.so
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_oddjob_mkhomedir.so umask=0077
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
>
> Here is my password-auth from the RHEL 6.9 client:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_sss.so use_first_pass
> auth required pam_deny.so
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_oddjob_mkhomedir.so umask=0077
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
>
> Here is my smartcard-auth from the RHEL 6.9 client:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
> auth required pam_deny.so
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
> password required pam_pkcs11.so
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_oddjob_mkhomedir.so umask=0077
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
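The poster's pam_pkcs11 setup relies on the pwent mapper, which maps a certificate to a login by comparing the certificate's CN with the pw_name and pw_gecos fields of the passwd entries it can see. The script below is an added example, not code from the thread, pam_pkcs11 or SSSD: it replays that lookup against constructed `getent passwd` output and constructed CAC-style subject DNs, first with the AD trust user missing from NSS (the situation reported above, reproducing the "find_user() failed" / "no valid certificate" sequence from /var/log/secure) and then with a constructed line for the AD user carrying the override's GECOS. All user names, UIDs and DNs are made up. One caveat worth checking on a real client: pwent walks getpwent(), and SSSD only serves users through getpwent() when `enumerate = True` is set for the domain (the default is false), so a user that `getent passwd <name>` resolves is not necessarily one the pwent mapper will ever see.

```python
"""Added example (not pam_pkcs11/SSSD code): replay pam_pkcs11's pwent mapper
against constructed `getent passwd` output. Names, DNs and passwd lines are
constructed; the matching rule (certificate CN equals pw_name or pw_gecos of
some passwd entry) follows the pam_pkcs11 documentation."""
from typing import List, NamedTuple, Optional, Sequence, Tuple

# Constructed `getent passwd` output on the RHEL 6.9 client: local users plus one
# IPA user with a certificate CN in GECOS. The AD trust user is absent, mirroring
# the report that getent does not resolve AD accounts there.
GETENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
localadmin:x:500:500:Local Admin:/home/localadmin:/bin/bash
ipauser:*:1895200001:1895200001:DOE.JOHN.1234567890:/home/ipauser:/bin/bash
"""
# Constructed passwd line for the AD user as SSSD would present it once the
# trust lookup works and the ID override's GECOS (the card's CN) is applied.
AD_USER_LINE = ("jdoe@domain.local:*:1234567890:1234567890:"
                "DOE.JANE.0987654321:/home/domain.local/jdoe:/bin/bash\n")
# Constructed subject DN shared by the three certificates on a CAC-style card.
CAC_SUBJECT = "CN=DOE.JANE.0987654321,OU=CONTRACTOR,OU=PKI,OU=DoD,O=U.S. Government,C=US"
CARD_CERT_SUBJECTS = [CAC_SUBJECT] * 3


class PasswdEntry(NamedTuple):
    name: str
    gecos: str


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 string DN into (type, value) pairs, honouring
    backslash escapes such as "\\," (hex escapes and '+' RDNs are not handled)."""
    rdns: List[Tuple[str, str]] = []
    attr: List[str] = []
    value: List[str] = []
    in_value, i = False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and in_value:  # escaped character: take it literally
            value.append(dn[i + 1:i + 2])
            i += 2
            continue
        if ch == "=" and not in_value:
            in_value = True
        elif ch == "," and in_value:  # end of this RDN
            rdns.append(("".join(attr).strip().upper(), "".join(value).strip()))
            attr, value, in_value = [], [], False
        elif in_value:
            value.append(ch)
        else:
            attr.append(ch)
        i += 1
    if attr or value:
        rdns.append(("".join(attr).strip().upper(), "".join(value).strip()))
    return rdns


def subject_cn(dn: str) -> Optional[str]:
    """First CN value of a subject DN, or None if there is none."""
    return next((v for a, v in parse_dn(dn) if a == "CN"), None)


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5)-format lines such as `getent passwd` prints."""
    entries: List[PasswdEntry] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        entries.append(PasswdEntry(fields[0], fields[4]))
    return entries


def pwent_map(cn: str, entries: Sequence[PasswdEntry], ignorecase: bool = False) -> Optional[str]:
    """pwent mapper rule: walk every passwd entry (what getpwent() yields) and
    return the login whose pw_name or pw_gecos equals the certificate CN."""
    def same(a: str, b: str) -> bool:
        return a.lower() == b.lower() if ignorecase else a == b
    for entry in entries:
        if same(cn, entry.name) or same(cn, entry.gecos):
            return entry.name
    return None


def map_card(subjects: Sequence[str], entries: Sequence[PasswdEntry],
             ignorecase: bool = False) -> Tuple[Optional[str], List[str]]:
    """Try the card's certificates in order, producing messages shaped like
    the pam_pkcs11 lines in /var/log/secure."""
    messages: List[str] = []
    for n, subject in enumerate(subjects, start=1):
        cn = subject_cn(subject)
        login = pwent_map(cn, entries, ignorecase) if cn else None
        if login:
            messages.append("cert #%d mapped to user %s" % (n, login))
            return login, messages
        messages.append("find_user() failed: on cert #%d" % n)
    messages.append("no valid certificate which meets all requirements found")
    return None, messages


if __name__ == "__main__":
    print(map_card(CARD_CERT_SUBJECTS, parse_passwd(GETENT_PASSWD)))
    print(map_card(CARD_CERT_SUBJECTS, parse_passwd(GETENT_PASSWD + AD_USER_LINE)))
```

Run it as-is to see the failing lookup followed by the successful one. The `ignorecase` flag mirrors the pwent mapper's `ignorecase` option: without it the CN must match the GECOS value byte for byte, so a CN copied into the ID override with different capitalisation fails exactly like a missing user does.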