[Freeipa-users] RHEL 6.9 AD Smart Card login
spammewoods at cox.net
Tue Apr 11 16:24:51 UTC 2017
I made the changes in this Bugzilla report and it's still failing.
When I click on Smartcard Authentication on the GDM login screen, I get
the error message "Authentication failure". It looks like this
Bugzilla was for IDM users using smart cards. I'm trying to use
Active Directory users and smart cards.
Here is my error log from /var/log/sssd/p11_child.log
(Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [main] (0x0400):
p11_child started.
(Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [main] (0x2000):
Running in [pre-auth] mode.
(Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [main] (0x2000):
Running with effective IDs: [0][0].
(Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [main] (0x2000):
Running with real IDs [0][0].
(Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]]
[parse_cert_verify_opts] (0x4000): Found 'no_ocsp' option, disabling
OCSP.
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): Default Module List:
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): common name: [NSS Internal PKCS #11 Module].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): dll name: [(null)].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): common name: [CoolKey PKCS #11 Module].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): dll name: [libcoolkeypk11.so].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): Dead Module List:
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): DB Module List:
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): common name: [NSS Internal Module].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): dll name: [(null)].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): common name: [Policy File].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): dll name: [(null)].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): Description [NSS User Private Key and Certificate Services
Mozilla Foundation ] Manufacturer [Mozilla Foundation
] flags [1].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): Description [NSS Internal Cryptographic Services
Mozilla Foundation ] Manufacturer [Mozilla Foundation
] flags [1].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): Description [SCM SCR 3310 00 00
Unknown ] Manufacturer [Unknown
] flags [7].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): Found [SMITH.RYAN.123456] in slot [SCM SCR 3310 00 00][1] of
module [2].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): Token is NOT friendly.
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): Trying to switch to friendly to read certificate.
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): Login required.
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x0020): Login required but no pin available, continue.
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): found cert[SMITH.RYAN.123456:PIV ID
Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): found cert[SMITH.RYAN.123456:PIV Email Signature
Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): found cert[SMITH.RYAN.123456:PIV Email Encryption
Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): Filtered certificates:
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): found cert[SMITH.RYAN.123456:PIV ID
Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): found cert[SMITH.RYAN.123456:PIV Email Signature
Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work]
(0x4000): More than one certificate found, using just the first one.
On Fri, Apr 7, 2017 at 4:35 AM, Sumit Bose wrote:
> On Thu, Apr 06, 2017 at 06:36:43PM +0000, spammewoods at cox.net wrote:
>> I have created a two way trust between my IDM server and Active Directory.
>> I have been able to successfully get RHEL 7.3 IDM server and RHEL 7.3 IDM
>> clients to allow Active Directory login using CAC smart cards into Gnome.
>> I'm using SSSD for the smart card login process instead of authconfig and
>> pkcs11. I'm currently trying to get the same thing working for RHEL 6.9,
>> but I have not been able to get it to work. The latest version of SSSD on
>> RHEL 6.9 is 1.13.3 and from my understanding I need to have at least 1.14.0
>> for SSSD to handle AD smart card logins. So, I have tried to configure
>
> The Smartcard authentication feature was backported to RHEL-6.9.
>
> Please note that the GDM Smartcard feature must be configured
> differently in RHEL6 than in RHEL7; details for RHEL-6.9 can e.g. be
> found in https://bugzilla.redhat.com/show_bug.cgi?id=1300421#c13
>
> HTH
>
> bye,
> Sumit
>
>> pam_pkcs11.conf file to use the pwent mapper to link the Common Name (CN) to
>> the Active Directory user account. I have created a User ID Override for
>> the AD user and added the CN from the certificate on the smart card into
>> the GECOS field. I also have added all three certificates from the CAC
>> smart card into the User ID Override.
>>
>> When I try and log in, I get this error message in /var/log/secure:
>> Apr 6 13:21:57 site-lws05 pam: gdm-smartcard:
>> pam_pkcs11(gdm-smartcard:auth): pam_get_pwd() failed: Conversation
>> error
>> Apr 6 13:22:17 site-lws05 pam: gdm-smartcard:
>> pam_pkcs11(gdm-smartcard:auth): find_user() failed: on cert #1
>> Apr 6 13:22:17 site-lws05 pam: gdm-smartcard:
>> pam_pkcs11(gdm-smartcard:auth): find_user() failed: on cert #2
>> Apr 6 13:22:17 site-lws05 pam: gdm-smartcard:
>> pam_pkcs11(gdm-smartcard:auth): no valid certificate which meets all
>> requirements found
>>
>> Here are some details:
>> IDM Domain: idm.domain.local
>> Windows Domain: domain.local
>> RHEL 7.3 IDM Server: site-idm01.idm.domain.local
>> RHEL 6.9 IDM Client : site-lws05.idm.domain.local
>>
>> When I run the getent command on local accounts and IDM accounts I get user
>> details, but when I run the command on AD accounts it doesn't find them.
>> So, I'm wondering if that's why it's not finding the CN in the GECOS
>> field. I'm trying to avoid using the cn_map on the clients, because we
>> have a large amount of users and that's a lot of extra work to manage that
>> file. That's why I wanted to use the pwent mapper.
>> Here is my SSSD config file from the RHEL 6.9 client:
>> [domain/idm.domain.local]
>> override_shell = /bin/bash
>> debug_level = 9
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = idm.domain.local
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = site-lws05.idm.domain.local
>> chpass_provider = ipa
>> ipa_server = _srv_, site-idm01.idm.domain.local
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> [sssd]
>> debug_level = 9
>> services = nss, sudo, pam, ssh, ifp
>> domains = idm.domain.local
>> certificate_verification = no_ocsp
>> ldap_user_certificate = userCertificate;binary
>> [nss]
>> debug_level = 9
>> homedir_substring = /home
>> [pam]
>> debug_level = 9
>> pam_cert_auth = True
>> [sudo]
>> debug_level = 9
>> [autofs]
>> debug_level = 9
>> [ssh]
>> debug_level = 9
>> [pac]
>> debug_level = 9
>> [ifp]
>> debug_level = 9
>>
>> Here is my nsswitch file from the RHEL 6.9 client:
>> # /etc/nsswitch.conf
>> #
>> # An example Name Service Switch config file. This file should be
>> # sorted with the most-used services at the beginning.
>> #
>> # The entry '[NOTFOUND=return]' means that the search for an
>> # entry should stop if the search in the previous entry turned
>> # up nothing. Note that if the search failed due to some other reason
>> # (like no NIS server responding) then the search continues with the
>> # next entry.
>> #
>> # Valid entries include:
>> #
>> # nisplus Use NIS+ (NIS version 3)
>> # nis Use NIS (NIS version 2), also called
>> YP
>> # dns Use DNS (Domain Name Service)
>> # files Use the local files
>> # db Use the local database (.db) files
>> # compat Use NIS on compat mode
>> # hesiod Use Hesiod for user lookups
>> # [NOTFOUND=return] Stop searching if not found so far
>> #
>> # To use db, put the "db" in front of "files" for entries you want to
>> be
>> # looked up first in the databases
>> #
>> # Example:
>> #passwd: db files nisplus nis
>> #shadow: db files nisplus nis
>> #group: db files nisplus nis
>> passwd: files sss
>> shadow: files sss
>> group: files sss
>> #hosts: db files nisplus nis dns
>> hosts: files dns
>> # Example - obey only what nisplus tells us...
>> #services: nisplus [NOTFOUND=return] files
>> #networks: nisplus [NOTFOUND=return] files
>> #protocols: nisplus [NOTFOUND=return] files
>> #rpc: nisplus [NOTFOUND=return] files
>> #ethers: nisplus [NOTFOUND=return] files
>> #netmasks: nisplus [NOTFOUND=return] files
>> bootparams: nisplus [NOTFOUND=return] files
>> ethers: files
>> netmasks: files
>> networks: files
>> protocols: files
>> rpc: files
>> services: files sss
>> netgroup: files sss
>> publickey: nisplus
>> automount: files sss
>> aliases: files nisplus
>> sudoers: files sss
>>
>> Here is my system-auth from the RHEL 6.9 client:
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth required pam_env.so
>> auth [success=1 default=ignore] pam_succeed_if.so service
>> notin
>> login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet
>> use_uid
>> auth [success=done authinfo_unavail=ignore ignore=ignore
>> default=die]
>> pam_pkcs11.so card_only
>> auth sufficient pam_fprintd.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 500 quiet
>> auth sufficient pam_sss.so use_first_pass
>> auth required pam_deny.so
>> account required pam_unix.so
>> account sufficient pam_localuser.so
>> account sufficient pam_succeed_if.so uid < 500 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_sss.so
>> account required pam_permit.so
>> password requisite pam_cracklib.so try_first_pass retry=3
>> type=
>> password sufficient pam_unix.so sha512 shadow nullok
>> try_first_pass
>> use_authtok
>> password sufficient pam_sss.so use_authtok
>> password required pam_deny.so
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> session optional pam_oddjob_mkhomedir.so umask=0077
>> session [success=1 default=ignore] pam_succeed_if.so service in
>> crond
>> quiet use_uid
>> session required pam_unix.so
>> session optional pam_sss.so
>>
>> Here is my password-auth from the RHEL 6.9 client:
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth required pam_env.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 500 quiet
>> auth sufficient pam_sss.so use_first_pass
>> auth required pam_deny.so
>> account required pam_unix.so
>> account sufficient pam_localuser.so
>> account sufficient pam_succeed_if.so uid < 500 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_sss.so
>> account required pam_permit.so
>> password requisite pam_cracklib.so try_first_pass retry=3
>> type=
>> password sufficient pam_unix.so sha512 shadow nullok
>> try_first_pass
>> use_authtok
>> password sufficient pam_sss.so use_authtok
>> password required pam_deny.so
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> session optional pam_oddjob_mkhomedir.so umask=0077
>> session [success=1 default=ignore] pam_succeed_if.so service in
>> crond
>> quiet use_uid
>> session required pam_unix.so
>> session optional pam_sss.so
>>
>> Here is my smartcard-auth from the RHEL 6.9 client:
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth required pam_env.so
>> auth [success=done ignore=ignore default=die] pam_pkcs11.so
>> wait_for_card card_only
>> auth required pam_deny.so
>> account required pam_unix.so
>> account sufficient pam_localuser.so
>> account sufficient pam_succeed_if.so uid < 500 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_sss.so
>> account required pam_permit.so
>> password required pam_pkcs11.so
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> session optional pam_oddjob_mkhomedir.so umask=0077
>> session [success=1 default=ignore] pam_succeed_if.so service in
>> crond
>> quiet use_uid
>> session required pam_unix.so
>> session optional pam_sss.so
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
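A small troubleshooting helper, added here as an example and not part of this thread, of SSSD or of pam_pkcs11: it parses the p11_child.log format quoted above, picks the certificate the way the log says p11_child does (the first one left after filtering), and then tries a pwent-style match of that certificate's CN against passwd entries (login name or GECOS). The log excerpt and the passwd entries are constructed; the AD user is left out of them on purpose to reproduce the "getent finds no AD users" situation described in the thread.

```python
"""Added example (not from the thread, SSSD or pam_pkcs11): parse the
p11_child.log format shown above, pick the certificate the way the log
says p11_child does (first one after filtering), and try a pwent-style
match of its CN against constructed passwd entries (name or GECOS)."""
import re
# Constructed excerpt in the thread's log format.
SAMPLE_LOG = """\
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV Email Encryption Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Filtered certificates:
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV ID Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV Email Signature Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): More than one certificate found, using just the first one.
"""
# Constructed passwd (name, gecos); the AD user is absent, as getent in the thread found none.
SAMPLE_PASSWD = [("root", "root"), ("rsmith", "Ryan Smith")]
CERT_RE = re.compile(r"found cert\[([^\]]*)\]\[([^\]]*)\]")

def parse_p11_child(log):
    """Return (certs kept after filtering, more-than-one warning seen)."""
    filtered, after_filter, multiple = [], False, False
    for line in log.splitlines():
        if "Filtered certificates:" in line:
            after_filter = True
        elif "More than one certificate found" in line:
            multiple = True
        m = CERT_RE.search(line)
        if m and after_filter:
            filtered.append((m.group(1), m.group(2)))
    return filtered, multiple

def subject_cn(subject):
    """First CN value of a comma-separated subject DN, or None."""
    for rdn in subject.split(","):
        key, _, value = rdn.partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None

def pwent_match(cn, passwd):
    """pwent-style lookup: CN must equal a login name or a GECOS field."""
    return next((name for name, gecos in passwd if cn in (name, gecos)), None)

def diagnose(log=SAMPLE_LOG, passwd=SAMPLE_PASSWD):
    """Which cert is used, its CN, the user it maps to (None = mapping fails)."""
    filtered, multiple = parse_p11_child(log)
    if not filtered:
        return {"cert": None, "cn": None, "user": None, "multiple": multiple}
    label, subject = filtered[0]  # the log says only the first one is used
    cn = subject_cn(subject)
    return {"cert": label, "cn": cn, "user": pwent_match(cn, passwd), "multiple": multiple}
```

With the constructed entries `diagnose()` reports `user: None`, which is the same failure the thread sees: the certificate is read fine, but the CN cannot be resolved to an account through NSS. Passing entries that do carry the CN in the GECOS field makes the mapping succeed.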