[Freeipa-users] RHEL 6.9 AD Smart Card login

Sumit Bose sbose at redhat.com
Tue Apr 11 21:32:34 UTC 2017


On Tue, Apr 11, 2017 at 04:24:51PM +0000, spammewoods at cox.net wrote:
> I made the changes in this Bugzilla report and it's still failing. When I
> click on Smartcard Authentication on the GDM login screen, I get the error
> message "Authentication failure". It looks like this Bugzilla was for IDM
> users using smart cards. I'm trying to use Active Directory Users and
> smart cards.

Using IdM or AD shouldn't make a difference here. Did you change
/etc/pam.d/smartcard-auth according to comment #8 (similar changes are
needed on RHEL7 as well)? Please send the full SSSD logs, especially
sssd_pam.log, with debug_level=10 and /var/log/secure. Feel free to send
them to me directly if you do not want to share them on the list.

bye,
Sumit

> 
> Here is my error log from /var/log/sssd/p11_child.log
> (Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [main] (0x0400): p11_child started.
> (Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [main] (0x2000): Running in [pre-auth] mode.
> (Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [main] (0x2000): Running with effective IDs: [0][0].
> (Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [main] (0x2000): Running with real IDs [0][0].
> (Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [parse_cert_verify_opts] (0x4000): Found 'no_ocsp' option, disabling OCSP.
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Default Module List:
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): common name: [NSS Internal PKCS #11 Module].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): dll name: [(null)].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): common name: [CoolKey PKCS #11 Module].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): dll name: [libcoolkeypk11.so].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Dead Module List:
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): DB Module List:
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): common name: [NSS Internal Module].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): dll name: [(null)].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): common name: [Policy File].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): dll name: [(null)].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Description [NSS User Private Key and Certificate Services Mozilla Foundation              ] Manufacturer [Mozilla Foundation ] flags [1].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Description [NSS Internal Cryptographic Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Description [SCM SCR 3310 00 00 Unknown                         ] Manufacturer [Unknown ] flags [7].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Found [SMITH.RYAN.123456] in slot [SCM SCR 3310 00 00][1] of module [2].
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Token is NOT friendly.
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Trying to switch to friendly to read certificate.
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Login required.
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x0020): Login required but no pin available, continue.
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV ID Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV Email Signature Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV Email Encryption Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Filtered certificates:
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV ID Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV Email Signature Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
> (Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): More than one certificate found, using just the first one.
> 
> 
> On Fri, Apr 7, 2017 at 4:35 AM, Sumit Bose wrote:
> 
> > On Thu, Apr 06, 2017 at 06:36:43PM +0000, spammewoods at cox.net wrote:
> > > I have created a two-way trust between my IDM server and Active Directory.
> > > I have been able to successfully get RHEL 7.3 IDM server and RHEL 7.3 IDM
> > > clients to allow Active Directory login using CAC smart cards into Gnome.
> > > I'm using SSSD for the smart card login process instead of authconfig and
> > > pkcs11. I'm currently trying to get the same thing working for RHEL 6.9,
> > > but I have not been able to get it to work. The latest version of SSSD on
> > > RHEL 6.9 is 1.13.3 and from my understanding I need to have at least 1.14.0
> > > for SSSD to handle AD smart card logins. So, I have tried to configure
> > 
> > The Smartcard authentication feature was backported to RHEL-6.9.
> > 
> > Please note that the GDM Smartcard feature must be configured
> > differently in RHEL6 than in RHEL7; details for RHEL-6.9 can e.g. be found
> > in https://bugzilla.redhat.com/show_bug.cgi?id=1300421#c13
> > 
> > HTH
> > 
> > bye,
> > Sumit
> > 
> > > pam_pkcs11.conf file to use the pwent mapper to link the Common Name (CN)
> > > to the Active Directory User account. I have created a User ID Override
> > > for the AD user and added the CN name from the Certificate on the smart
> > > card into the GECOS field. I also have added all three certificates from
> > > the CAC smart card into the User ID Override.
> > > 
> > > When I try to log in, I get this error message in /var/log/secure:
> > > Apr  6 13:21:57 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): pam_get_pwd() failed: Conversation error
> > > Apr  6 13:22:17 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): find_user() failed:  on cert #1
> > > Apr  6 13:22:17 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): find_user() failed:  on cert #2
> > > Apr  6 13:22:17 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): no valid certificate which meets all requirements found
> > > 
> > > Here is the some details:
> > > IDM Domain: idm.domain.local
> > > Windows Domain: domain.local
> > > RHEL 7.3 IDM Server: site-idm01.idm.domain.local
> > > RHEL 6.9 IDM Client : site-lws05.idm.domain.local
> > > 
> > > When I run the getent command on local accounts and IDM accounts I get user
> > > details, but when I run the command on AD accounts it doesn't find them.
> > > So, I'm wondering if that's why it's not finding the CN name in the GECOS
> > > field. I'm trying to avoid using the cn_map on the clients, because we
> > > have a large amount of users and that's a lot of extra work to manage that
> > > file. That's why I wanted to use the pwent mapper.
> > > Here is my SSSD config file from the RHEL 6.9 client:
> > > [domain/idm.domain.local]
> > > override_shell = /bin/bash
> > > debug_level = 9
> > > cache_credentials = True
> > > krb5_store_password_if_offline = True
> > > ipa_domain = idm.domain.local
> > > id_provider = ipa
> > > auth_provider = ipa
> > > access_provider = ipa
> > > ipa_hostname = site-lws05.idm.domain.local
> > > chpass_provider = ipa
> > > ipa_server = _srv_, site-idm01.idm.domain.local
> > > ldap_tls_cacert = /etc/ipa/ca.crt
> > > [sssd]
> > > debug_level = 9
> > > services = nss, sudo, pam, ssh, ifp
> > > domains = idm.domain.local
> > > certificate_verification = no_ocsp
> > > ldap_user_certificate = userCertificate;binary
> > > [nss]
> > > debug_level = 9
> > > homedir_substring = /home
> > > [pam]
> > > debug_level = 9
> > > pam_cert_auth = True
> > > [sudo]
> > > debug_level = 9
> > > [autofs]
> > > debug_level = 9
> > > [ssh]
> > > debug_level = 9
> > > [pac]
> > > debug_level = 9
> > > [ifp]
> > > debug_level = 9
> > > 
> > > Here is my nsswitch file from the RHEL 6.9 client:
> > > # /etc/nsswitch.conf
> > > #
> > > # An example Name Service Switch config file. This file should be
> > > # sorted with the most-used services at the beginning.
> > > #
> > > # The entry '[NOTFOUND=return]' means that the search for an
> > > # entry should stop if the search in the previous entry turned
> > > # up nothing. Note that if the search failed due to some other reason
> > > # (like no NIS server responding) then the search continues with the
> > > # next entry.
> > > #
> > > # Valid entries include:
> > > #
> > > #       nisplus                 Use NIS+ (NIS version 3)
> > > #       nis                     Use NIS (NIS version 2), also called YP
> > > #       dns                     Use DNS (Domain Name Service)
> > > #       files                   Use the local files
> > > #       db                      Use the local database (.db) files
> > > #       compat                  Use NIS on compat mode
> > > #       hesiod                  Use Hesiod for user lookups
> > > #       [NOTFOUND=return]       Stop searching if not found so far
> > > #
> > > # To use db, put the "db" in front of "files" for entries you want to be
> > > # looked up first in the databases
> > > #
> > > # Example:
> > > #passwd:    db files nisplus nis
> > > #shadow:    db files nisplus nis
> > > #group:     db files nisplus nis
> > > passwd:     files sss
> > > shadow:     files sss
> > > group:      files sss
> > > #hosts:     db files nisplus nis dns
> > > hosts:      files dns
> > > # Example - obey only what nisplus tells us...
> > > #services:   nisplus [NOTFOUND=return] files
> > > #networks:   nisplus [NOTFOUND=return] files
> > > #protocols:  nisplus [NOTFOUND=return] files
> > > #rpc:        nisplus [NOTFOUND=return] files
> > > #ethers:     nisplus [NOTFOUND=return] files
> > > #netmasks:   nisplus [NOTFOUND=return] files
> > > bootparams: nisplus [NOTFOUND=return] files
> > > ethers:     files
> > > netmasks:   files
> > > networks:   files
> > > protocols:  files
> > > rpc:        files
> > > services:   files sss
> > > netgroup:   files sss
> > > publickey:  nisplus
> > > automount:  files sss
> > > aliases:    files nisplus
> > > sudoers: files sss
> > > 
> > > Here is my system-auth from the RHEL 6.9 client:
> > > #%PAM-1.0
> > > # This file is auto-generated.
> > > # User changes will be destroyed the next time authconfig is run.
> > > auth        required      pam_env.so
> > > auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
> > > auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so card_only
> > > auth        sufficient    pam_fprintd.so
> > > auth        sufficient    pam_unix.so nullok try_first_pass
> > > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > > auth        sufficient    pam_sss.so use_first_pass
> > > auth        required      pam_deny.so
> > > account     required      pam_unix.so
> > > account     sufficient    pam_localuser.so
> > > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > > account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> > > account     required      pam_permit.so
> > > password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> > > password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> > > password    sufficient    pam_sss.so use_authtok
> > > password    required      pam_deny.so
> > > session     optional      pam_keyinit.so revoke
> > > session     required      pam_limits.so
> > > session     optional      pam_oddjob_mkhomedir.so umask=0077
> > > session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > > session     required      pam_unix.so
> > > session     optional      pam_sss.so
> > > 
> > > Here is my password-auth from the RHEL 6.9 client:
> > > #%PAM-1.0
> > > # This file is auto-generated.
> > > # User changes will be destroyed the next time authconfig is run.
> > > auth        required      pam_env.so
> > > auth        sufficient    pam_unix.so nullok try_first_pass
> > > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > > auth        sufficient    pam_sss.so use_first_pass
> > > auth        required      pam_deny.so
> > > account     required      pam_unix.so
> > > account     sufficient    pam_localuser.so
> > > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > > account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> > > account     required      pam_permit.so
> > > password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> > > password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> > > password    sufficient    pam_sss.so use_authtok
> > > password    required      pam_deny.so
> > > session     optional      pam_keyinit.so revoke
> > > session     required      pam_limits.so
> > > session     optional      pam_oddjob_mkhomedir.so umask=0077
> > > session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > > session     required      pam_unix.so
> > > session     optional      pam_sss.so
> > > 
> > > Here is my smartcard-auth from the RHEL 6.9 client:
> > > #%PAM-1.0
> > > # This file is auto-generated.
> > > # User changes will be destroyed the next time authconfig is run.
> > > auth        required      pam_env.so
> > > auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
> > > auth        required      pam_deny.so
> > > account     required      pam_unix.so
> > > account     sufficient    pam_localuser.so
> > > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > > account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> > > account     required      pam_permit.so
> > > password    required      pam_pkcs11.so
> > > session     optional      pam_keyinit.so revoke
> > > session     required      pam_limits.so
> > > session     optional      pam_oddjob_mkhomedir.so umask=0077
> > > session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > > session     required      pam_unix.so
> > > session     optional      pam_sss.so
> > > 
> > > -- 
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
> > 
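Added example, not part of the thread and not SSSD code: a small parser for the p11_child.log format quoted above, run offline on sample records constructed from that log (unwrapped to one record per line). It reports which certificate p11_child actually uses when several survive filtering, and which verification options were in effect, which is what one wants to know before touching the PAM stack. Class, function and message names are this example's own.

```python
"""Summarize what SSSD's p11_child saw in one run, from the log format quoted above."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One record: "(<timestamp>) [[sssd[p11_child[<pid>]]]] [<function>] (<level>): <message>"
LINE_RE = re.compile(
    r"^\([^)]*\) \[\[sssd\[p11_child\[\d+\]\]\]\] \[[^\]]+\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$"
)
MODE_RE = re.compile(r"^Running in \[(?P<mode>[^\]]+)\] mode\.$")
TOKEN_RE = re.compile(
    r"^Found \[(?P<token>[^\]]+)\] in slot \[(?P<slot>[^\]]+)\]\[\d+\] of module \[\d+\]\.$"
)
CERT_RE = re.compile(r"^found cert\[(?P<label>[^\]]+)\]\[(?P<subject>[^\]]+)\]$")

Cert = Tuple[str, str]  # (token object label, subject DN)


@dataclass
class P11Report:
    mode: Optional[str] = None  # "pre-auth" or "auth"
    token: Optional[str] = None
    slot: Optional[str] = None
    ocsp_disabled: bool = False
    pin_available: bool = True
    all_certs: List[Cert] = field(default_factory=list)       # everything found on the token
    filtered_certs: List[Cert] = field(default_factory=list)  # what survived p11_child's filter
    multiple_filtered: bool = False

    @property
    def cert_in_use(self) -> Optional[Cert]:
        # p11_child logs that it uses just the first filtered certificate
        return self.filtered_certs[0] if self.filtered_certs else None

    @property
    def dropped_by_filter(self) -> List[Cert]:
        return [c for c in self.all_certs if c not in self.filtered_certs]


def parse_p11_child_log(text: str) -> P11Report:
    rep = P11Report()
    in_filtered = False  # "found cert" lines after "Filtered certificates:" are the survivors
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        mm, tm, cm = MODE_RE.match(msg), TOKEN_RE.match(msg), CERT_RE.match(msg)
        if mm:
            rep.mode = mm.group("mode")
        elif tm:
            rep.token, rep.slot = tm.group("token"), tm.group("slot")
        elif cm:
            target = rep.filtered_certs if in_filtered else rep.all_certs
            target.append((cm.group("label"), cm.group("subject")))
        elif msg.startswith("Found 'no_ocsp' option"):
            rep.ocsp_disabled = True
        elif msg.startswith("Login required but no pin available"):
            rep.pin_available = False
        elif msg == "Filtered certificates:":
            in_filtered = True
        elif msg.startswith("More than one certificate found"):
            rep.multiple_filtered = True
    return rep


def findings(rep: P11Report) -> List[str]:
    """The checks to make from this log before blaming the PAM configuration."""
    if rep.token is None:
        return ["no token found in any slot: reader/driver problem, not a mapping problem"]
    out = []
    if not rep.filtered_certs:
        out.append(f"token {rep.token} present but no certificate survived filtering")
    if rep.ocsp_disabled:
        out.append("OCSP disabled (no_ocsp): revocation of the card certificate is not checked")
    if not rep.pin_available:
        where = "pre-auth mode, where certificates are only enumerated" if rep.mode == "pre-auth" else "auth mode"
        out.append(f"no PIN available in {where}")
    if rep.multiple_filtered and rep.cert_in_use:
        label, subject = rep.cert_in_use
        out.append(f"{len(rep.filtered_certs)} usable certificates, only '{label}' ({subject}) "
                   "is used; the user entry must be mapped to exactly this certificate")
    return out


# Sample records constructed from the thread's log, one record per line.
SAMPLE_LOG = """\
(Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [main] (0x2000): Running in [pre-auth] mode.
(Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [parse_cert_verify_opts] (0x4000): Found 'no_ocsp' option, disabling OCSP.
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Found [SMITH.RYAN.123456] in slot [SCM SCR 3310 00 00][1] of module [2].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x0020): Login required but no pin available, continue.
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV ID Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV Email Signature Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV Email Encryption Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Filtered certificates:
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV ID Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV Email Signature Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): More than one certificate found, using just the first one.
"""

if __name__ == "__main__":
    for line in findings(parse_p11_child_log(SAMPLE_LOG)):
        print(line)
```

Run it against a real /var/log/sssd/p11_child.log written with debug_level=10 (the level at which the "found cert" and "Filtered certificates" records appear); on the sample above it reports that the PIV ID Certificate is the only one p11_child will hand to the PAM responder, that the Email Encryption certificate was dropped by the filter, and that OCSP checking is off because of certificate_verification = no_ocsp.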