Progress, but still not using the smartcard and falling back to the password.
I also changed the pam_sss line in common-auth:
auth [default=1 success=ok] pam_localuser.so
auth [success=2 default=ignore] pam_unix.so nullok_secure
#auth [success=1 default=ignore] pam_sss.so use_first_pass
auth sufficient pam_sss.so forward_pass
Now p11_child is called, but doesn't validate the certificate. On Fedora the final line in p11_child.log is "Certificate verified and validated". On Ubuntu that line is missing.
The root certificate is in the certdb. (certutil -d /etc/pki/nssdb -L).
Is there a way to do what p11_child does from the command line or with better logging so I can see what it doesn't like? I have debug_level = 9 on everything at the moment.
Thanks, Steve
On Thu, Sep 28, 2017 at 12:43 PM, Sumit Bose sbose@redhat.com wrote:
On Thu, Sep 28, 2017 at 12:13:38PM -0400, Steve Weeks wrote:
In all cases on both systems pam_unix comes before pam_sss. For example in Fedora system-auth it is:
On recent Fedora systems you should have
auth [default=1 success=ok] pam_localuser.so
before the lines below. This will call pam_unix only for users from /etc/passwd and skip it otherwise (default=1). Maybe something like this would help on Ubuntu as well?
bye, Sumit
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
and in Ubuntu common-auth it is:
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
I tried reversing the lines and get a pam error about user not known (it is an AD user which works fine on Fedora).
Also, it looks like pam_pkcs11.so is used in smartcard-auth on Fedora. Don't know if this is relevant or not.
Steve
On Thu, Sep 28, 2017 at 11:40 AM, Sumit Bose via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On Thu, Sep 28, 2017 at 11:29:27AM -0400, Steve Weeks via FreeIPA-users wrote:
We have smartcards (PIV) working just fine on Fedora 25 with FreeIPA client version 4.4.4 (SSSD 1.14.2). However on Ubuntu 16.04, FreeIPA client 4.3.1, SSSD 1.13.4 the smartcard seems to be ignored.
The smartcard is readable using pkcs11-tools and pkcs15-tools on both systems.
On both systems sssd.conf contains:
[pam]
pam_cert_auth = True
I've turned the sssd logging up to 9 on both systems and it looks like p11_child is never called on the Ubuntu system. On the Ubuntu system p11_child.log is empty and there is no sign of it being started in the sssd_pam.log.
Any suggestions on what I should look at next?
What does your PAM configuration look like? You have to make sure that pam_sss.so is the first module called for SSSD users. If pam_unix comes first it will ask for a password and pass it on to pam_sss.so which will try password authentication in this case.
HTH
bye, Sumit
Thanks, Steve
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
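The thread turns on module order: whichever of pam_unix or pam_sss runs first decides whether the user is asked for a password or for the smartcard, and pam_localuser with [default=1 success=ok] is what lets pam_unix be skipped for non-local users. The script below is an added example, not code from this thread, from SSSD or from Linux-PAM. It parses the two Ubuntu common-auth stanzas quoted above, walks them with the control-flag rules from pam.conf(5), and reports which module speaks to the user first and what the stack returns. The trailing pam_deny/pam_permit lines that pam-auth-update normally appends are assumed so the success=N skip counts resolve, and every module return value (pam_localuser denying a domain user, pam_unix failing for it, pam_sss succeeding) is an assumption for the simulation; jumps are modelled as pure skips that record no result.

```python
"""Simulate how libpam walks an 'auth' stack, to see which module prompts first.

Added example for this thread (not code from the thread, from SSSD or from
Linux-PAM). Module return values are assumptions listed in the scenario
tables below; control-flag semantics follow pam.conf(5), with one
simplification: a jump ("success=2") only skips modules, it records no result.
"""

# pam.conf(5) expands the simple keywords into these [value=action] tables.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# Ubuntu 16.04 common-auth as quoted in the thread, plus the pam_deny/pam_permit
# lines pam-auth-update appends after them (assumed here so the skip counts resolve).
UBUNTU_ORIGINAL = """
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""

# The reworked stanza from the thread (pam_localuser first), same trailing lines.
UBUNTU_REWORKED = """
auth [default=1 success=ok] pam_localuser.so
auth [success=2 default=ignore] pam_unix.so nullok_secure
#auth [success=1 default=ignore] pam_sss.so use_first_pass
auth sufficient pam_sss.so forward_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""

# Assumed module results per user type. pam_unix only succeeds for /etc/passwd
# users; for a domain user it still prompts for a password before failing.
AD_USER = {"pam_localuser.so": "perm_denied", "pam_unix.so": "auth_err",
           "pam_sss.so": "success", "pam_deny.so": "auth_err", "pam_permit.so": "success"}
LOCAL_USER = {"pam_localuser.so": "success", "pam_unix.so": "success",
              "pam_sss.so": "user_unknown", "pam_deny.so": "auth_err", "pam_permit.so": "success"}
PROMPTING = {"pam_unix.so", "pam_sss.so"}   # modules that talk to the user


def parse_control(token):
    """'sufficient' -> keyword table; '[success=2 default=ignore]' -> {'success': '2', ...}."""
    if token.startswith("["):
        return dict(pair.split("=", 1) for pair in token.strip("[]").split())
    return dict(KEYWORDS[token])


def parse_stack(text):
    """Return [(control_table, module), ...] for a PAM file; comment lines are not
    modules, so the commented-out pam_sss line does not count towards any skip."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _type, rest = line.split(None, 1)
        if rest.startswith("["):
            close = rest.index("]")
            control, module = rest[:close + 1], rest[close + 1:].split()[0]
        else:
            control, module = rest.split()[:2]
        stack.append((parse_control(control), module))
    return stack


def run_stack(stack, results):
    """Walk the stack; `results` maps module -> return value for this user.
    Returns (final_result, modules_called_in_order). 'ok'/'done' set the status
    only while no failure is recorded, 'bad'/'die' record the first failure,
    'done' and 'die' stop the walk, an integer action skips that many modules."""
    impression, status = None, "perm_denied"   # libpam fails closed if nothing sets a result
    called, skip, i = [], 0, 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        if skip:
            skip -= 1
            continue
        retval = results[module]
        called.append(module)
        action = control.get(retval, control.get("default", "bad"))
        if action.isdigit():                       # jump: skip the next N modules
            skip = int(action)
        elif action in ("ok", "done"):
            if impression is None or (impression and status == "success"):
                impression, status = (retval == "success"), retval
            if action == "done" and impression:
                break
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
        # 'ignore' contributes nothing to the result
    return status, called


def first_prompting_module(stanza, user):
    """Which module gets to talk to the user first: pam_unix (password) or pam_sss (card PIN)."""
    _status, called = run_stack(parse_stack(stanza), user)
    return next((m for m in called if m in PROMPTING), None)


if __name__ == "__main__":
    for name, stanza in (("original", UBUNTU_ORIGINAL), ("reworked", UBUNTU_REWORKED)):
        for who, user in (("AD user", AD_USER), ("local user", LOCAL_USER)):
            status, called = run_stack(parse_stack(stanza), user)
            print(f"{name:9} {who:10} -> {status:8} first prompt: "
                  f"{first_prompting_module(stanza, user)}  called: {' '.join(called)}")
```

With the original stanza a domain user is handled by pam_unix first, so the password prompt always comes before pam_sss gets a chance to use the card; with pam_localuser in front, pam_unix is skipped for that user and pam_sss is the first module to prompt, while local users still go through pam_unix and never reach pam_sss.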