That works, but it is only pre-auth mode. In --auth mode it fails, but I don't think that relevant since fails the same way on Fedora too.
The problems seems to be that on Ubuntu, --auth mode is never called. On Fedora p11_child is called twice. Once with --pre and then a second time with --auth. In the log you see:
$ egrep 'main|verified' p11_child.log (Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x0400): p11_child started. (Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000): Running in [pre-auth] mode. (Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000): Running with effective IDs: [0][0]. (Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000): Running with real IDs [0][0]. (Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x0400): p11_child started. (Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000): Running in [auth] mode. (Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000): Running with effective IDs: [0][0]. (Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000): Running with real IDs [0][0]. (Thu Sep 28 14:23:23 2017) [[sssd[p11_child[15378]]]] [do_work] (0x4000): Certificate verified and validated.
I've trimmed the log to what (I think) was interesting. I can send everything if you need it.
For Ubuntu, the log stops after the first invocation of p11_child and you never see the [auth] mode call. Otherwise the logs are the same.
Steve
On Fri, Sep 29, 2017 at 3:17 AM, Sumit Bose sbose@redhat.com wrote:
On Thu, Sep 28, 2017 at 02:35:55PM -0400, Steve Weeks wrote:
Progress, but still not using the smartcard and falling back to the password.
I changed to change the pam_sss line in common-auth too:
auth [default=1 success=ok] pam_localuser.so auth [success=2 default=ignore] pam_unix.so nullok_secure #auth [success=1 default=ignore] pam_sss.so use_first_pass auth sufficient pam_sss.so forward_pass
Now p11_child is called, but doesn't validate the certificate. On Fedora the final line in p11_child.log is "Ceritificate verified and validated". On Ubuntu that line is missing.
The root certificate is in the certdb. (certutil -d /etc/pki/nssdb -L).
Is there a way to do what p11_child does from the command line or with better logging so I can what it doesn't like? I have debug_level = 9 on everything at the moment.
/usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --pre
--nssdb=/etc/pki/nssdb
should do the trick.
HTH
bye, Sumit
Thanks, Steve
On Thu, Sep 28, 2017 at 12:43 PM, Sumit Bose sbose@redhat.com wrote:
On Thu, Sep 28, 2017 at 12:13:38PM -0400, Steve Weeks wrote:
In all cases on both system pam_unix comes before pam_sss. For
example
in
Fedora system-auth it is:
On recent Fedora systems you should have
auth [default=1 success=ok] pam_localuser.so
before the lines below. This will call pam_unix only for users from /etc/passwd and skip the line it otherwise (default=1). Maybe something like this would help on Ubuntu as well?
bye, Sumit
auth [success=done ignore=ignore default=die] pam_unix.so
nullok
try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass
and in Ubuntu common-auth it is:
auth [success=2 default=ignore] pam_unix.so nullok_secure auth [success=1 default=ignore] pam_sss.so use_first_pass
I tried reversing the lines and get a pam error about user not know
(it
is
an AD user which works fine on fedora).
Also, it looks like pam_pkcs11.so is used in smartcard-auth on
Fedora.
Don't know if this is relevant or not.
Steve
On Thu, Sep 28, 2017 at 11:40 AM, Sumit Bose via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
On Thu, Sep 28, 2017 at 11:29:27AM -0400, Steve Weeks via
FreeIPA-users
wrote:
We have smartcards (PIV) working just fine on Fedora 25 with
FreeIPA
client
version 4.4.4 (SSSD 1.14.2). However on Ubuntu 16.04, FreeIPA
client
4.3.1, SSSD 1.13.4 the smartcard seems to be ignored.
The smartcard is readable using pkcs11-tools and pkcs15-tools on
both
systems.
On both systems sssd.conf contains: [pam] pam_cert_auth = True
I've turned the sssd logging up to 9 on both systems and it looks
like
p11_child is never called on the Ubuntu system. On the Ubuntu
system
p11_child.log is empty and there is no sign of it being started
in
the
sssd_pam.log.
Any suggestions on what I should look at next?
How does your PAM configuration looks like? You have to make sure
that
pam_sss.so is the first module called for SSSD users. If pam_unix
comes
first it will ask for a Password and pass it on to pam_sss.so which
will
try password authentication in this case.
HTH
bye, Sumit
Thanks, Steve
FreeIPA-users mailing list -- freeipa-users@lists.
fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.
fedorahosted.org _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.
fedorahosted.org