We have smartcards (PIV) working just fine on Fedora 25 with FreeIPA client version 4.4.4 (SSSD 1.14.2). However on Ubuntu 16.04, FreeIPA client 4.3.1, SSSD 1.13.4 the smartcard seems to be ignored.
The smartcard is readable using pkcs11-tools and pkcs15-tools on both systems.
On both systems sssd.conf contains:
[pam]
pam_cert_auth = True
I've turned the sssd logging up to 9 on both systems and it looks like p11_child is never called on the Ubuntu system. On the Ubuntu system p11_child.log is empty and there is no sign of it being started in the sssd_pam.log.
Any suggestions on what I should look at next?
Thanks, Steve
On Thu, Sep 28, 2017 at 11:29:27AM -0400, Steve Weeks via FreeIPA-users wrote:
Any suggestions on what I should look at next?
What does your PAM configuration look like? You have to make sure that pam_sss.so is the first module called for SSSD users. If pam_unix comes first it will ask for a password and pass it on to pam_sss.so, which will try password authentication in this case.
HTH
bye, Sumit
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
In all cases on both system pam_unix comes before pam_sss. For example in Fedora system-auth it is:
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
and in Ubuntu common-auth it is:
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
I tried reversing the lines and get a PAM error about user not known (it is an AD user which works fine on Fedora).
Also, it looks like pam_pkcs11.so is used in smartcard-auth on Fedora. Don't know if this is relevant or not.
Steve
On Thu, Sep 28, 2017 at 11:40 AM, Sumit Bose via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
On Thu, Sep 28, 2017 at 12:13:38PM -0400, Steve Weeks wrote:
In all cases on both system pam_unix comes before pam_sss. For example in Fedora system-auth it is:
On recent Fedora systems you should have
auth [default=1 success=ok] pam_localuser.so
before the lines below. This will call pam_unix only for users from /etc/passwd and skip it otherwise (default=1). Maybe something like this would help on Ubuntu as well?
bye, Sumit
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
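To make the control-flag arithmetic visible, here is an added simulator (constructed for this thread, not code from SSSD or Linux-PAM) that walks the Ubuntu common-auth stack quoted above, first as posted and then with the pam_localuser line in front and pam_sss switched from use_first_pass to forward_pass. The per-module behaviour (pam_unix prompting and leaving the password in PAM_AUTHTOK, pam_sss preferring a forwarded password over the card) is a simplified model and an assumption of the example, and the trailing pam_deny/pam_permit lines are assumed from the stock Ubuntu file.

```python
"""Simulate a Linux-PAM 'auth' stack to show how module order decides whether
pam_sss ever gets to do smartcard authentication.  Constructed example, not
SSSD's or Linux-PAM's code: the per-module behaviour is a simplified model."""
import re

# Linux-PAM keyword controls expressed as the equivalent [value=action] tables.
KEYWORDS = {
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}
FAILURES = {"auth_err", "user_unknown", "perm_denied"}

# Stock Ubuntu 16.04 common-auth as quoted in the thread, plus the pam_deny /
# pam_permit lines (assumed from the stock file) that the jumps land on.
UBUNTU_ORIGINAL = """
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
# Same stack with pam_localuser in front and pam_sss changed to forward_pass.
UBUNTU_FIXED = """
auth [default=1 success=ok] pam_localuser.so
auth [success=2 default=ignore] pam_unix.so nullok_secure
#auth [success=1 default=ignore] pam_sss.so use_first_pass
auth sufficient pam_sss.so forward_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
SSSD_CARD_USER = {"local": False, "card": True}   # AD user with a PIV card
LOCAL_USER = {"local": True, "card": False}       # user from /etc/passwd

def parse_stack(text):
    """Parse 'auth <control> <module> [args...]' lines into (control, module, args)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # '#auth ...' lines are dropped
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if not m:
            continue
        ctl, module, args = m.groups()
        if ctl.startswith("["):
            control = dict(kv.split("=", 1) for kv in ctl[1:-1].split())
        else:
            control = KEYWORDS[ctl]
        entries.append((control, module, args.split()))
    return entries

def run_module(module, args, user, state):
    """Simplified (assumed) model of each module's 'auth' behaviour."""
    trace = state["trace"]
    sssd_view = "success" if not user["local"] else "user_unknown"
    if module == "pam_localuser.so":
        return "success" if user["local"] else "user_unknown"
    if module == "pam_unix.so":
        # pam_unix prompts for a password and leaves it in PAM_AUTHTOK, so a
        # later pam_sss with use_first_pass sees a password, not the card.
        if state["authtok"] is None:
            state["authtok"] = "<typed password>"
            trace.append("pam_unix prompted for a password")
        return "success" if user["local"] else "user_unknown"
    if module == "pam_sss.so":
        reuse = "use_first_pass" in args or "try_first_pass" in args
        if reuse and state["authtok"] is not None:
            trace.append("pam_sss used the forwarded password (no p11_child)")
            return sssd_view
        if "use_first_pass" in args:          # never prompts: nothing to use, deny
            trace.append("pam_sss: use_first_pass but no password was collected")
            return "auth_err"
        if user["card"]:
            trace.append("pam_sss ran p11_child --pre and --auth (smartcard)")
        else:
            trace.append("pam_sss prompted for a password itself")
        return sssd_view
    if module == "pam_deny.so":
        return "auth_err"
    if module == "pam_permit.so":
        return "success"
    raise NotImplementedError(module)

def run_stack(entries, user):
    """Walk the stack with Linux-PAM's ok/done/bad/die/ignore/N action semantics."""
    state = {"authtok": None, "trace": []}
    status, i = None, 0                           # None: no module has set a result
    while i < len(entries):
        control, module, args = entries[i]
        result = run_module(module, args, user, state)
        action = control.get(result, control.get("default", "bad"))
        state["trace"].append(f"{module}: {result} -> {action}")
        i += 1
        if action.isdigit():                      # N: skip N modules, result not counted
            i += int(action)
            continue
        failed_before = status in FAILURES
        if action in ("ok", "done", "bad", "die") and not failed_before:
            status = result                       # the first failure sticks
        if action == "die" or (action == "done" and not failed_before):
            break
    return (status or "perm_denied"), state["trace"]

def login(stack_text, user):
    """Run one login attempt; returns (stack result, list of trace lines)."""
    return run_stack(parse_stack(stack_text), user)
```

With the original stack the AD user still "succeeds", but the trace shows the password path and no p11_child; keeping use_first_pass while adding pam_localuser makes pam_sss fail outright, which is why the forward_pass change is needed too.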
Progress, but still not using the smartcard and falling back to the password.
I changed the pam_sss line in common-auth too:
auth [default=1 success=ok] pam_localuser.so
auth [success=2 default=ignore] pam_unix.so nullok_secure
#auth [success=1 default=ignore] pam_sss.so use_first_pass
auth sufficient pam_sss.so forward_pass
Now p11_child is called, but doesn't validate the certificate. On Fedora the final line in p11_child.log is "Certificate verified and validated". On Ubuntu that line is missing.
The root certificate is in the certdb. (certutil -d /etc/pki/nssdb -L).
Is there a way to do what p11_child does from the command line or with better logging so I can see what it doesn't like? I have debug_level = 9 on everything at the moment.
Thanks, Steve
On Thu, Sep 28, 2017 at 12:43 PM, Sumit Bose sbose@redhat.com wrote:
On Thu, Sep 28, 2017 at 02:35:55PM -0400, Steve Weeks wrote:
Is there a way to do what p11_child does from the command line or with better logging so I can see what it doesn't like? I have debug_level = 9 on everything at the moment.
/usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --pre --nssdb=/etc/pki/nssdb
should do the trick.
HTH
bye, Sumit
That works, but it is only pre-auth mode. In --auth mode it fails, but I don't think that's relevant since it fails the same way on Fedora too.
The problem seems to be that on Ubuntu, --auth mode is never called. On Fedora p11_child is called twice: once with --pre and then a second time with --auth. In the log you see:
$ egrep 'main|verified' p11_child.log
(Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x0400): p11_child started.
(Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000): Running in [pre-auth] mode.
(Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000): Running with real IDs [0][0].
(Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x0400): p11_child started.
(Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000): Running in [auth] mode.
(Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000): Running with real IDs [0][0].
(Thu Sep 28 14:23:23 2017) [[sssd[p11_child[15378]]]] [do_work] (0x4000): Certificate verified and validated.
I've trimmed the log to what (I think) was interesting. I can send everything if you need it.
For Ubuntu, the log stops after the first invocation of p11_child and you never see the [auth] mode call. Otherwise the logs are the same.
Steve
On Fri, Sep 29, 2017 at 3:17 AM, Sumit Bose sbose@redhat.com wrote:
The problem is definitely in sss_pam. From the logs, it sounds like it can't get the certificate from the server.
p11_child works the same on both Fedora 25 and Ubuntu 16.04 in both pre-auth and auth mode. To run in auth mode, change the command line to:
echo PIN | /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --auth --pin
Running from the command line, both Fedora and Ubuntu return the same results in either mode.
On Ubuntu running a real login, auth mode is never called. The sssd_pam.log files are different. I've attached the full logs, but this is what seems to be the problem.
Fedora, which works fine:
[sss_dp_issue_request] (0x0400): Issuing request for [0x55e4aeaaa710:8:MIIHdjCCBV6gAwIBAgIT..
[sss_dp_get_account_msg] (0x0400): Creating request for [ipa.example.com][ *0x14][BE_REQ_BY_CERT*][1][cert=MIIHdjCCBV...
[sss_dp_internal_get_send] (0x0400): Entering request [0x55e4aeaaa710:8:MIIHdjCCBV6gA.......
[cache_req_cache_search] (0x0040): Cache Request [User by certificate #0]: Cannot find info for [CERT:S/kgorJq32@ipa.example.com]
[child_sig_handler] (0x1000): Waiting for child [5701].
[child_sig_handler] (0x0100): child [5701] finished successfully.
[sbus_remove_timeout] (0x2000): 0x55e4afa97210
[sbus_dispatch] (0x4000): dbus conn: 0x55e4afa9e7d0
[sbus_dispatch] (0x4000): Dispatching.
[sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
The same sequence in Ubuntu has a different call parameter and seems to fail:
[sss_dp_issue_request] (0x0400): Issuing request for [0x410090:8:MIIHdjCCBV6...
[sss_dp_get_account_msg] (0x0400): Creating request for [ipa.example.com][*0x1014][FAST BE_REQ_BY_CERT*][1][cert=MIIHdjCCBV6gAw...
[sbus_add_timeout] (0x2000): 0xc46200
[sss_dp_internal_get_send] (0x0400): Entering request [0x410090:8:MIIHdjCCBV6g.....
[child_sig_handler] (0x1000): Waiting for child [9758].
[child_sig_handler] (0x0100): child [9758] finished successfully.
[sbus_remove_timeout] (0x2000): 0xc46200
[sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0xc1a220
[sbus_dispatch] (0x4000): Dispatching.
[sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 0 error message: Account info lookup failed
Fedora is running sssd 1.14.2 and Ubuntu is running 1.13.4. The user is from an AD trust. Both systems are attached to the same IPA server.
Is there some configuration change that will make the Ubuntu system behave like the Fedora system? I'd really like to use the standard Ubuntu distribution.
Thanks, Steve
On Fri, Sep 29, 2017 at 11:17 AM, Steve Weeks nbxsteve@gmail.com wrote:
On Thu, Oct 05, 2017 at 02:14:57PM -0400, Steve Weeks wrote:
Fedora is running sssd 1.14.2 and Ubuntu is running 1.13.4. The user is from an AD trust. Both systems are attached to the same IPA server.
How did you map the certificate to the AD users? Did you create an idoverride for the AD user and add the certificate to the override? Unfortunately this is only supported since sssd-1.14.
bye, Sumit
Is there some configuration change that will make the Ubuntu system behave like the Fedora system? I'd really like to use the standard Ubuntu distribution.
Thanks, Steve
On Fri, Sep 29, 2017 at 11:17 AM, Steve Weeks nbxsteve@gmail.com wrote:
That works, but it is only pre-auth mode. In --auth mode it fails, but I don't think that relevant since fails the same way on Fedora too.
The problems seems to be that on Ubuntu, --auth mode is never called. On Fedora p11_child is called twice. Once with --pre and then a second time with --auth. In the log you see:
$ egrep 'main|verified' p11_child.log (Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x0400): p11_child started. (Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000): Running in [pre-auth] mode. (Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000): Running with effective IDs: [0][0]. (Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000): Running with real IDs [0][0]. (Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x0400): p11_child started. (Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000): Running in [auth] mode. (Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000): Running with effective IDs: [0][0]. (Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000): Running with real IDs [0][0]. (Thu Sep 28 14:23:23 2017) [[sssd[p11_child[15378]]]] [do_work] (0x4000): Certificate verified and validated.
I've trimmed the log to what (I think) was interesting. I can send everything if you need it.
For Ubuntu, the log stops after the first invocation of p11_child and you never see the [auth] mode call. Otherwise the logs are the same.
Steve
On Fri, Sep 29, 2017 at 3:17 AM, Sumit Bose sbose@redhat.com wrote:
On Thu, Sep 28, 2017 at 02:35:55PM -0400, Steve Weeks wrote:
Progress, but still not using the smartcard and falling back to the password.
I changed to change the pam_sss line in common-auth too:
auth [default=1 success=ok] pam_localuser.so auth [success=2 default=ignore] pam_unix.so nullok_secure #auth [success=1 default=ignore] pam_sss.so use_first_pass auth sufficient pam_sss.so forward_pass
Now p11_child is called, but doesn't validate the certificate. On
Fedora
the final line in p11_child.log is "Ceritificate verified and
validated".
On Ubuntu that line is missing.
The root certificate is in the certdb. (certutil -d /etc/pki/nssdb -L).
Is there a way to do what p11_child does from the command line or with better logging so I can what it doesn't like? I have debug_level = 9 on everything at the moment.
/usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --pre
--nssdb=/etc/pki/nssdb
should do the trick.
HTH
bye, Sumit
Thanks, Steve
On Thu, Sep 28, 2017 at 12:43 PM, Sumit Bose sbose@redhat.com wrote:
On Thu, Sep 28, 2017 at 12:13:38PM -0400, Steve Weeks wrote:
In all cases on both system pam_unix comes before pam_sss. For
example
in
Fedora system-auth it is:
On recent Fedora systems you should have
auth [default=1 success=ok] pam_localuser.so
before the lines below. This will call pam_unix only for users from /etc/passwd and skip the line it otherwise (default=1). Maybe
something
like this would help on Ubuntu as well?
bye, Sumit
auth [success=done ignore=ignore default=die] pam_unix.so
nullok
try_first_pass auth requisite pam_succeed_if.so uid >= 1000
quiet_success
auth sufficient pam_sss.so forward_pass
and in Ubuntu common-auth it is:
auth [success=2 default=ignore] pam_unix.so nullok_secure auth [success=1 default=ignore] pam_sss.so use_first_pass
I tried reversing the lines and get a pam error about user not known (it is an AD user which works fine on Fedora).
Also, it looks like pam_pkcs11.so is used in smartcard-auth on Fedora. Don't know if this is relevant or not.
Steve
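Sumit's point about module order (pam_unix must not be the first module an SSSD user hits) and Steve's reworked common-auth above both come down to how PAM evaluates its [value=action] controls. The following is an added example, not code from this thread, SSSD or Linux-PAM: a small Python model of that dispatch run over the original and the modified Ubuntu stacks, with stubbed module outcomes; the pam_deny/pam_permit tail and the sample user names are assumptions.

```python
"""Model of Linux-PAM control-flag dispatch ([value=action], pam.conf(5)) over the auth stacks
quoted in this thread.  Added illustration with stubbed module outcomes; reset and PAM_IGNORE
subtleties are omitted, and the pam_deny/pam_permit tail is the usual Ubuntu common-auth ending."""
SUCCESS, USER_UNKNOWN, AUTH_ERR, PERM_DENIED = "success", "user_unknown", "auth_err", "perm_denied"
KEYWORDS = {  # control keywords expanded to the [value=action] tables they stand for
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}

def parse_control(field):
    """'sufficient' or '[success=2 default=ignore]' -> {return value: action}."""
    if field in KEYWORDS:
        return KEYWORDS[field]
    return dict(pair.split("=", 1) for pair in field.strip("[]").split())

def dispatch(stack, module_result):
    """Walk (control, module) pairs as the PAM dispatcher does; return (result, modules called)."""
    impression, status, called, i = None, None, [], 0
    while i < len(stack):
        control, module = stack[i]
        retval = module_result(module)
        called.append(module)
        table = parse_control(control)
        action = table.get(retval, table["default"])
        i += 1
        if action in ("bad", "die"):
            if impression != "neg":             # the first failure freezes the status
                impression, status = "neg", retval
            if action == "die":
                break
        elif action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == SUCCESS):
                impression, status = "pos", retval
            if action == "done" and impression == "pos":
                break                           # a frozen failure keeps the stack running
        elif action.isdigit():                  # N: skip the next N modules; the jump itself
            i += int(action)                    # does not change impression or status
    return (PERM_DENIED if impression is None or i > len(stack) else status), called

LOCAL_USERS, SSSD_USERS = {"alice"}, {"steve@ad.example.com"}   # constructed sample accounts

def results_for(user):
    """Stubbed module outcomes for one user (constructed, not the modules' real logic)."""
    def module_result(module):
        if module in ("pam_localuser.so", "pam_unix.so"):
            return SUCCESS if user in LOCAL_USERS else USER_UNKNOWN
        if module == "pam_sss.so":
            return SUCCESS if user in SSSD_USERS else USER_UNKNOWN
        return AUTH_ERR if module == "pam_deny.so" else SUCCESS   # pam_permit.so
    return module_result

UBUNTU_ORIGINAL = [                       # common-auth as quoted, plus the assumed tail
    ("[success=2 default=ignore]", "pam_unix.so"),
    ("[success=1 default=ignore]", "pam_sss.so"),
    ("requisite", "pam_deny.so"), ("required", "pam_permit.so")]
UBUNTU_MODIFIED = [                       # Steve's change: pam_localuser gate, sufficient pam_sss
    ("[default=1 success=ok]", "pam_localuser.so"),
    ("[success=2 default=ignore]", "pam_unix.so"),
    ("sufficient", "pam_sss.so"),
    ("requisite", "pam_deny.so"), ("required", "pam_permit.so")]

def credential_module(stack, user):
    """The first password-handling module the stack calls for this user: the one that prompts."""
    return next(m for m in dispatch(stack, results_for(user))[1] if m in ("pam_unix.so", "pam_sss.so"))
```

For the AD user the original stack hands the prompt to pam_unix, which then forwards a password to pam_sss; with the pam_localuser gate pam_sss is reached directly and can offer the smartcard path.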
No. The user is just in a group that is mapped between AD and IPA. Pretty vanilla, just like the examples.
Steve
On Thu, Oct 5, 2017 at 2:47 PM, Sumit Bose sbose@redhat.com wrote:
On Thu, Oct 05, 2017 at 02:14:57PM -0400, Steve Weeks wrote:
The problem is definitely in sss_pam. From the logs, it sounds like it can't get the certificate from the server.
p11_child works the same on both Fedora 25 and Ubuntu 16.04 in both pre-auth and auth mode. To run in auth mode, change the command line to:
echo PIN | /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --auth --pin
Running from the command line, both Fedora and Ubuntu return the same results in either mode.
On Ubuntu running a real login, auth mode is never called. The sssd_pam.log files are different. I've attached the full logs, but this is what seems to be the problem.
Fedora, which works fine:
[sss_dp_issue_request] (0x0400): Issuing request for [0x55e4aeaaa710:8:MIIHdjCCBV6gAwIBAgIT..
[sss_dp_get_account_msg] (0x0400): Creating request for [ipa.example.com][*0x14][BE_REQ_BY_CERT*][1][cert=MIIHdjCCBV...
[sss_dp_internal_get_send] (0x0400): Entering request [0x55e4aeaaa710:8:MIIHdjCCBV6gA.......
[cache_req_cache_search] (0x0040): Cache Request [User by certificate #0]: Cannot find info for [CERT:S/kgorJq32@ipa.example.com]
[child_sig_handler] (0x1000): Waiting for child [5701].
[child_sig_handler] (0x0100): child [5701] finished successfully.
[sbus_remove_timeout] (0x2000): 0x55e4afa97210
[sbus_dispatch] (0x4000): dbus conn: 0x55e4afa9e7d0
[sbus_dispatch] (0x4000): Dispatching.
[sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
The same sequence in Ubuntu has a different call parameter and seems to fail:
[sss_dp_issue_request] (0x0400): Issuing request for [0x410090:8:MIIHdjCCBV6...
[sss_dp_get_account_msg] (0x0400): Creating request for [ipa.example.com][*0x1014][FAST BE_REQ_BY_CERT*][1][cert=MIIHdjCCBV6gAw...
[sbus_add_timeout] (0x2000): 0xc46200
[sss_dp_internal_get_send] (0x0400): Entering request [0x410090:8:MIIHdjCCBV6g.....
[child_sig_handler] (0x1000): Waiting for child [9758].
[child_sig_handler] (0x0100): child [9758] finished successfully.
[sbus_remove_timeout] (0x2000): 0xc46200
[sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0xc1a220
[sbus_dispatch] (0x4000): Dispatching.
[sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 0 error message: Account info lookup failed
Fedora is running sssd 1.14.2 and Ubuntu is running 1.13.4. The user is from an AD trust. Both systems are attached to the same IPA server.
How did you map the certificate to the AD users? Did you create an idoverride for the AD user and add the certificate to the override? Unfortunately this is only supported since sssd-1.14.
bye, Sumit
Is there some configuration change that will make the Ubuntu system behave like the Fedora system? I'd really like to use the standard Ubuntu distribution.
Thanks, Steve
On Fri, Sep 29, 2017 at 11:17 AM, Steve Weeks nbxsteve@gmail.com wrote:
That works, but it is only pre-auth mode. In --auth mode it fails, but I don't think that's relevant since it fails the same way on Fedora too.
The problem seems to be that on Ubuntu, --auth mode is never called. On Fedora p11_child is called twice. Once with --pre and then a second time with --auth. In the log you see:
$ egrep 'main|verified' p11_child.log
(Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x0400): p11_child started.
(Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000): Running in [pre-auth] mode.
(Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000): Running with real IDs [0][0].
(Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x0400): p11_child started.
(Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000): Running in [auth] mode.
(Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000): Running with real IDs [0][0].
(Thu Sep 28 14:23:23 2017) [[sssd[p11_child[15378]]]] [do_work] (0x4000): Certificate verified and validated.
I've trimmed the log to what (I think) was interesting. I can send everything if you need it.
For Ubuntu, the log stops after the first invocation of p11_child and you never see the [auth] mode call. Otherwise the logs are the same.
Steve
On Thu, Oct 05, 2017 at 02:55:19PM -0400, Steve Weeks wrote:
No. The user is just in a group that is mapped between AD and IPA. Pretty vanilla, just like the examples.
But this is not related to Smartcard authentication. Can you send me the full sssd_your.domain.log files from Fedora and Ubuntu with debug_level=10 in the [domain/...] section of sssd.conf? Feel free to send them to me directly if you do not want to share them on the list.
bye, Sumit
Steve