On Thu, Apr 27, 2017 at 03:27:47PM -0000, tallinn1960@yahoo.de wrote:
Thank you, EKU clientAuth was missing, including it got p11_child working.
However, still no luck with using the key with sssd and pkinit. kinit works fine with the key, but login (tty and lightdm) never asks for the PIN. Instead it asks for a password two times and accepts the second as a local user-no-kerberos-login when the key is plugged in, and only one time when the key is not plugged in, giving me a Kerberos login with ticket.
You most probably have to tweak your PAM configuration. In Fedora something like

    auth required pam_env.so
    auth [default=1 success=ok] pam_localuser.so
    auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 1000 quiet_success
    auth sufficient pam_sss.so forward_pass
    auth required pam_deny.so

is used. The pam_localuser line makes sure pam_unix (which can only ask for a password) is only used for local users and pam_sss can prompt for SSSD users.
Additionally you might need to call
touch /var/lib/sss/pubconf/pam_preauth_available
to enable an additional round-trip between pam_sss and SSSD to check which authentication methods are available for the user so that pam_sss can prompt accordingly. Since this round-trip adds some time to the login process it is not activated by default.
HTH
bye, Sumit
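As an added illustration (not code from this thread, from SSSD or from Linux-PAM), a small Python model of how the control fields in that stack route a local user to pam_unix and an SSSD user past it to pam_sss; the simulated module results, the second comparison stack and the `preauth_available` key (standing in for the touched file) are constructed assumptions:

```python
# Toy walker for a Linux-PAM "auth" stack, modelling the Fedora stack quoted in the reply.
# Added illustration (not SSSD/Linux-PAM code): module results are simulated, and the user
# key "preauth_available" stands in for the touched pam_preauth_available file.
# Legacy control keywords expanded into explicit [result=action] tables (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}
FEDORA_AUTH = [
    ("pam_env.so", "required"),
    ("pam_localuser.so", {"success": "ok", "default": 1}),  # non-local user: jump over pam_unix
    ("pam_unix.so", {"success": "done", "ignore": "ignore", "default": "die"}),
    ("pam_succeed_if.so", "requisite"),                      # uid >= 1000 quiet_success
    ("pam_sss.so", "sufficient"),                            # forward_pass
    ("pam_deny.so", "required"),
]
# Constructed comparison stack: no pam_localuser jump, pam_unix merely "sufficient".
NO_LOCALUSER_AUTH = [("pam_env.so", "required"), ("pam_unix.so", "sufficient")] + FEDORA_AUTH[3:]

def run_module(name, user, prompts):
    """Simulated module result for the login attempt described by the dict user."""
    if name in ("pam_unix.so", "pam_sss.so"):  # the two modules that talk to the user
        # pam_unix can only ask for a password; pam_sss asks for a PIN only once the
        # pre-auth round-trip has told it that a usable smart card is present.
        pin = name == "pam_sss.so" and user.get("smartcard") and user.get("preauth_available")
        prompts.append(name + (": PIN" if pin else ": Password"))
    return {"pam_env.so": "success",
            "pam_localuser.so": "success" if user["local"] else "user_unknown",
            "pam_unix.so": "success" if user["local"] else "user_unknown",
            "pam_succeed_if.so": "success" if user["uid"] >= 1000 else "auth_err",
            "pam_sss.so": "success" if user["sssd"] else "user_unknown",
            "pam_deny.so": "auth_err"}[name]

def walk_stack(stack, user):
    """Return (final status, prompts shown) following pam.conf(5) action semantics."""
    prompts, status, skip = [], None, 0
    for name, control in stack:
        if skip:                              # inside a jump: the module is not called at all
            skip -= 1
            continue
        table = KEYWORDS[control] if isinstance(control, str) else control
        action = table.get(run_module(name, user, prompts), table["default"])
        if isinstance(action, int):           # N: behaves like "ok", then skips the next N modules
            skip, action = action, "ok"
        if action in ("ok", "done") and status is None:
            status = "success"
        elif action in ("bad", "die"):        # a failed required/requisite module sticks
            status = "failure"
        if action in ("done", "die"):
            break
    return status or "failure", prompts
```

Running the two stacks for a local user, an SSSD smart-card user with and without the pre-auth file, and an unknown user shows who gets prompted by which module and why the comparison stack asks twice.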
I looked into the code and did some debugging and found that krb5_child signals SSS_CERT_AUTH_PROMPTING (code 12) to pam_sss, which it does not know how to handle. But I may be totally mistaken here. And anyway I am without a clue.