I am struggling to get smartcard authentication working on RHEL7, using sssd-1.16.4-21.el7 and krb5 PKINIT against Microsoft Active Directory KDCs.
Has anyone actually gotten this working? If so, what behavior differences do you see from various login mechanisms (gdm, login, et al.)?
Because I see *no* visual differences in any login mechanism. gdm, login, et al. prompt for a username/password, exactly as before. Both after I enter the username, and after I enter the PIN (at the "password" prompt), there is a delay while sssd pokes at the card. I can also tell this from watching the light on the card reader blink. But then the login fails.
I mean, these documents:
https://docs.pagure.org/SSSD.sssd/design_pages/smartcard_authentication_pkin... https://docs.pagure.org/SSSD.sssd/design_pages/smartcard_multiple_certificat...
…make it sound like the gdm login screen should prompt me to insert a smartcard, or least differentiate *somehow* that smartcard authentication is in play. Both features claim to be implemented in sssd-1.16.4-21.el7. But I see nothing that indicates these features are working.
If it's really the case that we have to train our users to type their username into the "username" prompt and enter their smartcard PIN into the "password" prompt, we can do that, but that doesn't seem to be how it's supposed to work based on the above documents. And that's going to seem completely horrible to users in contrast to how Windows works, where you walk up, insert your smartcard, and the login screen identifies you and then prompts for your PIN.
I mean, I get it that /usr/bin/login running on a virtual console can't engage in a nifty interactive dialog like Windows does. But is it really the case that gdm is that dumb with smartcards as well?
Or am I misunderstanding how gdm+sssd+smartcard+PKINIT is supposed to work?
I can supply (somewhat redacted) configuration files if need be, but I have everything set correctly that I know to set:
* krb5.conf is configured correctly; I can kinit using the smartcard+PIN.
* We use pam_sss.so in all of (password-auth, system-auth, smartcard-auth), so no matter how a program enters the PAM stack, it should get pam_sss.so and PKINIT.
* I touched /var/lib/sss/pubconf/pam_preauth_available into existence and restarted sssd.
* I set enable-smartcard-authentication to true in dconf (for org.gnome.login-screen).
* I set "pam_cert_auth = true" in the [domain/example.org] section of /etc/sssd/sssd.conf.
* I extracted the correct certificate from my smartcard (the one that krb5.conf is configured to find) and added it to my userCertificate attribute in Active Directory.
* I even populated /etc/pki/nssdb with all of the same certificates that update-ca-trust maintains, even though I'm not sure that's necessary, as I think krb5 pkinit.so should handle that.
* I increased various sssd timeouts to work around this bug in sssd that was derailing the nss responder:
#4103 slow smartcard interactions break sssd when PKINIT is configured https://pagure.io/SSSD/sssd/issue/4103
I'm open to suggestions for anything that I missed.
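A check for the items in the list above, written here as an added example (it is not from the original post and not part of sssd): it parses sssd.conf text and a PAM stack and reports where pam_cert_auth is set and whether pam_sss.so is on the auth stack. sssd.conf(5) lists pam_cert_auth under the [pam] section, so the checker flags a copy that sits only in a [domain/...] section; the file paths are assumed to be the defaults named in the post.

```python
import configparser
import os
import re

# Assumed default paths, taken from the post.
SSSD_CONF = "/etc/sssd/sssd.conf"
PREAUTH_FLAG = "/var/lib/sss/pubconf/pam_preauth_available"
PAM_STACKS = ("/etc/pam.d/password-auth", "/etc/pam.d/system-auth",
              "/etc/pam.d/smartcard-auth")

# Matches "auth" or "-auth" lines whose module is pam_sss.so; the control
# field may be a single word or a bracketed list such as [success=done default=bad].
_PAM_SSS_AUTH = re.compile(r"^\s*-?auth\s+(\[[^\]]*\]|\S+)\s+pam_sss\.so\b")


def check_sssd_conf(text):
    """Return findings about pam_cert_auth in the given sssd.conf text.

    sssd.conf(5) documents pam_cert_auth as a [pam] option; a value placed
    only under [domain/...] is reported because sssd does not read it there.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for sec in cp.sections():
        if sec.startswith("domain/") and cp.has_option(sec, "pam_cert_auth"):
            findings.append("pam_cert_auth set in [%s]; sssd reads it from [pam]" % sec)
    if not cp.getboolean("pam", "pam_cert_auth", fallback=False):
        findings.append("pam_cert_auth is not enabled in [pam]")
    return findings


def pam_sss_auth_lines(text):
    """Return the auth-phase lines of a PAM stack that load pam_sss.so."""
    return [l.strip() for l in text.splitlines() if _PAM_SSS_AUTH.match(l)]


def run_checks(conf_path=SSSD_CONF, flag_path=PREAUTH_FLAG, stacks=PAM_STACKS):
    """Run all checks against the live system and return the findings."""
    findings = []
    try:
        with open(conf_path) as f:
            findings += check_sssd_conf(f.read())
    except OSError as e:
        findings.append("cannot read %s: %s" % (conf_path, e))
    if not os.path.exists(flag_path):
        findings.append("%s is missing" % flag_path)
    for path in stacks:
        try:
            with open(path) as f:
                if not pam_sss_auth_lines(f.read()):
                    findings.append("%s has no auth line for pam_sss.so" % path)
        except OSError as e:
            findings.append("cannot read %s: %s" % (path, e))
    return findings


if __name__ == "__main__":
    for line in run_checks() or ["no findings"]:
        print(line)
```

Run it as root so that sssd.conf (mode 0600) is readable; an empty result means every item in the checklist is in place.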