On Tue, Jun 06, 2017 at 03:22:28PM -0000, tallinn1960@yahoo.de wrote:
Eventually I've got a working setup with PKINIT, Smartcard and sssd 1.15.2 in a Ubuntu/Unity-Environment. However, login fails, if both krb5 kdc and ldap id provider are offline. Is offline mode for smartcard authentication vs kerberos supposed to work at all in sssd or are there more requirements to be met than those already mentioned here?
Especially, are there any requirements on the subject dn in the certificate? I am looking at an error message in the logs that is only there in offline mode:
sssd_pam.log:(Tue Jun 6 15:52:57 2017) [sssd[pam]] [pam_dom_forwarder] (0x0400): User and certificate user do not match, continue with other authentication methods.
As for Kerberos the subject of the certificate has no meaning, the kerberos principal name is encoded as an subject alternative name id-pki-san extension. So we did not choose anything special for the subject name of the certificates.
If offline SSSD would just check the certificate and the PIN on its own. To map the certificate to the user the full certificate is used because it should have been saved to the cache by a previous online authentication.
The log message indicates that the certificate is not properly stored in the cache, at least searching the cache for the user and the certificate return different objects.
Can you send the full sssd_pam.log file to see if there are more hints why one of the searches in the offline case does not find the right object?
bye, Sumit
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org