Eventually I've got a working setup with PKINIT, Smartcard and sssd 1.15.2 in a Ubuntu/Unity-Environment. However, login fails, if both krb5 kdc and ldap id provider are offline. Is offline mode for smartcard authentication vs kerberos supposed to work at all in sssd or are there more requirements to be met than those already mentioned here?
Especially, are there any requirements on the subject dn in the certificate? I am looking at an error message in the logs that is only there in offline mode:
sssd_pam.log:(Tue Jun 6 15:52:57 2017) [sssd[pam]] [pam_dom_forwarder] (0x0400): User and certificate user do not match, continue with other authentication methods.
As for Kerberos the subject of the certificate has no meaning, the kerberos principal name is encoded as an subject alternative name id-pki-san extension. So we did not choose anything special for the subject name of the certificates.