I hope somebody can answer this for me and clarify questions I have about this process. If this is not the right place to ask the question, please tell me where I might be able to get answers to my questions.

I want a Linux machine to become a user of the Active Directory. Does SSSD configure you to be part of the Windows domain, or is it only using a small part such as list, positions of things, resource sharing, etc.? Or is it a full-fledged Windows user? I want to know about the process of enrolling the CAC with the PKI/Windows domain/Active Directory. When you log in with the smartcard/CAC, when and how does enrollment occur? I think enrollment could be one of two things: you could use the certificates/identifier number from the CAC to enroll and be in Active Directory/PKI. What is the enrollment PKI?

I want to understand the associations between the CAC, Windows, and what information is stored. I don't think it's the certificate but just the number. Once you've logged into the machine, does it use certificates from the CAC, and how does the information get there? How do you associate the CAC with the Windows user from Active Directory? How do you connect using your key?

Once you're on a machine and you need to log in to a Linux machine that's a member, and you want to prove who you are from a machine that has become part of Active Directory, how do you know? Does Linux associate the CAC the same way that Windows does? For SSH? kinit involvement? Does the SSS module or PAM module handle session tickets, or does it only give you your only initial ticket granting ticket?
On Sat, Mar 05, 2016 at 10:25:47AM -0600, Kenneth Schwartz wrote:
> I hope somebody can answer this for me and clarify questions I have about this process. If this is not the right place to ask the question, please tell me where I might be able to get answers to my questions.
>
> I want a Linux machine to become a user of the Active Directory. Does SSSD configure you to be part of the Windows domain, or is it only using a small part such as list, positions of things, resource sharing, etc.? Or is it a full-fledged Windows user? I want to know about the process of enrolling the CAC with the PKI/Windows domain/Active Directory. When you log in with the smartcard/CAC, when and how does enrollment occur? I think enrollment could be one of two things: you could use the certificates/identifier number from the CAC to enroll and be in Active Directory/PKI. What is the enrollment PKI? I want to understand the associations between the CAC, Windows, and what information is stored. I don't think it's the certificate but just the number. Once you've logged into the machine, does it use certificates from the CAC, and how does the information get there? How do you associate the CAC with the Windows user from Active Directory? How do you connect using your key? Once you're on a machine and you need to log in to a Linux machine that's a member, and you want to prove who you are from a machine that has become part of Active Directory, how do you know? Does Linux associate the CAC the same way that Windows does? For SSH? kinit involvement?
Depending on the configuration, the machine might be a member of the domain with the corresponding computer account object (this is normally the case with id_provider=ad) or just use the LDAP and Kerberos services from AD (this is typically with id_provider=ldap).
Maybe https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server would help?
> Does the SSS module or PAM module handle session tickets, or does it only give you your only initial ticket granting ticket?

Only the TGT, the rest is handled by libkrb5.
On Sat, Mar 05, 2016 at 10:25:47AM -0600, Kenneth Schwartz wrote:
> I hope somebody can answer this for me and clarify questions I have about this process. If this is not the right place to ask the question, please tell me where I might be able to get answers to my questions.
>
> I want a Linux machine to become a user of the Active Directory. Does SSSD configure you to be part of the Windows domain, or is it only using a small part such as list, positions of things, resource sharing, etc.? Or is it a full-fledged Windows user? I want to know about the process of enrolling the CAC with the PKI/Windows domain/Active Directory. When you log in with the smartcard/CAC, when and how does enrollment occur? I think enrollment could be one of two things: you could use the certificates/identifier number from the CAC to enroll and be in Active Directory/PKI. What is the enrollment PKI? I want to understand the associations between the CAC, Windows, and what information is stored. I don't think it's the certificate but just the number. Once you've logged into the machine, does it use certificates from the CAC, and how does the information get there? How do you associate the CAC with the Windows user from Active Directory? How do you connect using your key? Once you're on a machine and you need to log in to a Linux machine that's a member, and you want to prove who you are from a machine that has become part of Active Directory, how do you know? Does Linux associate the CAC the same way that Windows does? For SSH? kinit involvement? Does the SSS module or PAM module handle session tickets, or does it only give you your only initial ticket granting ticket?
Please have a look at https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationTesting... Here I showed what is needed to use SSSD based Smartcard authentication with Active Directory. Since you are interested in CAC card, i.e. you already have the certificates signed by an external CA, the https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationTesting... section might be most interesting for you.

As you can see from the page, the current version of SSSD tries to find the whole certificate in the AD user entry. To associate a certificate with an AD user you have to add the certificate to the user entry, e.g. with ldapmodify as shown on the page.

In future versions of SSSD we plan to add mapping rules which will make it possible to connect the AD user and the certificate in different ways. Nevertheless, for the CAC case it might always be needed to add some data to the AD user entry, because afaik the CAC certificates are generated externally and by default have no data which might help to identify the user, hence the needed data has to be added to AD.
HTH
bye, Sumit
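As an added illustration of the ldapmodify step Sumit describes (this is example code written for this page, not code from the SSSD project or from the thread), the script below turns a PEM-encoded CAC certificate into the LDIF record that attaches the whole certificate to an AD user entry. It assumes the attribute name `userCertificate;binary` (the certificate attribute SSSD's AD provider looks up by default), a caller-supplied user DN, and placeholder host and DN values; the certificate body used for the demo is a constructed dummy string, not a real certificate.

```shell
#!/bin/sh
# Added example, not SSSD project code. Builds the LDIF that ldapmodify needs
# to store a CAC certificate in an AD user entry so SSSD can match the
# card's certificate against the entry. Assumptions: the AD attribute is
# userCertificate;binary, and the caller supplies the user's DN.

# pem_to_base64_der FILE: the body of a PEM certificate is already the
# base64 encoding of the DER certificate, so dropping the BEGIN/END lines
# and joining the rest gives exactly what a base64 LDIF value needs.
pem_to_base64_der() {
    sed -e '/^-----BEGIN CERTIFICATE-----$/d' \
        -e '/^-----END CERTIFICATE-----$/d' "$1" | tr -d '\r\n'
}

# cert_ldif USER_DN PEM_FILE: print a "changetype: modify" record that adds
# the certificate. The double colon ("::") marks a base64-encoded value,
# which is how LDIF carries binary attributes.
cert_ldif() {
    dn="$1"
    b64="$(pem_to_base64_der "$2")"
    if [ -z "$b64" ]; then
        echo "cert_ldif: no certificate body found in $2" >&2
        return 1
    fi
    printf 'dn: %s\n' "$dn"
    printf 'changetype: modify\n'
    printf 'add: userCertificate;binary\n'
    printf 'userCertificate;binary:: %s\n' "$b64"
    printf -- '-\n'
}

# write_demo_pem FILE: write a constructed dummy PEM file (the body "QUJD"
# and "REVG" is just base64 of "ABCDEF", not a real certificate) so the
# example runs offline.
write_demo_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJD' 'REVG' \
        '-----END CERTIFICATE-----' > "$1"
}

# Demo run with placeholder DN (not a real directory):
#   write_demo_pem /tmp/demo.pem
#   cert_ldif 'CN=jdoe,CN=Users,DC=example,DC=com' /tmp/demo.pem
#
# Against a real domain controller you would export the card's certificate
# to PEM first, obtain a Kerberos ticket with kinit for an account allowed
# to write the attribute, and pipe the record into ldapmodify
# (placeholder host, not run here):
#   cert_ldif 'CN=jdoe,CN=Users,DC=example,DC=com' jdoe.pem \
#       | ldapmodify -Y GSSAPI -H ldap://dc.example.com
```

Because SSSD at the time of this thread matched on the whole certificate, the value written must be byte-for-byte the DER certificate on the card; re-issued cards get a new certificate and need the entry updated, and the old value should be removed so it no longer maps to the user.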
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org