I am setting up Fedora (24), using the wiki: https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationTesting... Everything is going OK, and I can log in with login and password. But if I try to use a smart card, nothing happens on the gdm logon screen.
pkcs11-tool --module my_pkcs11_module.so --slot 0 --list-objects -l asks for my PIN, and then shows my certs and keys.
/usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --nssdb=/etc/pki/nssdb returns the public key of my cert.
/etc/pam.d/smartcard-auth-ac: auth sufficient pam_sss allow_missing_name
In the log, I can't see anything interesting about inserting my token.
On Tue, Sep 20, 2016 at 03:37:27PM -0000, niger niger wrote:
> I am setting up Fedora (24), using the wiki: https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationTesting... Everything is going OK, and I can log in with login and password. But if I try to use a smart card, nothing happens on the gdm logon screen.
So far I have basically tested gdm on CentOS/RHEL, which iirc have some different defaults than Fedora with respect to gdm and Smartcards.
To make sure Smartcard authentication works in general I would like to ask you to check if the login on the text console will ask you for the Smartcard PIN or if 'su - aduser@ad.domain' will ask for the PIN (please do not run the su command as root because this will skip all authentication).
If there is no PIN prompt please add debug_level=10 to the [pam] section in sssd.conf, restart SSSD, re-run the su or text console test and send me the sssd_pam.log and p11_child.log files. Please see https://fedorahosted.org/sssd/wiki/Troubleshooting for details.
HTH
bye, Sumit
> pkcs11-tool --module my_pkcs11_module.so --slot 0 --list-objects -l asks for my PIN, and then shows my certs and keys.
> /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --nssdb=/etc/pki/nssdb returns the public key of my cert.
> /etc/pam.d/smartcard-auth-ac: auth sufficient pam_sss allow_missing_name
> In the log, I can't see anything interesting about inserting my token.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Thanks for your reply. If it could help, I can set up CentOS in the same configuration.
It turns out that authentication already worked. I just didn't expect that pam_sss doesn't enter the user name as pam_pkcs11 does. It works like this:
1. insert the USB token
2. select the user name on the gdm screen (how do I disable the user list in gdm on Fedora 24? The method using dconf doesn't work)
3. see a PIN request instead of the password
4. enter the PIN
5. log in.
But the user doesn't receive a Kerberos ticket, although the id command works correctly.
$ klist
klist: Credentials cache keyring 'persistent:1529438613:1529438613' not found
If the same user logs in using a password, they receive a Kerberos ticket. For me it is a big problem.
On Wed, Sep 21, 2016 at 12:58:52PM -0000, niger niger wrote:
> Thanks for your reply. If it could help, I can set up CentOS in the same configuration.
> It turns out that authentication already worked. I just didn't expect that pam_sss doesn't enter the user name as pam_pkcs11 does. It works like this:
> - insert the USB token
> - select the user name on the gdm screen (how do I disable the user list in gdm on Fedora 24? The method using dconf doesn't work)
Please note that gdm uses the dconf profile 'gdm' which is configured as:
# cat /usr/share/dconf/profile/gdm
user-db:user
file-db:/usr/share/gdm/greeter-dconf-defaults
If I understand it correctly you have to modify the dconf configuration as user gdm with DCONF_PROFILE=gdm set.
> - see a PIN request instead of the password
> - enter the PIN
> - log in.
> But the user doesn't receive a Kerberos ticket, although the id command works correctly.
> $ klist
> klist: Credentials cache keyring 'persistent:1529438613:1529438613' not found
I'm sorry, but pkinit is currently work-in-progress. I might be able to prepare a test package for Fedora 24 at the end of next week. If you don't mind please ping me next week to get an update.
bye, Sumit
> If the same user logs in using a password, they receive a Kerberos ticket. For me it is a big problem.
On Wed, Sep 21, 2016 at 12:58:52PM -0000, niger niger wrote:
> Please note that gdm uses the dconf profile 'gdm' which is configured as:
> # cat /usr/share/dconf/profile/gdm
> user-db:user
> file-db:/usr/share/gdm/greeter-dconf-defaults
From my host:
# cat /usr/share/dconf/profile/gdm
user-db:user
file-db:/usr/share/gdm/greeter-dconf-defaults
> If I understand it correctly you have to modify the dconf configuration as user gdm with DCONF_PROFILE=gdm set.
$ sudo -u gdm DCONF_PROFILE=gdm dconf read /org/gnome/login-screen/disable-user-list
true
Maybe a wrong command, or a problem with using ibus?
> I'm sorry, but pkinit is currently work-in-progress. I might be able to prepare a test package for Fedora 24 at the end of next week. If you don't mind please ping me next week to get an update.
It will be great and I am ready to participate in testing. I will remind you on 9/27/2016.
> bye, Sumit
> If the same user logs in using a password, they receive a Kerberos ticket. For me it is a big problem.
After installing the last update (through gnome-app-install, 22-23/09/2016) disable-user-list started to work. I changed nothing in the system configuration.
$ sudo -u gdm DCONF_PROFILE=gdm dconf read /org/gnome/login-screen/disable-user-list
true
Hello Sumit.
I'm just pinging you about the pkinit test package for Fedora 24.
On Tue, Sep 27, 2016 at 10:43:26AM -0000, niger niger wrote:
> Hello Sumit.
> I'm just pinging you about the pkinit test package for Fedora 24.
Thank you for the reminder, please find a test build at http://koji.fedoraproject.org/koji/taskinfo?taskID=15847512 .
If you already have a working pkinit configuration, no additional configuration is needed. Otherwise you have to add at least pkinit_anchors to your /etc/krb5.conf pointing to the CA certificates. Depending on the certificate of the KDC you might need to add pkinit_kdc_hostname and pkinit_eku_checking as well. Please see man krb5.conf for details.
bye, Sumit
I have started testing; however, I am loaded with other tasks at work now. Testing will be slowed down. Many thanks to you for the help.
Hello Sumit. Now I'm back to the task! I see sssd already has a new release. To continue testing, do I need to install the version that you sent me before, or does the new release already have the functionality to reproduce my tests?
On Fri, Oct 21, 2016 at 12:04:15PM -0000, niger niger wrote:
> Hello Sumit. Now I'm back to the task! I see sssd already has a new release. To continue testing, do I need to install the version that you sent me before, or does the new release already have the functionality to reproduce my tests?
Please try the packages I sent you. The patches are not available in the new release.
bye, Sumit
OK, but I can't find how to download any files from the link you sent me. http://koji.fedoraproject.org/koji/taskinfo?taskID=15847512 .
On Fri, Oct 21, 2016 at 02:25:05PM -0000, niger niger wrote:
> OK, but I can't find how to download any files from the link you sent me. http://koji.fedoraproject.org/koji/taskinfo?taskID=15847512 .
Scratch builds are removed after some time, please try http://koji.fedoraproject.org/koji/taskinfo?taskID=16152068
bye, Sumit
Now the files are downloadable, thanks. One more question. What did you mean by "If you already have a working pkinit configuration, no additional configuration is needed"? I can run kinit, enter the password and receive a Kerberos ticket, but I can't get a ticket using the token. Is that enough, or do I need to set up receiving a Kerberos ticket using the token first?
PS. Maybe an interesting link to add to this wiki (about cert mapping in AD): https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationTesting... https://blogs.technet.microsoft.com/askds/2009/08/10/mapping-one-smartcard-c...
On Fri, Oct 21, 2016 at 03:34:04PM -0000, niger niger wrote:
> Now the files are downloadable, thanks. One more question. What did you mean by "If you already have a working pkinit configuration, no additional configuration is needed"? I can run kinit, enter the password and receive a Kerberos ticket, but I can't get a ticket using the token. Is that enough, or do I need to set up receiving a Kerberos ticket using the token first?
In this case you have to add some options to /etc/krb5.conf. As I wrote earlier:
... you have to add at least pkinit_anchors to your /etc/krb5.conf pointing to the CA certificates. Depending on the certificate of the KDC you might need to add pkinit_kdc_hostname and pkinit_eku_checking as well. Please see man krb5.conf for details.
> PS. Maybe an interesting link to add to this wiki (about cert mapping in AD): https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationTesting... https://blogs.technet.microsoft.com/askds/2009/08/10/mapping-one-smartcard-c...
Using one certificate for multiple accounts/identities will be another feature for the next major release. I think I will create a new page for this and will add the link to the MSFT blog there.
Thanks
bye, Sumit
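The three krb5.conf options Sumit names above, written out as an illustrative fragment; this is an added example, not configuration from the thread or from SSSD. The realm AD.EXAMPLE.COM, the KDC name dc1.ad.example.com and the CA bundle path are placeholders, and pkinit_eku_checking = kpServerAuth assumes an AD KDC whose certificate carries only the TLS server-authentication EKU.

```ini
# Illustrative /etc/krb5.conf fragment for PKINIT with a smart card.
# Added example: realm, KDC hostname and CA path are placeholders, not
# values taken from the thread. The pkinit_* options may live in
# [libdefaults] (all realms) or per realm in [realms], as shown here.
[libdefaults]
    default_realm = AD.EXAMPLE.COM

[realms]
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
        # CA certificate(s) used to verify the KDC's PKINIT certificate.
        # Without a trusted anchor the client cannot validate the KDC reply.
        pkinit_anchors = FILE:/etc/pki/ca-trust/source/anchors/ad-ca.pem
        # Needed when the KDC certificate has no id-pkinit-san SAN and must
        # instead be matched against its dNSName entries.
        pkinit_kdc_hostname = dc1.ad.example.com
        # Default is kpKDC (id-pkinit-KPKdc EKU required). kpServerAuth
        # accepts a KDC certificate that only has the TLS server-auth EKU,
        # as AD domain controller certificates commonly do. Do not use
        # "none": it disables the EKU check entirely.
        pkinit_eku_checking = kpServerAuth
    }
```

After adding the options, a PIN prompt from kinit (rather than a password prompt) followed by a ticket in klist confirms that PKINIT, as opposed to password authentication, was used.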