I'm having a hard time understanding how cert mapping is supposed to work offline. Currently I have the following certmap config (this is on RHEL8-beta):
[certmap/ad.example.com/smartcard]
maprule = (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
to map the CN on the card to 'samAccountName' in AD. This works as long as I'm online (access to AD), but when I go offline (disconnect network) the maprule is not working. I thought that the mapping would then use the sssd cache but apparently not - so how is smartcard login supposed to work offline?
Regards Adam
On Wed, Feb 13, 2019 at 08:17:39AM +0100, Winberg, Adam wrote:
The cached data should be used in the offline case. Do your certificates contain the OCSP extension? If this is present SSSD will use it by default to validate the certificate which will fail if the system is offline. To disable OCSP you can set
certificate_verification = no_ocsp
in the [sssd] section of sssd.conf, see man sssd.conf for details.
If that's not the case feel free to send me the SSSD logs, ideally with debug_level=9. The most important ones for the offline case would be sssd_pam.log and p11_child.log.
bye, Sumit
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
You are correct, the OCSP was an issue. Disabling that I get a step closer (where I actually get a pin prompt), but login does not work.
sssd_pam.log shows:
(Wed Feb 13 09:35:24 2019) [sssd[pam]] [pam_reply] (0x0040): Backend cannot handle Smartcard authentication, trying local Smartcard authentication.
Which looks good, but p11_child.log shows:
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs] (0x4000): found cert[a001329][/DC=com/DC=example/DC=ad/OU=People/CN=a001329]
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs] (0x4000): found cert[adwi.adm][/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm]
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): /usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so identification (Instant EID IP9) identification (Instant EID IP9) 709C1B7B80A241AE 709C1B7B80A241AE.
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): /usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so identification (Instant EID IP9) identification (Instant EID IP9) 709C1B7B80A241AE 709C1B7B80A241AE.
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=a001329;type=cert.
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=adwi.adm;type=cert.
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x0010): More than one certificate found for authentication, aborting!
And then sssd_pam.log shows:
(Wed Feb 13 09:35:25 2019) [sssd[pam]] [parse_p11_child_response] (0x1000): No certificate found.
(Wed Feb 13 09:35:25 2019) [sssd[pam]] [pam_forwarder_cert_cb] (0x0020): No certificate returned, authentication failed.
I have two certs on my card, but I have a 'matchrule' in sssd.conf so SSSD only picks the correct one:
matchrule = <SUBJECT>^CN=[ak].{6},OU=People,DC=ad,DC=example,DC=com$
This does not seem to work offline? Even so, should I not then get to choose which certificate to use in GDM?
This bugzilla (created by me for RHEL7.6) might be relevant, since both my certs have the same ID. https://bugzilla.redhat.com/show_bug.cgi?id=1631410
Thank you!
//Adam
On Wed, 13 Feb 2019 at 09:05, Sumit Bose sbose@redhat.com wrote:
On Wed, Feb 13, 2019 at 09:54:45AM +0100, Winberg, Adam wrote:
Yes, you are right, this is related. The certificate objects on the Smartcard only differ in the label ('a001329', 'adwi.adm') but currently SSSD only uses the ID for the selection. So I have to add the label for the selection as well.
But this would be the same for online authentication. So I wonder if one of the certificates is invalid according to OCSP or if you disabled verification completely for the test?
bye, Sumit
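The selection problem Sumit describes, modelled in Python over the two certificate objects from the p11_child.log posted earlier in this thread. This is an added example, not SSSD's code: the log lines are copied from the thread as constructed sample input, the pkcs11 URI is parsed per RFC 7512, and the id-only versus id-plus-label selection functions are a simplified model of the behaviour he describes, not p11_child's implementation. It also applies Adam's matchrule to the two subject DNs to show that the rule itself is unambiguous.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote, unquote_to_bytes

# Constructed sample input: the four p11_child.log lines from the thread that
# matter for selection (two read_certs lines and the two pkcs11 URIs).
P11_CHILD_LOG = """\
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs] (0x4000): found cert[a001329][/DC=com/DC=example/DC=ad/OU=People/CN=a001329]
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs] (0x4000): found cert[adwi.adm][/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm]
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=a001329;type=cert.
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=adwi.adm;type=cert.
"""

# The matchrule from Adam's sssd.conf, exactly as posted in the thread.
MATCHRULE = "<SUBJECT>^CN=[ak].{6},OU=People,DC=ad,DC=example,DC=com$"

READ_CERTS_RE = re.compile(r"\[read_certs\] \(0x4000\): found cert\[([^\]]+)\]\[([^\]]+)\]")
# The log line ends with a full stop that is not part of the URI; strip it.
URI_RE = re.compile(r"\[do_card\] \(0x4000\): uri: (pkcs11:\S+?)\.?$")


@dataclass
class CardCert:
    label: str     # CKA_LABEL, the 'object=' attribute of the pkcs11 URI
    subject: str   # subject DN in RFC 4514 order (CN first), as matchrule expects
    cka_id: bytes  # CKA_ID, the 'id=' attribute of the pkcs11 URI


def parse_pkcs11_uri(uri: str) -> dict:
    """Split a pkcs11: URI (RFC 7512) into its path attributes; 'id' stays as raw bytes."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI")
    attrs = {}
    for part in uri[len("pkcs11:"):].split(";"):
        key, _, value = part.partition("=")
        attrs[key] = unquote_to_bytes(value) if key == "id" else unquote(value)
    return attrs


def slash_dn_to_rfc4514(dn: str) -> str:
    """Turn the log's '/DC=com/.../CN=x' form into 'CN=x,...,DC=com' (RDN order reversed)."""
    rdns = [r for r in dn.split("/") if r]
    return ",".join(reversed(rdns))


def parse_p11_child_log(text: str) -> list:
    """Join the read_certs subjects with the pkcs11 URIs by label into CardCert records."""
    subjects, certs = {}, []
    for line in text.splitlines():
        m = READ_CERTS_RE.search(line)
        if m:
            subjects[m.group(1)] = slash_dn_to_rfc4514(m.group(2))
            continue
        m = URI_RE.search(line)
        if m:
            attrs = parse_pkcs11_uri(m.group(1))
            if attrs.get("type") == "cert":
                label = attrs["object"]
                certs.append(CardCert(label, subjects.get(label, ""), attrs["id"]))
    return certs


def select_by_id(certs, cka_id: bytes):
    """Model of the selection the thread describes: match on CKA_ID only."""
    return [c for c in certs if c.cka_id == cka_id]


def select_by_id_and_label(certs, cka_id: bytes, label: str):
    """Model of the fix Sumit describes: require the label (object) to match as well."""
    return [c for c in certs if c.cka_id == cka_id and c.label == label]


def apply_matchrule(certs, rule: str):
    """Apply an sssd.conf '<SUBJECT>regex' matchrule to the subject DNs (model only)."""
    m = re.fullmatch(r"<SUBJECT>(.*)", rule)
    if not m:
        raise ValueError("only <SUBJECT> rules are modelled here")
    return [c for c in certs if re.search(m.group(1), c.subject)]


def pick_for_authentication(candidates):
    """Authentication needs exactly one certificate; anything else is a failure."""
    if len(candidates) != 1:
        # corresponds to "More than one certificate found for authentication, aborting!"
        return None
    return candidates[0]


def main():
    certs = parse_p11_child_log(P11_CHILD_LOG)
    shared = certs[0].cka_id
    print("CKA_ID", shared.hex(), "shared by all objects:", all(c.cka_id == shared for c in certs))
    print("by id only      ->", [c.label for c in select_by_id(certs, shared)])
    print("by id and label ->", [c.label for c in select_by_id_and_label(certs, shared, "a001329")])
    print("matchrule       ->", [c.label for c in apply_matchrule(certs, MATCHRULE)])


if __name__ == "__main__":
    main()
```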
I did not have the 'certificate_verification' parameter set at all before, and then online authentication works for me.
These are debug logs from p11_child, online auth with OCSP:
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [read_certs] (0x4000): found cert[a001329][/DC=com/DC=example/DC=ad/OU=People/CN=a001329]
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): Using OCSP URL [http://ocsp1.example.com/ocsp].
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): Nonce in OCSP response is the same as the one used in the request.
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): OCSP check was successful.
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [read_certs] (0x4000): found cert[adwi.adm][/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm]
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): Using OCSP URL [http://ocsp1.example.com/ocsp].
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): Nonce in OCSP response is the same as the one used in the request.
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): OCSP check was successful.
So it seems both certs validate, but login still works and the correct certificate is chosen.
//Adam
On Wed, 13 Feb 2019 at 12:19, Sumit Bose sbose@redhat.com wrote:
On Wed, Feb 13, 2019 at 12:51:14PM +0100, Winberg, Adam wrote:
Ah, sorry, I guess when online you are doing Kerberos PKINIT, so p11_child is never run in authentication mode, where the 'More than one certificate found for authentication, aborting!' error came from. In this case I assume you have a 'pkinit_cert_match' rule in krb5.conf to help libkrb5 pick the right certificate, since SSSD would only add the ID to X509_user_identity, which is not sufficient to select a specific certificate.
bye, Sumit
OK, that makes sense - I do indeed have a pkinit_cert_match in krb5.conf.
Any chance for a fix for this for RHEL8 GA? I will try to investigate if we can write our smartcard certs differently, so they have different IDs, but I don't know what support there is for that in our card provisioning solution.
//Adam
On Wed, 13 Feb 2019 at 13:23, Sumit Bose sbose@redhat.com wrote:
On Wed, Feb 13, 2019 at 12:51:14PM +0100, Winberg, Adam wrote:
I did not have the 'certificate_verification' parameter set at all
before,
and then online authentication works for me.
This is debug logs from p11_child, online auth with ocsp:
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [read_certs] (0x4000): found
cert[a001329][/DC=com/DC=example/DC=ad/OU=People/CN=a001329]
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): Using OCSP URL [http://ocsp1.example.com/ocsp]. (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): Nonce in OCSP response is the same as the one used in the request. (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): OCSP check was successful. (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [read_certs] (0x4000): found cert[adwi.adm][/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm] (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): Using OCSP URL [http://ocsp1.example.com/ocsp]. (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): Nonce in OCSP response is the same as the one used in the request. (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): OCSP check was successful.
So it seems both certs validates, but login still works and the correct certificate is chosen.
ah, sorry, I guess when online you are doing Kerberos PKINIT so p11_child is never run in authentication mode were the 'More than one certificate found for authentication, aborting!' error came from. In this case I assume you have a 'pkinit_cert_match' rule in krb5.conf to help libkrb5 to pick the right certificate since SSSD would only add the ID to X509_user_identity which is not sufficient to select a specific certificate.
bye, Sumit
//Adam
Den ons 13 feb. 2019 kl 12:19 skrev Sumit Bose sbose@redhat.com:
On Wed, Feb 13, 2019 at 09:54:45AM +0100, Winberg, Adam wrote:
You are correct, the OCSP was an issue. Disabling that I get a step closer (where I actually get a PIN prompt), but login does not work.
sssd_pam.log shows:
(Wed Feb 13 09:35:24 2019) [sssd[pam]] [pam_reply] (0x0040): Backend cannot handle Smartcard authentication, trying local Smartcard authentication.
Which looks good, but p11_child.log shows:
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs] (0x4000): found cert[a001329][/DC=com/DC=example/DC=ad/OU=People/CN=a001329]
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs] (0x4000): found cert[adwi.adm][/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm]
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): /usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so identification (Instant EID IP9) identification (Instant EID IP9) 709C1B7B80A241AE 709C1B7B80A241AE.
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): /usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so identification (Instant EID IP9) identification (Instant EID IP9) 709C1B7B80A241AE 709C1B7B80A241AE.
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=a001329;type=cert.
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=adwi.adm;type=cert.
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x0010): More than one certificate found for authentication, aborting!
And then sssd_pam.log shows:
(Wed Feb 13 09:35:25 2019) [sssd[pam]] [parse_p11_child_response] (0x1000): No certificate found.
(Wed Feb 13 09:35:25 2019) [sssd[pam]] [pam_forwarder_cert_cb] (0x0020): No certificate returned, authentication failed.
I have two certs on my card, but I have a 'matchrule' in sssd.conf so SSSD only picks the correct one:
matchrule = <SUBJECT>^CN=[ak].{6},OU=People,DC=ad,DC=example,DC=com$
This does not seem to work offline? Even so, should I not then get to choose which certificate to use in GDM?
This bugzilla (created by me for RHEL7.6) might be relevant, since both my certs have the same ID. https://bugzilla.redhat.com/show_bug.cgi?id=1631410
Thank you!
//Adam
Yes, you are right, this is related. The certificate objects on the Smartcard only differ in the label ('a001329', 'adwi.adm'), but currently SSSD only uses the ID for the selection. So I have to add the label for the selection as well.
But this would be the same for online authentication. So I wonder if one of the certificates is invalid according to OCSP or if you disabled verification completely for the test?
bye, Sumit
On Wed, Feb 13, 2019 at 01:32:43PM +0100, Winberg, Adam wrote:
OK, that makes sense - I do indeed have a pkinit_cert_match in krb5.conf.
Any chance for a fix for this for RHEL8 GA? I will try to investigate if we can write our smartcard certs differently, so they have different IDs, but I don't know what support there is for that in our card provisioning solution.
//Adam
I cannot comment on this, but I can attach a test build based on the latest RHEL8 packages to the bugzilla ticket when a fix is available.
HTH
bye, Sumit
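The check Adam's last message calls for, as an added example that is not part of this thread and not SSSD code: given the p11_child.log entries from his offline run (the two 'found cert' lines and the two PKCS#11 URIs, copied here as constructed sample input), it decodes the URIs, reports any PKCS#11 id shared by more than one certificate object (the condition that makes selection by id alone ambiguous, as Sumit described), and evaluates the sssd.conf matchrule against each subject. Two assumptions are the example's own: the '/DC=com/.../CN=...' subject that p11_child logs is rewritten into the comma-separated, most-specific-first form that the <SUBJECT> rule in the thread is written against, and only <SUBJECT> rule components are handled.

```python
"""Added example (not SSSD code): detect certificate objects on a card that
share one PKCS#11 'id' and differ only in label, the situation that makes
p11_child abort with 'More than one certificate found for authentication',
and show which object an SSSD <SUBJECT> matchrule would select."""
import re
from collections import defaultdict
from urllib.parse import unquote, unquote_to_bytes

# Constructed sample: the 'found cert' and 'uri:' entries from the
# p11_child.log excerpt in the thread, re-joined onto one line each.
P11_CHILD_LOG = """\
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs] (0x4000): found cert[a001329][/DC=com/DC=example/DC=ad/OU=People/CN=a001329]
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs] (0x4000): found cert[adwi.adm][/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm]
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=a001329;type=cert.
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=adwi.adm;type=cert.
"""

# The matchrule from Adam's sssd.conf, as quoted in the thread.
MATCHRULE = "<SUBJECT>^CN=[ak].{6},OU=People,DC=ad,DC=example,DC=com$"

FOUND_RE = re.compile(r"\[read_certs\] \(0x4000\): found cert\[([^\]]+)\]\[([^\]]+)\]")
# The log line ends the URI with a sentence period, which is not part of it.
URI_RE = re.compile(r"\[do_card\] \(0x4000\): uri: (pkcs11:\S+?)\.?$")


def parse_pkcs11_uri(uri):
    """Split an RFC 7512 PKCS#11 URI into its path attributes (the query
    part after '?', e.g. pin-source, is ignored). 'id' is binary and is
    returned as lowercase hex, the same value p11_child prints in its
    do_card line (709C1B7B80A241AE); everything else is percent-decoded."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    for part in path.split(";"):
        key, _, value = part.partition("=")
        attrs[key] = unquote_to_bytes(value).hex() if key == "id" else unquote(value)
    return attrs


def subject_to_rfc4514(oneline):
    """Turn the OpenSSL one-line form '/DC=com/.../CN=x' logged by p11_child
    into 'CN=x,...,DC=com'. Assumption of this example: that is the string
    the <SUBJECT> rule is matched against. Values containing '/' are not
    handled by this simple split."""
    rdns = [r for r in oneline.split("/") if r]
    return ",".join(reversed(rdns))


def parse_p11_child_log(text):
    """Pair each 'found cert[label][subject]' entry with the 'uri:' entry
    carrying the same object label; returns one dict per certificate."""
    certs = {}
    for line in text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            label, subject = m.groups()
            certs[label] = {"label": label, "subject": subject_to_rfc4514(subject)}
            continue
        m = URI_RE.search(line)
        if m:
            attrs = parse_pkcs11_uri(m.group(1))
            certs.setdefault(attrs["object"], {"label": attrs["object"]})["id"] = attrs["id"]
    return list(certs.values())


def find_id_collisions(certs):
    """Return {id_hex: [labels]} for every PKCS#11 id shared by more than one
    certificate object. Any entry here means a selector that keys on the id
    alone cannot tell the objects apart."""
    by_id = defaultdict(list)
    for cert in certs:
        if cert.get("id") is not None:
            by_id[cert["id"]].append(cert["label"])
    return {cid: sorted(labels) for cid, labels in by_id.items() if len(labels) > 1}


def apply_subject_matchrule(rule, certs):
    """Evaluate a '<SUBJECT>regex' matchrule (the only component type this
    example implements) and return the labels of the matching certs."""
    if not rule.startswith("<SUBJECT>"):
        raise ValueError("only <SUBJECT> rules are supported in this example")
    pattern = re.compile(rule[len("<SUBJECT>"):])
    return [c["label"] for c in certs if pattern.search(c.get("subject", ""))]


if __name__ == "__main__":
    found = parse_p11_child_log(P11_CHILD_LOG)
    for cid, labels in find_id_collisions(found).items():
        print("id %s is shared by %s: selection by id alone is ambiguous" % (cid, labels))
    print("matchrule selects:", apply_subject_matchrule(MATCHRULE, found))
```

Run against the sample, the shared id 709c1b7b80a241ae is reported for both objects while the matchrule selects only a001329, which is the combination the thread describes: the rule can pick the certificate, but a selector that keys on the id cannot. Re-provisioned cards can be checked the same way by pasting a fresh p11_child.log excerpt into the sample string; an empty collision result is what Adam's plan of giving the certs different IDs should produce.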