Bug 1442703

Summary: Smart Cards: Certificate in the ID View
Product: Red Hat Enterprise Linux 6
Reporter: Jakub Hrozek <jhrozek>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: medium
Docs Contact: Filip Hanzelka <fhanzelk>
Priority: high
Version: 6.9
CC: atolani, cobrown, fhanzelk, fidencio, grajaiya, jhrozek, jkurik, ksiddiqu, lslebodn, mkosek, mzidek, nsoman, pbrezina, pvoborni, rpattath, sbose, sgoveas, spoore, sssd-maint, sssd-qe, tscherf
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.13.3-60.el6
Doc Type: Bug Fix
Doc Text:
AD users can now log into IdM using smart card authentication

Previously, it was not possible to add smart card certificates as one of the override attributes for an Active Directory (AD) user in a trust between Identity Management (IdM) and AD. Consequently, an AD user from a trusted domain was unable to log into a host in the IdM domain using a smart card. With this update, the *System Security Services Daemon* (SSSD) can look up certificates in override objects in ID views of AD users. As a result, AD users can now log into IdM-managed machines with a smart card, provided the smart card certificate is stored in ID overrides in the IdM domain.
Story Points: ---
Clone Of: 1290378
Environment:
Last Closed: 2018-06-19 05:13:47 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1290378
Bug Blocks: 1461138, 1504542

Comment 3 Jakub Hrozek 2017-04-19 19:31:39 UTC
master:

Comment 15 Lukas Slebodnik 2018-02-21 10:40:59 UTC
sssd-1-13:

+ there will be a patch from https://github.com/SSSD/sssd/pull/488

Comment 18 Lukas Slebodnik 2018-02-27 13:06:40 UTC
Additional patches have just landed upstream.

sssd-1-13:
* 5d2e7c3154ab4b7e2123b3418debf2e5359a0917
* a02baf4dac81278a597b0f5df66a3df3e3d5a2ca
* 448cbbfa0284ecd88a9a8f900aa406fcd9d6fb1d

Comment 19 Fabiano Fidêncio 2018-02-27 16:27:12 UTC
As new patches landed in the sssd-1-13 branch, I've done a new build including those, thus changing the "Fixed in version" field and moving it back to ON_QA.

Comment 21 Scott Poore 2018-03-14 00:13:06 UTC
Verified

Version ::

sssd-1.13.3-60.el6.x86_64


Results ::

IPA server with a trust set up with RHEL 7.5, with the ipa advise script run and certs installed in /etc/pki/nssdb and in the Kerberos PKINIT anchor pool file (via ipa-cacert-manage).

For the smart card testing I used a test CAC card.

No mapping/cert in AD:

# ldapsearch -o ldif-wrap=no -xLLL \
>     -D "$AD_ADMIN" -w Secret123 \
>     -h $AD_SERVER \
>     -b "cn=Users,$AD_BASEDN" \
>     "sAMAccountName=adcacuser1" \
>     altSecurityIdentities userCertificate
dn: CN=adcac user1,CN=Users,DC=ipaadcs12r2,DC=test

Add ID View User Override with certificate:

# ipa idoverrideuser-show 'Default Trust View' adcacuser1
  Anchor to override: adcacuser1
  Certificate: MIIFFT...

CAC Card cert is appropriately matched to the ID View User Override:

# ipa certmap-match cac_card_piv.crt
--------------
1 user matched
--------------
  Domain: ipaadcs12r2.test
  User logins: adcacuser1
----------------------------
Number of entries returned 1
----------------------------

########### Client is set up as an IPA client and has the smart card configuration set

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html-single/identity_management_guide/

Also did the same for /etc/pam.d/gdm.


##### sssd.conf:
# cat /etc/sssd/sssd.conf|grep -v debug_level
[domain/testrelm.test]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = seceng-idm-1.fqdn
chpass_provider = ipa
ipa_server = _srv_, qe-blade-04.fqdn
dns_discovery_domain = testrelm.test
krb5_auth_timeout = 60

[sssd]
services = nss, sudo, pam, ssh, ifp
certificate_verification = no_ocsp
domains = testrelm.test

[nss]
homedir_substring = /home

[pam]
pam_cert_auth = True
p11_child_timeout = 60


[sudo]

[autofs]

[ssh]

[pac]

[ifp]


##### krb5.conf:
# extra pkinit files in place for other potential testing.
# only needed the one for the cert in question really.
#
# cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = TESTRELM.TEST
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  pkinit_anchors = FILE:/etc/test_certs/ipaadcs12r2_ca.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-ca-31.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-ca-41.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-email-ca-31.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-email-ca-41.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-id-sw-ca-37.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-root-ca-2.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-root-ca-3.crt
  pkinit_anchors = FILE:/etc/test_certs/om-ca-32.crt
  pkinit_anchors = FILE:/etc/test_certs/om-email-ca-32.crt

[realms]
  TESTRELM.TEST = {
    kdc = qe-blade-04.fqdn:88
    master_kdc = qe-blade-04.fqdn:88
    admin_server = qe-blade-04.fqdn:749
    default_domain = testrelm.test
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

  IPAADCS12R2.TEST = {
    pkinit_kdc_hostname = idm-qe-ipa-win7.ipaadcs12r2.test
    pkinit_eku_checking = none
  }


[domain_realm]
  .testrelm.test = TESTRELM.TEST
  testrelm.test = TESTRELM.TEST
  .idm.lab.eng.rdu.redhat.com = TESTRELM.TEST
  idm.lab.eng.rdu.redhat.com = TESTRELM.TEST
  .ipaadcs12r2.test = IPAADCS12R2.TEST
  ipaadcs12r2.test = IPAADCS12R2.TEST

########### Testing

# su - adcacuser1 -c "su - adcacuser1 -c whoami"
PIN for <LABEL FROM CARD> for user adcacuser1
adcacuser1

# ssh -I /usr/lib64/pkcs11/libcoolkeypk11.so -l adcacuser1 $(hostname) "whoami"
Enter PIN for '<LABEL FROM CARD>': 
adcacuser1

# gdm was also partially tested, but not with a complete Desktop install, so some errors occurred after authenticating with the PIN.

Mar 13 18:13:12 seceng-idm-1 pam: gdm-password: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=127.0.0.1:51 ruser= rhost=127.0.0.1 user=adcacuser1
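
The `ipa certmap-match` step in the verification above confirms that the card certificate maps to the ID override. Below is an added example (not SSSD's or IPA's own code) of that default lookup, which, when no certmap rule applies, compares the full DER certificate read from the card with the one stored in the override. The override list and the certificate bytes are constructed stand-ins, and the (login, base64) attribute layout is an assumption.

```python
import base64
import re

# Constructed sample data, not the certificate from the bug (that value is
# truncated there as "MIIFFT..."). A minimal DER-looking byte string stands in
# for the card certificate; 0x30 is the ASN.1 SEQUENCE tag a DER cert starts with.
CARD_DER = b"\x30\x82\x01\x00" + b"constructed-card-certificate"
OTHER_DER = b"\x30\x82\x01\x00" + b"constructed-other-certificate"

# Hypothetical view of the ID overrides: (anchor login, base64 DER as stored).
OVERRIDES = [
    ("adcacuser1", base64.b64encode(CARD_DER).decode()),
    ("adcacuser2", base64.b64encode(OTHER_DER).decode()),
]

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Decode the first PEM certificate block (as in cac_card_piv.crt) into DER bytes."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if not der.startswith(b"\x30"):
        raise ValueError("decoded body is not a DER SEQUENCE")
    return der


def der_to_pem(der):
    """Wrap DER bytes in PEM armour (64-column base64), as a .crt file holds them."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def match_card_cert(pem_text, overrides):
    """Exact-match lookup: logins whose stored override cert is byte-identical to the card cert."""
    der = pem_to_der(pem_text)
    return sorted(login for login, stored in overrides
                  if base64.b64decode("".join(stored.split())) == der)


if __name__ == "__main__":
    # Mirrors "1 user matched ... User logins: adcacuser1" from the verification run.
    print(match_card_cert(der_to_pem(CARD_DER), OVERRIDES))
```

A certificate that decodes but matches no stored override yields an empty list, which is the case the ldapsearch against AD (no userCertificate or altSecurityIdentities) would otherwise have produced before this fix.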

Comment 26 errata-xmlrpc 2018-06-19 05:13:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1877