Bug 1442703
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Smart Cards: Certificate in the ID View | | |
| Product | Red Hat Enterprise Linux 6 | Reporter | Jakub Hrozek <jhrozek> |
| Component | sssd | Assignee | SSSD Maintainers <sssd-maint> |
| Status | CLOSED ERRATA | QA Contact | ipa-qe <ipa-qe> |
| Severity | medium | Docs Contact | Filip Hanzelka <fhanzelk> |
| Priority | high | | |
| Version | 6.9 | CC | atolani, cobrown, fhanzelk, fidencio, grajaiya, jhrozek, jkurik, ksiddiqu, lslebodn, mkosek, mzidek, nsoman, pbrezina, pvoborni, rpattath, sbose, sgoveas, spoore, sssd-maint, sssd-qe, tscherf |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | sssd-1.13.3-60.el6 | Doc Type | Bug Fix |

Doc Text:

AD users can now log into IdM using smart card authentication

Previously, it was not possible to add smart card certificates as one of the override attributes for an Active Directory (AD) user in a trust between Identity Management (IdM) and AD. Consequently, an AD user from a trusted domain was unable to log into a host in the IdM domain using a smart card. With this update, the *System Security Services Daemon* (SSSD) can look up certificates in override objects in ID views of AD users. As a result, AD users can now log into IdM-managed machines with a smart card provided the smart card certificate is stored in ID overrides in the IdM domain.

| Field | Value | Field | Value |
|---|---|---|---|
| Story Points | --- | | |
| Clone Of | 1290378 | Environment | |
| Last Closed | 2018-06-19 05:13:47 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1290378 | | |
| Bug Blocks | 1461138, 1504542 | | |
Comment 3
Jakub Hrozek
2017-04-19 19:31:39 UTC
sssd-1-13:
* 9d1397219374531e7f2a3188ea6aa9f86ca35f9e
* 81f9af96065eb94ed0a9e6ef2b759761406b4b81
* f13505ce5632822e093982ca3bbf94f327d59a34
* ae124b2a2f93942d87c615703cde10b2fa39c258
* 2b527257a6d80648671a309e003a88b1cf482eae
* 35f9936d892fe0bda51ebc1db3c1a47e7d1a495f
* 377786542b19ad4227f7447a0995ac5be8bf4a54
* b7f2686bde219ae2ddd9398901a4b3e9cdde2ab1
* 28fbcec499b12d3032590182adf8b09a60f518f1
* e2d9254cf24be128f8593b5629a6ed3ad95bc4e6
* 95b7cee1fb67b4f2da4c5a8345ccfbb0a2de8755
* aec447a206a34909a0becd6098d12b268270a4c3
+ there will be patch from https://github.com/SSSD/sssd/pull/488

Additional patches have just landed in upstream sssd-1-13:
* 5d2e7c3154ab4b7e2123b3418debf2e5359a0917
* a02baf4dac81278a597b0f5df66a3df3e3d5a2ca
* 448cbbfa0284ecd88a9a8f900aa406fcd9d6fb1d

As new patches landed to sssd-1-13 branch, I've done a new build including those, thus changing the "Fixed in version" field and moving it back to ON_QA.

Verified Version :: sssd-1.13.3-60.el6.x86_64

Results ::

IPA Server with trust setup with RHEL7.5 with ipa advise script run and certs installed in /etc/pki/nssdb and in the kerberos pkinit anchor pool file (via ipa-cacert-manage). For the smart card testing I used a test CAC card.

No mapping/cert in AD:

```
# ldapsearch -o ldif-wrap=no -xLLL \
> -D "$AD_ADMIN" -w Secret123 \
> -h $AD_SERVER \
> -b "cn=Users,$AD_BASEDN" \
> "sAMAccountName=adcacuser1" \
> altSecurityIdentities userCertificate
dn: CN=adcac user1,CN=Users,DC=ipaadcs12r2,DC=test
```

Add ID View User Override with certificate:

```
# ipa idoverrideuser-show 'Default Trust View' adcacuser1
  Anchor to override: adcacuser1
  Certificate: MIIFFT...
```

CAC Card cert is appropriately matched to the ID View User Override:

```
# ipa certmap-match cac_card_piv.crt
--------------
1 user matched
--------------
  Domain: ipaadcs12r2.test
  User logins: adcacuser1
----------------------------
Number of entries returned 1
----------------------------
```

###########

Client is setup as IPA Client and has Smart Card configurations set
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html-single/identity_management_guide/

Also did the same for /etc/pam.d/gdm.

##### sssd.conf:

```
# cat /etc/sssd/sssd.conf|grep -v debug_level
[domain/testrelm.test]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = seceng-idm-1.fqdn
chpass_provider = ipa
ipa_server = _srv_, qe-blade-04.fqdn
dns_discovery_domain = testrelm.test
krb5_auth_timeout = 60

[sssd]
services = nss, sudo, pam, ssh, ifp
certificate_verification = no_ocsp
domains = testrelm.test

[nss]
homedir_substring = /home

[pam]
pam_cert_auth = True
p11_child_timeout = 60

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
```

##### krb5.conf:

```
# extra pkinit files in place for other potential testing.
# only needed the one for the cert in question really.
#
# cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = TESTRELM.TEST
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  pkinit_anchors = FILE:/etc/test_certs/ipaadcs12r2_ca.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-ca-31.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-ca-41.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-email-ca-31.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-email-ca-41.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-id-sw-ca-37.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-root-ca-2.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-root-ca-3.crt
  pkinit_anchors = FILE:/etc/test_certs/om-ca-32.crt
  pkinit_anchors = FILE:/etc/test_certs/om-email-ca-32.crt

[realms]
  TESTRELM.TEST = {
    kdc = qe-blade-04.fqdn:88
    master_kdc = qe-blade-04.fqdn:88
    admin_server = qe-blade-04.fqdn:749
    default_domain = testrelm.test
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
  IPAADCS12R2.TEST = {
    pkinit_kdc_hostname = idm-qe-ipa-win7.ipaadcs12r2.test
    pkinit_eku_checking = none
  }

[domain_realm]
  .testrelm.test = TESTRELM.TEST
  testrelm.test = TESTRELM.TEST
  .idm.lab.eng.rdu.redhat.com = TESTRELM.TEST
  idm.lab.eng.rdu.redhat.com = TESTRELM.TEST
  .ipaadcs12r2.test = IPAADCS12R2.TEST
  ipaadcs12r2.test = IPAADCS12R2.TEST
```

########### Testing

```
# su - adcacuser1 -c "su - adcacuser1 -c whoami"
PIN for <LABEL FROM CARD> for user adcacuser1
adcacuser1

# ssh -I /usr/lib64/pkcs11/libcoolkeypk11.so -l adcacuser1 $(hostname) "whoami"
Enter PIN for '<LABEL FROM CARD>':
adcacuser1

# gdm also partially tested but not testing with a complete Desktop install so some errors occurred after authenticating with the pin.
Mar 13 18:13:12 seceng-idm-1 pam: gdm-password: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=127.0.0.1:51 ruser= rhost=127.0.0.1 user=adcacuser1
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1877
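The client configuration in the verification above is what makes the smart-card login work: the `pam` responder is enabled in `[sssd] services` and `pam_cert_auth = True` is set in `[pam]`, while `certificate_verification = no_ocsp` is a test-lab relaxation that switches off OCSP revocation checking for the card certificate. The following Python check is an added example (not part of this bug report or of the SSSD project) that audits an sssd.conf of that shape for the required settings and flags the relaxed `certificate_verification` values. The embedded configuration is constructed to mirror the one in the comment; `certificate_verification`, `pam_cert_auth` and `services` are real SSSD options, the function names are the example's own.

```python
import configparser
from typing import Dict, List

# Constructed sample, shaped like the sssd.conf in the verification comment
# (only the sections that matter for smart-card login are reproduced).
SAMPLE_SSSD_CONF = """\
[domain/testrelm.test]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh, ifp
certificate_verification = no_ocsp
domains = testrelm.test

[pam]
pam_cert_auth = True
p11_child_timeout = 60

[ssh]
"""

# The same configuration with the relaxed option removed: without
# certificate_verification SSSD performs full verification, OCSP included.
HARDENED_SSSD_CONF = SAMPLE_SSSD_CONF.replace("certificate_verification = no_ocsp\n", "")

# certificate_verification tokens that relax checking of the card certificate.
# The token names are real SSSD values; the descriptions are this example's.
WEAK_CERT_VERIFICATION = {
    "no_verification": "certificate verification disabled entirely",
    "no_ocsp": "OCSP revocation checking disabled",
}


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style: keep option-name case, allow empty sections."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # do not lower-case option names
    cp.read_string(text)
    return cp


def _csv(value: str) -> List[str]:
    """Split an SSSD comma-separated value such as 'nss, pam, ssh'."""
    return [v.strip() for v in value.split(",") if v.strip()]


def audit_smartcard_config(text: str) -> Dict[str, List[str]]:
    """Check the settings smart-card login through SSSD depends on.

    Returns {'missing': [required settings that are absent],
             'weak':    [settings that relax certificate checking]}.
    """
    cp = parse_sssd_conf(text)
    missing: List[str] = []
    weak: List[str] = []

    # The PAM responder must run, and certificate authentication must be on.
    if "pam" not in _csv(cp.get("sssd", "services", fallback="")):
        missing.append("[sssd] services does not include pam")
    if cp.get("pam", "pam_cert_auth", fallback="").strip().lower() != "true":
        missing.append("[pam] pam_cert_auth = True is not set")

    # certificate_verification is a comma-separated list; entries may carry
    # an '=value' suffix (e.g. ocsp_default_responder=...), so compare names.
    for token in _csv(cp.get("sssd", "certificate_verification", fallback="")):
        name = token.split("=", 1)[0].strip()
        if name in WEAK_CERT_VERIFICATION:
            weak.append(f"[sssd] certificate_verification={name}: "
                        f"{WEAK_CERT_VERIFICATION[name]}")

    return {"missing": missing, "weak": weak}


if __name__ == "__main__":
    for label, conf in (("test setup", SAMPLE_SSSD_CONF), ("hardened", HARDENED_SSSD_CONF)):
        result = audit_smartcard_config(conf)
        print(f"{label}: missing={result['missing']} weak={result['weak']}")
```

Run against the test-lab configuration the check reports nothing missing but one weak setting (`no_ocsp`); against the hardened variant it reports neither. The same applies to `pkinit_eku_checking = none` in the krb5.conf above, which disables the Extended Key Usage check on the KDC certificate for the AD realm and is likewise a test-environment setting rather than a production one.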