Bug 1507614

Summary: Improve Smartcard integration if multiple certificates or multiple mapped identities are available
Product: Red Hat Enterprise Linux 7
Reporter: Sumit Bose <sbose>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: Scott Poore <spoore>
Severity: high
Docs Contact:
Priority: urgent
Version: 7.3
CC: desktop-qa-list, dpal, enewland, fidencio, grajaiya, jhrozek, lslebodn, mkosek, mzidek, orion, pbrezina, peter.magnusson, rpattath, rstrode, sgoveas, spoore, timbaldridge, tpelka, tscherf
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.16.0-5.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1413900
Environment:
Last Closed: 2018-04-10 17:18:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1413900, 1512213
Bug Blocks:

Description Sumit Bose 2017-10-30 17:45:28 UTC
+++ This bug was initially created as a clone of Bug #1413900 +++

Description of problem:

Currently GDM Smartcard integration works great if the Smartcard contains only one certificate valid for authentication which is mapped to a single user.

But there are valid use cases where either multiple certificates valid for authentication are on the Smartcard or where a single certificate is mapped to multiple users. Please see https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardsAndMultipleIdentities for details.

While it would be possible for SSSD to handle the needed prompting, it would imo improve the user experience if GDM can handle some of the prompting in a more appealing way.

Comment 1 Sumit Bose 2017-10-30 17:52:48 UTC
This is the ticket for the SSSD part of this feature which can drive the new GDM conversation type.

The new location of the original design page is https://docs.pagure.org/SSSD.sssd/design_pages/smartcards_and_multiple_identities.html. Since this page describes some features which are already fixed by https://pagure.io/SSSD/sssd/issue/3050, I will add a new page which is focused on Smartcards with multiple certificates.

Comment 2 Sumit Bose 2017-10-31 17:30:54 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3560

Comment 3 Lukas Slebodnik 2017-11-13 15:44:03 UTC
master:
* 57cefea8305a57c1c0491afb739813b7f17d5a25
* 177ab84f0e336b75289a3ac0b2df25bd5ab5198b
* 08d1f8c0d6eece6a48201d7f8824b282eac3458d
* fd6f4047b58686bd4057c9859c3c804a77b136d8
* 06c2300353faf3983e38fecb1d6afe1f6cc8fe32
* 0a8024af282b271ad2185f68703d9f4e766d2bdc
* 122830e67472390b41edc73f0cfcd5c5705b726b
* 0bdd8800c16f39b8fe308d20694ad905c669dff3
* 39fd336e4390ece3a8465714735ef4203f329e54

Comment 5 Scott Poore 2017-11-15 03:38:50 UTC
Verified.

Version ::

sssd-1.16.0-5.el7.x86_64

Results ::

IPA Server and Client setup with RHEL7.5 images. 

ipa-advise scripts used to setup client and server:

ipa-advise config-server-for-smart-card-auth > setup_server.sh

ipa-advise config-client-for-smart-card-auth > setup_client.sh

# On Server:

sh /root/setup_server.sh root_ca.crt issuing_ca.crt

scp /root/setup_client.sh root@client:/root

# On Client:

sh /root/setup_client.sh root_ca.crt issuing_ca.crt

vim /etc/sssd/sssd.conf
# In [domain/<domainname>] section add:
krb5_auth_timeout = 60

# In [sssd] section add:
certificate_verification = no_ocsp
# We can also specify the ocsp config if needed. Or leave this out if the cert
# includes the correct address for the OCSP.

# In [pam] section add:
p11_child_timeout = 60

systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; sleep 1; systemctl start sssd

yum groupinstall "Server with GUI"

reboot

# On Server

setup certmap rules:

[root@ipaserver ~]# ipa certmaprule-find
--------------------------------------------
2 Certificate Identity Mapping Rules matched
--------------------------------------------
  Rule name: jitc_email_ca_41
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=DOD JITC EMAIL CA-41,OU=PKI,OU=DoD,O=U.S. Government,C=US
  Domain name: ipa.test, ad.test
  Enabled: TRUE

  Rule name: jitc_id_ca_41
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=DOD JITC ID CA-41,OU=PKI,OU=DoD,O=U.S. Government,C=US
  Domain name: ipa.test, ad.test
  Enabled: TRUE
----------------------------
Number of entries returned 2
----------------------------


and add to user data:

[root@ipaserver ~]# ipa user-show ipauser1
  User login: ipauser1
  First name: user
  Last name: one
  Home directory: /home/ipauser1
  Login shell: /bin/sh
  Principal name: ipauser1
  Principal alias: ipauser1
  Email address: ipauser1
  UID: 1315200001
  GID: 1315200001
  Certificate mapping data: X509:<I>C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD JITC EMAIL
                            CA-41<S>C=US,O=U.S.
                            Government,OU=DoD,OU=PKI,OU=NOAA,CN=blahblah...
                            X509:<I>C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD JITC ID
                            CA-41<S>C=US,O=U.S.
                            Government,OU=DoD,OU=PKI,OU=NOAA,CN=blahblah....
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True


# Reset sssd and reboot client again to make sure gdm has all updates
# share usb card reader to client
# insert card
# The CAC card I'm using has 3 certs that should be visible.
# All three are visible with similar output on the gdm login screen:

[1]:
Certificate for Key Management
CN=blahblah...

[2]:
Certificate for Digital Signature
CN=blahblah...

[3]:
Certificate for PIC Authentication
CN=blahblah...
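
The sssd.conf changes above raise two timeouts and set certificate_verification = no_ocsp, which turns off the OCSP revocation check for the smartcard certificate. The script below is an added example, not part of this bug report or of SSSD's own code: it parses an sssd.conf with Python's configparser, reads exactly the three options touched in the steps above ([sssd] certificate_verification, [domain/...] krb5_auth_timeout, [pam] p11_child_timeout) and reports findings, flagging no_ocsp (revocation not checked) and no_verification (chain not validated at all). Both sample configurations in the block are constructed for the example; the domain name ipa.test is taken from the certmap output above.

```python
"""Audit the smartcard-related settings of an sssd.conf (added example)."""
import configparser

# Constructed sample modelled on the settings added in the verification steps:
# 'no_ocsp' disables the OCSP revocation check when the certificate is validated.
WEAK_CONF = """\
[sssd]
domains = ipa.test
services = nss, pam
certificate_verification = no_ocsp

[domain/ipa.test]
id_provider = ipa
krb5_auth_timeout = 60

[pam]
p11_child_timeout = 60
"""

# Constructed sample with certificate_verification left at its default, so the
# chain is validated and OCSP is consulted when the certificate carries an
# OCSP responder address (the alternative the steps above mention).
DEFAULT_CONF = """\
[sssd]
domains = ipa.test
services = nss, pam

[domain/ipa.test]
id_provider = ipa
krb5_auth_timeout = 60

[pam]
p11_child_timeout = 60
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text; sssd uses INI syntax with '=' as the separator."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep option names case-sensitive, as sssd does
    cp.read_string(text)
    return cp


def verification_flags(cp):
    """Return the set of flags given in [sssd] certificate_verification."""
    raw = cp.get("sssd", "certificate_verification", fallback="")
    return {flag.strip() for flag in raw.split(",") if flag.strip()}


def audit_smartcard_settings(text):
    """Return (severity, option, message) findings, most severe first."""
    cp = parse_sssd_conf(text)
    findings = []

    flags = verification_flags(cp)
    if "no_verification" in flags:
        findings.append(("high", "certificate_verification",
                         "no_verification: certificate chain is not validated at all"))
    elif "no_ocsp" in flags:
        findings.append(("medium", "certificate_verification",
                         "no_ocsp: revoked certificates are not detected via OCSP"))

    # The steps above set both timeouts to 60 so PIN entry and p11_child do not
    # time out; report where either is missing so the default applies instead.
    for section in (s for s in cp.sections() if s.startswith("domain/")):
        if not cp.has_option(section, "krb5_auth_timeout"):
            findings.append(("info", "krb5_auth_timeout",
                             f"not set in [{section}]; sssd default applies"))
    if not cp.has_option("pam", "p11_child_timeout"):
        findings.append(("info", "p11_child_timeout",
                         "not set in [pam]; sssd default applies"))

    order = {"high": 0, "medium": 1, "info": 2}
    findings.sort(key=lambda f: order[f[0]])
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("default", DEFAULT_CONF)):
        print(f"== {name} ==")
        for sev, opt, msg in audit_smartcard_settings(conf) or [("ok", "-", "no findings")]:
            print(f"  [{sev}] {opt}: {msg}")
```

Running the block prints one medium finding for the constructed weak configuration and none for the default one. In a lab such as the one described above, no_ocsp is a reasonable shortcut when the issuing CA's OCSP responder is unreachable; on a production client the finding is the cue to either restore the default or point certificate_verification at a reachable responder.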

Comment 6 Scott Poore 2017-11-15 14:12:49 UTC
Also, more info on verification of this one:

[root@ipaclient ~]# su - ipauser1 -c "su - ipauser1 -c klist"
Please select a certificate by typing the corresponding number

[1]:
Certificate for Key Management
CN=blahblah...

[2]:
Certificate for Digital Signature
CN=blahblah...

[3]:
Certificate for PIV Authentication
CN=blahblah...
3  <<< This is what I entered <<<
Certificate ‘01’ selected
PIN for blahblah
Ticket cache: KEYRING:persistent:1315200001:krb_ccache_O1YMAQX
Default principal: ipauser1

Valid starting       Expires              Service principal
11/15/2017 08:09:43  11/16/2017 08:09:36  krbtgt/IPA.TEST

Comment 9 errata-xmlrpc 2018-04-10 17:18:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0929