Bug 1507614
Summary: | Improve Smartcard integration if multiple certificates or multiple mapped identities are available | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Sumit Bose <sbose> |
Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
Status: | CLOSED ERRATA | QA Contact: | Scott Poore <spoore> |
Severity: | high | Docs Contact: | |
Priority: | urgent | ||
Version: | 7.3 | CC: | desktop-qa-list, dpal, enewland, fidencio, grajaiya, jhrozek, lslebodn, mkosek, mzidek, orion, pbrezina, peter.magnusson, rpattath, rstrode, sgoveas, spoore, timbaldridge, tpelka, tscherf |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | sssd-1.16.0-5.el7 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | 1413900 | Environment: | |
Last Closed: | 2018-04-10 17:18:11 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1413900, 1512213 | ||
Bug Blocks: | | |
Description
Sumit Bose
2017-10-30 17:45:28 UTC
This is the ticket for the SSSD part of this feature which can drive the new GDM conversation type. The new location of the original design page is https://docs.pagure.org/SSSD.sssd/design_pages/smartcards_and_multiple_identities.html. Since this page describes some features which are already fixed by https://pagure.io/SSSD/sssd/issue/3050, I will add a new page which is focused on Smartcards with multiple certificates.

Upstream ticket: https://pagure.io/SSSD/sssd/issue/3560

master:
* 57cefea8305a57c1c0491afb739813b7f17d5a25
* 177ab84f0e336b75289a3ac0b2df25bd5ab5198b
* 08d1f8c0d6eece6a48201d7f8824b282eac3458d
* fd6f4047b58686bd4057c9859c3c804a77b136d8
* 06c2300353faf3983e38fecb1d6afe1f6cc8fe32
* 0a8024af282b271ad2185f68703d9f4e766d2bdc
* 122830e67472390b41edc73f0cfcd5c5705b726b
* 0bdd8800c16f39b8fe308d20694ad905c669dff3
* 39fd336e4390ece3a8465714735ef4203f329e54

Verified.

Version :: sssd-1.16.0-5.el7.x86_64

Results ::

IPA Server and Client setup with RHEL7.5 images. ipa-advise scripts used to setup client and server:

```
ipa-advise config-server-for-smart-card-auth > setup_server.sh
ipa-advise config-client-for-smart-card-auth > setup_client.sh

# On Server:
sh /root/setup_server.sh root_ca.crt issuing_ca.crt
scp /root/setup_client.sh root@client:/root

# On Client:
sh /root/setup_client.sh root_ca.crt issuing_ca.crt
vim /etc/sssd/sssd.conf

# In [domain/<domainname>] section add:
krb5_auth_timeout = 60

# In [sssd] section add:
certificate_verification = no_ocsp
# We can also specify the ocsp config if needed. Or leave this out if the cert
# includes the correct address for the OCSP.

# In [pam] section add:
p11_child_timeout = 60

systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; sleep 1; systemctl start sssd
yum groupinstall "Server with GUI"
reboot
```

```
# On Server setup certmap rules:
[root@ipaserver ~]# ipa certmaprule-find
--------------------------------------------
2 Certificate Identity Mapping Rules matched
--------------------------------------------
  Rule name: jitc_email_ca_41
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=DOD JITC EMAIL CA-41,OU=PKI,OU=DoD,O=U.S. Government,C=US
  Domain name: ipa.test, ad.test
  Enabled: TRUE

  Rule name: jitc_id_ca_41
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=DOD JITC ID CA-41,OU=PKI,OU=DoD,O=U.S. Government,C=US
  Domain name: ipa.test, ad.test
  Enabled: TRUE
----------------------------
Number of entries returned 2
----------------------------
```

and add to user data:

```
[root@ipaserver ~]# ipa user-show ipauser1
  User login: ipauser1
  First name: user
  Last name: one
  Home directory: /home/ipauser1
  Login shell: /bin/sh
  Principal name: ipauser1
  Principal alias: ipauser1
  Email address: ipauser1
  UID: 1315200001
  GID: 1315200001
  Certificate mapping data: X509:<I>C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD JITC EMAIL CA-41<S>C=US,O=U.S. Government,OU=DoD,OU=PKI,OU=NOAA,CN=blahblah...
                            X509:<I>C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD JITC ID CA-41<S>C=US,O=U.S. Government,OU=DoD,OU=PKI,OU=NOAA,CN=blahblah....
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
```

```
# Reset sssd and reboot client again to make sure gdm has all updates
# share usb card reader to client
# insert card
# on the cac card I'm using it has 3 certs that should be visible.
# All three are visible with similar output on gdm login screen:
[1]: Certificate for Key Management CN=blahblah...
[2]: Certificate for Digital Signature CN=blahblah...
[3]: Certificate for PIC Authentication CN=blahblah...
```

Also, more info on verification of this one:

```
[root@ipaclient ~]# su - ipauser1 -c "su - ipauser1 -c klist"
Please select a certificate by typing the corresponding number
[1]: Certificate for Key Management CN=blahblah...
[2]: Certificate for Digital Signature CN=blahblah...
[3]: Certificate for PIV Authentication CN=blahblah...
3 <<< This is what I entered <<<
Certificate ‘01’ selected
PIN for blahblah
Ticket cache: KEYRING:persistent:1315200001:krb_ccache_O1YMAQX
Default principal: ipauser1

Valid starting       Expires              Service principal
11/15/2017 08:09:43  11/16/2017 08:09:36  krbtgt/IPA.TEST
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0929
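As an added example (not SSSD or IPA code), the following Python models how the certmap rules and the ipacertmapdata values in the verification above fit together for a card carrying several certificates: an enabled rule is selected by its <ISSUER> matching rule, treated here as a regular expression searched in the LDAP-order issuer DN as sssd-certmap(5) describes, and the user is then found by equality on the X509:<I>...<S>... string built in X.500 order (the nss_x500 conversion). The subject DNs, the "Unrelated" certificate and the user list are constructed.

```python
"""Added example, not SSSD/IPA code: how the certmap rules and the
ipacertmapdata values shown above connect. nss_x500 renders a DN in
X.500 order (most specific RDN last), the reverse of LDAP order."""
import re

def split_rdns(dn):
    """Split an RFC 4514 DN on commas that are not escaped with a backslash."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]

def to_x500_order(dn):
    """LDAP order 'CN=CA,OU=PKI,C=US' -> X.500 order 'C=US,OU=PKI,CN=CA'."""
    return ",".join(reversed(split_rdns(dn)))

def certmap_data(issuer_dn, subject_dn):
    """X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500} for LDAP-order DNs."""
    return "X509:<I>%s<S>%s" % (to_x500_order(issuer_dn), to_x500_order(subject_dn))

def issuer_rule_matches(matching_rule, issuer_dn):
    """A '<ISSUER>regexp' matching rule is searched in the LDAP-order issuer DN."""
    if not matching_rule.startswith("<ISSUER>"):
        raise ValueError("only <ISSUER> matching rules are modelled here")
    return re.search(matching_rule[len("<ISSUER>"):], issuer_dn) is not None

def map_certificates(certs, rules, users):
    """certs: {label: (issuer_dn, subject_dn)}; rules: [(matching_rule, enabled)];
    users: {login: [ipacertmapdata, ...]}.  Returns {label: [matching logins]}."""
    result = {}
    for label, (issuer, subject) in certs.items():
        if not any(on and issuer_rule_matches(rule, issuer) for rule, on in rules):
            result[label] = []  # no enabled rule applies: certificate is not usable
            continue
        wanted = certmap_data(issuer, subject)
        result[label] = sorted(u for u, data in users.items() if wanted in data)
    return result

# Constructed sample: the two JITC issuers from the rules above, made-up subjects.
EMAIL_CA = "CN=DOD JITC EMAIL CA-41,OU=PKI,OU=DoD,O=U.S. Government,C=US"
ID_CA = "CN=DOD JITC ID CA-41,OU=PKI,OU=DoD,O=U.S. Government,C=US"
SUBJ = "CN=USER ONE,OU=NOAA,OU=PKI,OU=DoD,O=U.S. Government,C=US"
CARD = {"Key Management": (EMAIL_CA, SUBJ), "Digital Signature": (EMAIL_CA, SUBJ),
        "PIV Authentication": (ID_CA, SUBJ), "Unrelated": ("CN=Other CA,O=Example,C=US", SUBJ)}
RULES = [("<ISSUER>" + EMAIL_CA, True), ("<ISSUER>" + ID_CA, True)]
USERS = {"ipauser1": [certmap_data(EMAIL_CA, SUBJ), certmap_data(ID_CA, SUBJ)]}

if __name__ == "__main__":
    for label, logins in map_certificates(CARD, RULES, USERS).items():
        print("%-20s -> %s" % (label, logins or "no mapped identity"))
```

Disabling one of the two rules, or removing one of the user's two mapping-data values, drops the corresponding certificate from the list of usable identities, which is the situation the GDM selection prompt above has to present.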