This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/4905

This requirement has several parts:
* Support of Smart Cards in SSSD ([https://fedorahosted.org/sssd/ticket/546 upstream ticket])
* API/CLI for configuring the trusted CA certificate in KDC (related - #616)
* Optionally, also #521 (Add dogtag support to generate KDC certificates for Pkinit)
The current development status of this feature was discussed and its scope will be limited for the first release. SC authentication will be LDAP-based (details in https://bugzilla.redhat.com/show_bug.cgi?id=854396#c6). Kerberos authentication or automatic retrieval of user TGT after authentication (pkinit) will be postponed, given the functionality currently requires a special certificate extension (id-pkinit-san) in order to properly map certificates and (user) principals. This is not guaranteed with the primary supported cards (CAC), so we would first need to work on extending our Kerberos backend to provide the mapping ourselves.
Fixed upstream
master:
https://pagure.io/freeipa/c/da880decfedc66f9d0d2734dcb86c23a8866f603
https://pagure.io/freeipa/c/c4156041feb9c48598427ad59e43313b9c7327bb
ipa-4-5:
https://pagure.io/freeipa/c/cfaaf4e821338dbc146dd49d3c22978165d2e329
https://pagure.io/freeipa/c/5a1ce1fbaa6c7a85bd1bee2a70b8b22509ede7c7
Note that the RFE is implemented and it works with new installs, but there are still bugs in upgrades which have to be fixed. Let's put these patches into the current build to allow early testing of at least this.
Fixed upstream
master:
https://pagure.io/freeipa/c/2dda1acf44dc96e660e81baadee9c3a54bf05eb0
ipa-4-5:
https://pagure.io/freeipa/c/2d246000ef2d715fab464b8ef71fdb3731da127e
We need to bump Requires on krb5 to 1.15.1-4 which resolves bug 1428484, moving back to ASSIGNED.
Fixed upstream
master:
https://pagure.io/freeipa/c/0f42670afa935801c25bc66f733a8d1b90ea5a0b
ipa-4-5:
https://pagure.io/freeipa/c/ec3a2a6063beb4ec96796b66abb82476a5c7bd0f
Verified.

Version ::
ipa-client-4.5.0-8.el7.x86_64
sssd-1.15.2-17.el7.x86_64

Results ::

### First the options for enabling/disabling anonymous pkinit support
### Also shows anonymous pkinit working
[root@dhcp129-184 ~]# ipa pkinit-anonymous enable
[root@dhcp129-184 ~]# kdestroy -A
[root@dhcp129-184 ~]# kinit -n
[root@dhcp129-184 ~]# ARMOR_CCACHE=$(klist|grep cache:|cut -d' ' -f3-)
[root@dhcp129-184 ~]# kinit -T $ARMOR_CCACHE admin
Password for admin:
[root@dhcp129-184 ~]# ipa pkinit-anonymous disable
[root@dhcp129-184 ~]# kdestroy -A

### Also, to be thorough, a test with kinit using the smart card:
[root@dhcp129-184 ~]# kinit -X X509_user_identity=PKCS11:module_name=/usr/lib64/opensc-pkcs11.so demosc1
demosc1 (OpenSC Card) PIN:
[root@dhcp129-184 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_7XZIAfK
Default principal: demosc1

Valid starting       Expires              Service principal
05/08/2017 12:06:24  05/09/2017 12:06:19  krbtgt/TESTRELM.TEST
[root@dhcp129-184 ~]# kinit -n
kinit: Client's credentials have been revoked while getting initial credentials
[root@dhcp129-184 ~]# kinit admin
Password for admin:

### Now showing that we get a kerberos ticket when logging in using a smart card
### This example uses su, but we saw the same behavior work with GDM logins
### First I set up users with and without certs. The certs were generated by IPA. The Smart Card had the user's key and cert added manually with pkcs15-* commands.
### scuser107 does not have cert or certmapdata added
### demosc1 has both cert and certmapdata
### demosc2 has certmapdata only
[root@dhcp129-184 ~]# ipa user-show demosc1 |sed 's/MII.*$/MII.../'
  User login: demosc1
  First name: demosc
  Last name: demosc1
  Home directory: /home/demosc1
  Login shell: /bin/sh
  Principal name: demosc1
  Principal alias: demosc1
  Email address: demosc1
  UID: 576400131
  GID: 576400131
  Certificate: MII...
  Certificate mapping data: X509:<I>O=TESTRELM.TEST,CN=Certificate Authority<S>O=TESTRELM.TEST,CN=demosc1
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@dhcp129-184 ~]# ipa user-show demosc2 |sed 's/MII.*$/MII.../'
  User login: demosc2
  First name: demosc2
  Last name: demosc2
  Home directory: /home/demosc2
  Login shell: /bin/sh
  Principal name: demosc2
  Principal alias: demosc2
  Email address: demosc2
  UID: 576400132
  GID: 576400132
  Certificate mapping data: X509:<I>O=TESTRELM.TEST,CN=Certificate Authority<S>O=TESTRELM.TEST,CN=demosc1
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@dhcp129-184 ~]# ipa user-show scuser107 |sed 's/MII.*$/MII.../'
  User login: scuser107
  First name: f
  Last name: l
  Home directory: /home/scuser107
  Login shell: /bin/sh
  Principal name: scuser107
  Principal alias: scuser107
  Email address: scuser107
  UID: 576400135
  GID: 576400135
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@dhcp129-184 ~]# ipa certmaprule-find combined
-------------------------------------------
1 Certificate Identity Mapping Rule matched
-------------------------------------------
  Rule name: combined
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))
  Matching rule: <ISSUER>CN=Certificate Authority,O=TESTRELM.TEST
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------

####################################################################
### Now the test showing su ask for pin and getting kerberos ticket
####################################################################
[root@dhcp129-184 ~]# su - demosc1 -c 'kdestroy -A'
[root@dhcp129-184 ~]# su - demosc1 -c klist
klist: Credentials cache keyring 'persistent:576400131:krb_ccache_Yova6yX' not found
[root@dhcp129-184 ~]# su - scuser107
Last login: Mon May 8 11:56:17 MDT 2017 on pts/0
-sh-4.2$ whoami
scuser107
-sh-4.2$ su - demosc1 -c 'klist'
PIN for demosc1 (OpenSC Card) for user demosc1
Ticket cache: KEYRING:persistent:576400131:krb_ccache_ndRgXGh
Default principal: demosc1

Valid starting       Expires              Service principal
05/08/2017 11:57:34  05/09/2017 11:57:32  krbtgt/TESTRELM.TEST

### Then as second user with certmapdata:
[root@dhcp129-184 ~]# su - demosc2 -c 'kdestroy -A'
[root@dhcp129-184 ~]# su - demosc2 -c 'klist'
klist: Credentials cache keyring 'persistent:576400132:krb_ccache_ZAnYcCH' not found
[root@dhcp129-184 ~]# su - scuser107
Last login: Mon May 8 11:57:11 MDT 2017 on pts/0
-sh-4.2$ whoami
scuser107
-sh-4.2$ su - demosc2 -c 'klist'
PIN for demosc1 (OpenSC Card) for user demosc2
Ticket cache: KEYRING:persistent:576400132:krb_ccache_9Or3NnY
Default principal: demosc2

Valid starting       Expires              Service principal
05/08/2017 11:59:07  05/09/2017 11:59:05  krbtgt/TESTRELM.TEST
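To make the "combined" certmap rule from the verification comment above concrete, here is an added example (not FreeIPA or SSSD code) that evaluates its <ISSUER> matching rule and renders the ipacertmapdata value against a constructed directory with the same three test users; the !nss_x500 ordering (X.500 order, least specific RDN first) is inferred from the values shown in the comment, and DNs are split on unescaped commas only, which is a simplification.

```python
import re

# Constructed sample: issuer and subject of the card certificate in LDAP
# (RFC 4514, most specific RDN first) order, as NSS reports them.
ISSUER_DN = "CN=Certificate Authority,O=TESTRELM.TEST"
SUBJECT_DN = "CN=demosc1,O=TESTRELM.TEST"

# Matching rule of the "combined" certmap rule from the verification output.
MATCHING_RULE = "<ISSUER>CN=Certificate Authority,O=TESTRELM.TEST"

# Constructed directory entries mirroring the three test users: demosc2's
# mapping data points at demosc1's subject, exactly as in the comment above.
USERS = {
    "demosc1": {"certmapdata": ["X509:<I>O=TESTRELM.TEST,CN=Certificate Authority"
                                "<S>O=TESTRELM.TEST,CN=demosc1"]},
    "demosc2": {"certmapdata": ["X509:<I>O=TESTRELM.TEST,CN=Certificate Authority"
                                "<S>O=TESTRELM.TEST,CN=demosc1"]},
    "scuser107": {"certmapdata": []},
}


def to_x500(dn):
    """LDAP order -> X.500 order, i.e. the {..!nss_x500} template conversion.
    Simplification: RDNs are split on unescaped commas only."""
    return ",".join(reversed(re.split(r"(?<!\\),", dn)))


def issuer_matches(matching_rule, issuer_dn):
    """Evaluate an <ISSUER> matching rule: its body is a regular expression
    tested against the certificate's issuer DN."""
    m = re.fullmatch(r"<ISSUER>(.+)", matching_rule)
    return bool(m) and re.search(m.group(1), issuer_dn) is not None


def certmapdata_value(issuer_dn, subject_dn):
    """Render the ipacertmapdata branch of the mapping rule for a certificate."""
    return "X509:<I>%s<S>%s" % (to_x500(issuer_dn), to_x500(subject_dn))


def map_certificate(users, matching_rule, issuer_dn, subject_dn):
    """Logins whose ipacertmapdata matches this certificate; [] when the
    matching rule rejects the issuer (e.g. a card from an unknown CA)."""
    if not issuer_matches(matching_rule, issuer_dn):
        return []
    value = certmapdata_value(issuer_dn, subject_dn)
    return sorted(login for login, u in users.items() if value in u["certmapdata"])


if __name__ == "__main__":
    # Both demosc1 and demosc2 map to the same card, scuser107 does not.
    print(map_certificate(USERS, MATCHING_RULE, ISSUER_DN, SUBJECT_DN))
```

The shared mapping explains why the PIN prompt above reads "PIN for demosc1 (OpenSC Card) for user demosc2": the card carries demosc1's certificate, and demosc2's certmapdata deliberately references that same subject.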
Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here:
https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-74-beta-now-available

The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_authentication_and_interoperability.html

IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try Beta and provide us with your feedback!
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304