RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1200767 - [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit)
Summary: [RFE] Allow Kerberos authentication for users with certificates on smart card...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Scott Poore
Aneta Šteflová Petrová
URL:
Whiteboard:
Depends On: 1428484
Blocks: 1340711 1396494 1399979 1411852 1411858 1427497
TreeView+ depends on / blocked
 
Reported: 2015-03-11 11:10 UTC by Martin Kosek
Modified: 2020-12-11 11:47 UTC (History)
11 users (show)

Fixed In Version: ipa-4.5.0-9.el7
Doc Type: Enhancement
Doc Text:
SSSD supports obtaining a Kerberos ticket when users authenticate with a smart card The System Security Services Daemon (SSSD) now supports the Kerberos PKINIT preauthentication mechanism. When authenticating with a smart card to a desktop client system enrolled in an Identity Management (IdM) domain, users receive a valid Kerberos ticket-granting ticket (TGT) if the authentication was successful. Users can then use the TGT for further single sign-on (SSO) authentication from the client system. For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/sc-pkinit-auth.html.
Clone Of:
: 1427497 (view as bug list)
Environment:
Last Closed: 2017-08-01 09:37:23 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Martin Kosek 2015-03-11 11:10:13 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4905

This requirement has several parts:

* Support of Smart Cards in SSSD ([https://fedorahosted.org/sssd/ticket/546 upstream ticket])
* API/CLI for configuring the trusted CA certificate in KDC (related - #616)
* Optionally, also #521 (Add dogtag support to generate KDC certificatesfor Pkinit)
Comment 1 Martin Kosek 2015-06-04 11:54:43 UTC 
The current development status of this feature was discussed and it's scope will be limited for the first release. SC authentication will be LDAP-based (details in https://bugzilla.redhat.com/show_bug.cgi?id=854396#c6).

Kerberos authentication or automatic retrieval of user TGT after authentication (pkinit) will be postponed, given the functionality currently requires special certificate extension (id-pkinit-san) in order to properly map certificates and (user) principals. This is not guaranteed with the primary supported cards (CAC), so we would first need to work on extending our Kerberos backend to provide the mapping ourselves.
Comment 4 David Kupka 2017-03-27 07:54:51 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/da880decfedc66f9d0d2734dcb86c23a8866f603
https://pagure.io/freeipa/c/c4156041feb9c48598427ad59e43313b9c7327bb
ipa-4-5:
https://pagure.io/freeipa/c/cfaaf4e821338dbc146dd49d3c22978165d2e329
https://pagure.io/freeipa/c/5a1ce1fbaa6c7a85bd1bee2a70b8b22509ede7c7
Comment 5 Petr Vobornik 2017-03-28 12:27:22 UTC 
Note that the RFE is implemented, it works with new installs but there are still bugs in upgrades, which have to be fixed. But let's put these patches to current build to allow early testing of at least this.
Comment 6 Jan Cholasta 2017-03-28 14:05:36 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/2dda1acf44dc96e660e81baadee9c3a54bf05eb0
ipa-4-5:
https://pagure.io/freeipa/c/2d246000ef2d715fab464b8ef71fdb3731da127e
Comment 8 Jan Cholasta 2017-04-26 13:41:24 UTC 
We need to bump Requires on krb5 to 1.15.1-4 which resolves bug 1428484, moving back to ASSIGNED.
Comment 9 Martin Babinsky 2017-04-27 07:19:54 UTC 
Fixed upstream

master:
https://pagure.io/freeipa/c/0f42670afa935801c25bc66f733a8d1b90ea5a0b

ipa-4-5:
https://pagure.io/freeipa/c/ec3a2a6063beb4ec96796b66abb82476a5c7bd0f
Comment 12 Scott Poore 2017-05-08 18:07:10 UTC 
Verified.

Version ::
ipa-client-4.5.0-8.el7.x86_64
sssd-1.15.2-17.el7.x86_64

Results ::

### First the options for enabling/disabling anonymous pkinit support
### Also shows anonymous pkinit working

[root@dhcp129-184 ~]# ipa pkinit-anonymous enable

[root@dhcp129-184 ~]# kdestroy -A

[root@dhcp129-184 ~]# kinit -n

[root@dhcp129-184 ~]# ARMOR_CCACHE=$(klist|grep cache:|cut -d' ' -f3-)

[root@dhcp129-184 ~]# kinit -T $ARMOR_CCACHE admin
Password for admin: 

[root@dhcp129-184 ~]# ipa pkinit-anonymous disable

[root@dhcp129-184 ~]# kdestroy -A

### Also, to be thorough, a test with kinit using the smart card:

[root@dhcp129-184 ~]# kinit -X X509_user_identity=PKCS11:module_name=/usr/lib64/opensc-pkcs11.so demosc1
demosc1 (OpenSC Card)            PIN: 

[root@dhcp129-184 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_7XZIAfK
Default principal: demosc1

Valid starting       Expires              Service principal
05/08/2017 12:06:24  05/09/2017 12:06:19  krbtgt/TESTRELM.TEST


[root@dhcp129-184 ~]# kinit -n
kinit: Client's credentials have been revoked while getting initial credentials

[root@dhcp129-184 ~]# kinit admin
Password for admin: 


### Now showing that we get a kerberos ticket when logging in using a smart card
### This example uses SU but, we saw the same behavior work with GDM logins

### First I setup users with and without certs.  the certs were generated by IPA.  The Smart Card had the users key and cert added manually with pkcs15-* commands.
### scuser107 does not have cert or certmapdata added
### demosc1 has both cert and certmapdata
### demosc2 has certmapdata only

[root@dhcp129-184 ~]# ipa user-show demosc1 |sed 's/MII.*$/MII.../'
  User login: demosc1
  First name: demosc
  Last name: demosc1
  Home directory: /home/demosc1
  Login shell: /bin/sh
  Principal name: demosc1
  Principal alias: demosc1
  Email address: demosc1
  UID: 576400131
  GID: 576400131
  Certificate: MII...
  Certificate mapping data: X509:<I>O=TESTRELM.TEST,CN=Certificate Authority<S>O=TESTRELM.TEST,CN=demosc1
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# ipa user-show demosc2 |sed 's/MII.*$/MII.../'
  User login: demosc2
  First name: demosc2
  Last name: demosc2
  Home directory: /home/demosc2
  Login shell: /bin/sh
  Principal name: demosc2
  Principal alias: demosc2
  Email address: demosc2
  UID: 576400132
  GID: 576400132
  Certificate mapping data: X509:<I>O=TESTRELM.TEST,CN=Certificate Authority<S>O=TESTRELM.TEST,CN=demosc1
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# ipa user-show scuser107 |sed 's/MII.*$/MII.../'
  User login: scuser107
  First name: f
  Last name: l
  Home directory: /home/scuser107
  Login shell: /bin/sh
  Principal name: scuser107
  Principal alias: scuser107
  Email address: scuser107
  UID: 576400135
  GID: 576400135
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# ipa certmaprule-find combined
-------------------------------------------
1 Certificate Identity Mapping Rule matched
-------------------------------------------
  Rule name: combined
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))
  Matching rule: <ISSUER>CN=Certificate Authority,O=TESTRELM.TEST
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------

####################################################################
### Now the test showing su ask for pin and getting kerberos ticket
####################################################################

[root@dhcp129-184 ~]# su - demosc1 -c 'kdestroy -A'

[root@dhcp129-184 ~]# su - demosc1 -c klist
klist: Credentials cache keyring 'persistent:576400131:krb_ccache_Yova6yX' not found

[root@dhcp129-184 ~]# su - scuser107 
Last login: Mon May  8 11:56:17 MDT 2017 on pts/0

-sh-4.2$ whoami
scuser107

-sh-4.2$ su - demosc1 -c 'klist'
PIN for demosc1 (OpenSC Card) for user demosc1
Ticket cache: KEYRING:persistent:576400131:krb_ccache_ndRgXGh
Default principal: demosc1

Valid starting       Expires              Service principal
05/08/2017 11:57:34  05/09/2017 11:57:32  krbtgt/TESTRELM.TEST

### Then as second user with certmapdata:

[root@dhcp129-184 ~]# su - demosc2 -c 'kdestroy -A'

[root@dhcp129-184 ~]# su - demosc2 -c 'klist'
klist: Credentials cache keyring 'persistent:576400132:krb_ccache_ZAnYcCH' not found

[root@dhcp129-184 ~]# su - scuser107 
Last login: Mon May  8 11:57:11 MDT 2017 on pts/0

-sh-4.2$ whoami
scuser107

-sh-4.2$ su - demosc2 -c 'klist'
PIN for demosc1 (OpenSC Card) for user demosc2
Ticket cache: KEYRING:persistent:576400132:krb_ccache_9Or3NnY
Default principal: demosc2

Valid starting       Expires              Service principal
05/08/2017 11:59:07  05/09/2017 11:59:05  krbtgt/TESTRELM.TEST
Comment 15 Martin Kosek 2017-05-26 09:39:35 UTC 
Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here:
https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-74-beta-now-available

The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_authentication_and_interoperability.html

IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try Beta and provide us with your feedback!
Comment 16 errata-xmlrpc 2017-08-01 09:37:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
Note You need to log in before you can comment on or make changes to this bug.