RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider
Summary: [RFE] Add PKINIT support to SSSD Kerberos provider
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.3
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: SSSD Maintainers
QA Contact: Scott Poore
Aneta Šteflová Petrová
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-12-15 14:19 UTC by Sumit Bose
Modified: 2020-06-11 13:08 UTC (History)
12 users (show)

Fixed In Version: sssd-1.15.1-1.el7
Doc Type: Enhancement
Doc Text:
See doc text in https://bugzilla.redhat.com/show_bug.cgi?id=1200767
Clone Of:
Environment:
Last Closed: 2017-08-01 09:02:33 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 4303 0 None closed [RFE] Add PKINIT support to SSSD Kerberos proivder 2020-05-15 15:34:59 UTC
Red Hat Product Errata RHEA-2017:2294 0 normal SHIPPED_LIVE sssd bug fix and enhancement update 2017-08-01 12:39:55 UTC

Description Sumit Bose 2016-12-15 14:19:25 UTC 
This is the client side ticket for the FreeIPA/IdM ticket https://bugzilla.redhat.com/show_bug.cgi?id=1200767.

SSSD should be able to determine if pkinit is available for the user and prompt for a Smartcard PIN if pkinit is available and a Smartcard is inserted or if only pkinit if available for authentication.
Comment 1 Jakub Hrozek 2016-12-15 15:25:14 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/3270
Comment 2 Hristo Venev 2017-01-03 23:14:18 UTC 
Does this block https://bugzilla.redhat.com/show_bug.cgi?id=998545 ?
Comment 3 Sumit Bose 2017-01-04 09:06:05 UTC 
(In reply to Hristo Venev from comment #2)
> Does this block https://bugzilla.redhat.com/show_bug.cgi?id=998545 ?

No, not in general. PKINIT is only needed if you have a Kerberos infrastructure which can handle PKINIT.

Smartcard authentication to the local system without getting a Kerberos ticket is currently already available in Fedora/RHEL for users managed by LDAP, AD or FreeIPA. Unfortunately SSSD can currently not handle Smartcard authentication for local user from /etc/passwd, but this is planned for the next release.
Comment 5 Jakub Hrozek 2017-02-23 10:03:24 UTC 
master:
    2d527aa
    52f4583
    ead25e3
    82c5971
    dd17a3a
    f70d946
    d475744
    254f389
    327a166
    f561c2b
Comment 6 Jakub Hrozek 2017-02-23 10:03:52 UTC 
Can we get a qa_ack, please?
Comment 8 Sumit Bose 2017-05-05 18:49:36 UTC 
Hi Aneta,

it was mentioned in 
https://bugzilla.redhat.com/show_bug.cgi?id=1448236 that the changes to krb5.conf described in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html should be mentioned for this SSSD feature as well. The important options for the SSSD feature are pkinit_anchors and in some cases pkinit_kdc_hostname (this is typically needed when using AD). pkinit_cert_match should net be used because this will be set by SSSD.

I'm setting needinfo so that you can set the doc related options accordingly.
Comment 9 Scott Poore 2017-05-08 18:07:28 UTC 
Verified.  Using same as bug #1200767

Version ::
ipa-client-4.5.0-8.el7.x86_64
sssd-1.15.2-17.el7.x86_64

Results ::

### First I setup users with and without certs.  the certs were generated by IPA.  The Smart Card had the users key and cert added manually with pkcs15-* commands.
### scuser107 does not have cert or certmapdata added
### demosc1 has both cert and certmapdata
### demosc2 has certmapdata only

[root@dhcp129-184 ~]# ipa user-show demosc1 |sed 's/MII.*$/MII.../'
  User login: demosc1
  First name: demosc
  Last name: demosc1
  Home directory: /home/demosc1
  Login shell: /bin/sh
  Principal name: demosc1
  Principal alias: demosc1
  Email address: demosc1
  UID: 576400131
  GID: 576400131
  Certificate: MII...
  Certificate mapping data: X509:<I>O=TESTRELM.TEST,CN=Certificate Authority<S>O=TESTRELM.TEST,CN=demosc1
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# ipa user-show demosc2 |sed 's/MII.*$/MII.../'
  User login: demosc2
  First name: demosc2
  Last name: demosc2
  Home directory: /home/demosc2
  Login shell: /bin/sh
  Principal name: demosc2
  Principal alias: demosc2
  Email address: demosc2
  UID: 576400132
  GID: 576400132
  Certificate mapping data: X509:<I>O=TESTRELM.TEST,CN=Certificate Authority<S>O=TESTRELM.TEST,CN=demosc1
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# ipa user-show scuser107 |sed 's/MII.*$/MII.../'
  User login: scuser107
  First name: f
  Last name: l
  Home directory: /home/scuser107
  Login shell: /bin/sh
  Principal name: scuser107
  Principal alias: scuser107
  Email address: scuser107
  UID: 576400135
  GID: 576400135
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# ipa certmaprule-find combined
-------------------------------------------
1 Certificate Identity Mapping Rule matched
-------------------------------------------
  Rule name: combined
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))
  Matching rule: <ISSUER>CN=Certificate Authority,O=TESTRELM.TEST
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------

####################################################################
### Now the test showing su ask for pin and getting kerberos ticket
####################################################################

[root@dhcp129-184 ~]# su - demosc1 -c 'kdestroy -A'

[root@dhcp129-184 ~]# su - demosc1 -c klist
klist: Credentials cache keyring 'persistent:576400131:krb_ccache_Yova6yX' not found

[root@dhcp129-184 ~]# su - scuser107 
Last login: Mon May  8 11:56:17 MDT 2017 on pts/0

-sh-4.2$ whoami
scuser107

-sh-4.2$ su - demosc1 -c 'klist'
PIN for demosc1 (OpenSC Card) for user demosc1
Ticket cache: KEYRING:persistent:576400131:krb_ccache_ndRgXGh
Default principal: demosc1

Valid starting       Expires              Service principal
05/08/2017 11:57:34  05/09/2017 11:57:32  krbtgt/TESTRELM.TEST

### Then as second user with certmapdata:

[root@dhcp129-184 ~]# su - demosc2 -c 'kdestroy -A'

[root@dhcp129-184 ~]# su - demosc2 -c 'klist'
klist: Credentials cache keyring 'persistent:576400132:krb_ccache_ZAnYcCH' not found

[root@dhcp129-184 ~]# su - scuser107 
Last login: Mon May  8 11:57:11 MDT 2017 on pts/0

-sh-4.2$ whoami
scuser107

-sh-4.2$ su - demosc2 -c 'klist'
PIN for demosc1 (OpenSC Card) for user demosc2
Ticket cache: KEYRING:persistent:576400132:krb_ccache_9Or3NnY
Default principal: demosc2

Valid starting       Expires              Service principal
05/08/2017 11:59:07  05/09/2017 11:59:05  krbtgt/TESTRELM.TEST
Comment 13 Martin Kosek 2017-05-26 09:40:13 UTC 
Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here:
https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-74-beta-now-available

The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_authentication_and_interoperability.html

IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try Beta and provide us with your feedback!
Comment 14 errata-xmlrpc 2017-08-01 09:02:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294
Note You need to log in before you can comment on or make changes to this bug.