Bug 1442703 - Smart Cards: Certificate in the ID View
Summary: Smart Cards: Certificate in the ID View
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.9
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: SSSD Maintainers
QA Contact: ipa-qe
Filip Hanzelka
Depends On: 1290378
Blocks: 1461138 1504542
Reported: 2017-04-17 07:55 UTC by Jakub Hrozek
Modified: 2021-09-09 12:14 UTC (History)

Fixed In Version: sssd-1.13.3-60.el6
Doc Type: Bug Fix
Doc Text:
AD users can now log into IdM using smart card authentication

Previously, it was not possible to add smart card certificates as one of the override attributes for an Active Directory (AD) user in a trust between Identity Management (IdM) and AD. Consequently, an AD user from a trusted domain was unable to log into a host in the IdM domain using a smart card. With this update, the *System Security Services Daemon* (SSSD) can look up certificates in override objects in ID views of AD users. As a result, AD users can now log into IdM-managed machines with a smart card, provided the smart card certificate is stored in ID overrides in the IdM domain.
Clone Of: 1290378
Last Closed: 2018-06-19 05:13:47 UTC
Target Upstream Version:


External trackers (System | ID | Private | Priority | Status | Summary | Last Updated):
Github | SSSD sssd issues 3938 | 0 | None | None | None | 2020-05-04 11:01:21 UTC
Red Hat Product Errata | RHSA-2018:1877 | 0 | None | None | None | 2018-06-19 05:15:04 UTC

Comment 3 Jakub Hrozek 2017-04-19 19:31:39 UTC

Comment 15 Lukas Slebodnik 2018-02-21 10:40:59 UTC
* 9d1397219374531e7f2a3188ea6aa9f86ca35f9e
* 81f9af96065eb94ed0a9e6ef2b759761406b4b81
* f13505ce5632822e093982ca3bbf94f327d59a34
* ae124b2a2f93942d87c615703cde10b2fa39c258
* 2b527257a6d80648671a309e003a88b1cf482eae
* 35f9936d892fe0bda51ebc1db3c1a47e7d1a495f
* 377786542b19ad4227f7447a0995ac5be8bf4a54
* b7f2686bde219ae2ddd9398901a4b3e9cdde2ab1
* 28fbcec499b12d3032590182adf8b09a60f518f1
* e2d9254cf24be128f8593b5629a6ed3ad95bc4e6
* 95b7cee1fb67b4f2da4c5a8345ccfbb0a2de8755
* aec447a206a34909a0becd6098d12b268270a4c3

+ there will be patch from https://github.com/SSSD/sssd/pull/488

Comment 18 Lukas Slebodnik 2018-02-27 13:06:40 UTC
Additional patches have just landed in upstream

* 5d2e7c3154ab4b7e2123b3418debf2e5359a0917
* a02baf4dac81278a597b0f5df66a3df3e3d5a2ca
* 448cbbfa0284ecd88a9a8f900aa406fcd9d6fb1d

Comment 19 Fabiano Fidêncio 2018-02-27 16:27:12 UTC
As new patches landed to sssd-1-13 branch, I've done a new build including those, thus changing the "Fixed in version" field and moving it back to ON_QA.

Comment 21 Scott Poore 2018-03-14 00:13:06 UTC

Version ::


Results ::

IPA Server with trust setup with RHEL7.5 with ipa advise script run and certs installed in /etc/pki/nssdb and in the kerberos pkinit anchor pool file (via ipa-cacert-manage).

For the smart card testing I used a test CAC card.

No mapping/cert in AD:

# ldapsearch -o ldif-wrap=no -xLLL \
>     -D "$AD_ADMIN" -w Secret123 \
>     -h $AD_SERVER \
>     -b "cn=Users,$AD_BASEDN" \
>     "sAMAccountName=adcacuser1" \
>     altSecurityIdentities userCertificate
dn: CN=adcac user1,CN=Users,DC=ipaadcs12r2,DC=test

Add ID View User Override with certificate:

# ipa idoverrideuser-show 'Default Trust View' adcacuser1
  Anchor to override: adcacuser1
  Certificate: MIIFFT...

CAC Card cert is appropriately matched to the ID View User Override:

# ipa certmap-match cac_card_piv.crt
1 user matched
  Domain: ipaadcs12r2.test
  User logins: adcacuser1
Number of entries returned 1

########### Client is setup as IPA Client and has Smart Card configurations set


Also did the same for /etc/pam.d/gdm.

##### sssd.conf:
# cat /etc/sssd/sssd.conf|grep -v debug_level
# (section headers restored from the option names; the bracketed lines did not survive extraction)
[domain/testrelm.test]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = seceng-idm-1.fqdn
chpass_provider = ipa
ipa_server = _srv_, qe-blade-04.fqdn
dns_discovery_domain = testrelm.test
krb5_auth_timeout = 60

[sssd]
services = nss, sudo, pam, ssh, ifp
certificate_verification = no_ocsp
domains = testrelm.test

[nss]
homedir_substring = /home

[pam]
pam_cert_auth = True
p11_child_timeout = 60

##### krb5.conf:
# extra pkinit files in place for other potential testing.
# only needed the one for the cert in question really.
# cat /etc/krb5.conf
#File modified by ipa-client-install
# (section headers and realm braces restored; the bracketed lines did not survive extraction)

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = TESTRELM.TEST
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  pkinit_anchors = FILE:/etc/test_certs/ipaadcs12r2_ca.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-ca-31.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-ca-41.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-email-ca-31.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-email-ca-41.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-id-sw-ca-37.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-root-ca-2.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-root-ca-3.crt
  pkinit_anchors = FILE:/etc/test_certs/om-ca-32.crt
  pkinit_anchors = FILE:/etc/test_certs/om-email-ca-32.crt

[realms]
  TESTRELM.TEST = {
    kdc = qe-blade-04.fqdn:88
    master_kdc = qe-blade-04.fqdn:88
    admin_server = qe-blade-04.fqdn:749
    default_domain = testrelm.test
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
  # realm name inferred from pkinit_kdc_hostname and the domain_realm mapping below
  IPAADCS12R2.TEST = {
    pkinit_kdc_hostname = idm-qe-ipa-win7.ipaadcs12r2.test
    pkinit_eku_checking = none
  }

[domain_realm]
  .testrelm.test = TESTRELM.TEST
  testrelm.test = TESTRELM.TEST
  .idm.lab.eng.rdu.redhat.com = TESTRELM.TEST
  idm.lab.eng.rdu.redhat.com = TESTRELM.TEST
  .ipaadcs12r2.test = IPAADCS12R2.TEST
  ipaadcs12r2.test = IPAADCS12R2.TEST

########### Testing

# su - adcacuser1 -c "su - adcacuser1 -c whoami"
PIN for <LABEL FROM CARD> for user adcacuser1

# ssh -I /usr/lib64/pkcs11/libcoolkeypk11.so -l adcacuser1 $(hostname) "whoami"
Enter PIN for '<LABEL FROM CARD>': 

# gdm was also partially tested, but not with a complete Desktop install, so some errors occurred after authenticating with the PIN.

Mar 13 18:13:12 seceng-idm-1 pam: gdm-password: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=adcacuser1
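Added example, not SSSD or IdM code and not part of the test above: a small lint over the client settings that the smart-card logon in this test depends on, run offline against constructed copies of the sssd.conf and krb5.conf shown in Comment 21. The option names come from the page and the sssd.conf(5)/krb5.conf(5) manuals; the check names, messages and the RELAXED_VERIFICATION set are this example's own. It confirms the hard prerequisites (pam_cert_auth on, the pam responder started, an ipa provider so ID view overrides apply at all, at least one pkinit_anchors) and flags the two lab relaxations in the page's config, certificate_verification = no_ocsp and pkinit_eku_checking = none, which disable revocation checking of the card certificate and EKU checking of the KDC certificate respectively.

```python
"""Lint an sssd.conf / krb5.conf pair for smart-card logon prerequisites.
Added example, not SSSD or IdM code; rules follow sssd.conf(5)/krb5.conf(5)."""
import configparser
import re

# Constructed sample input: the client sssd.conf from the test run, with its
# section headers restored and debug_level lines omitted.
SSSD_CONF = """\
[domain/testrelm.test]
cache_credentials = True
ipa_domain = testrelm.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh, ifp
certificate_verification = no_ocsp
domains = testrelm.test

[pam]
pam_cert_auth = True
p11_child_timeout = 60
"""

# Constructed sample input: the PKINIT-relevant part of the client krb5.conf.
KRB5_CONF = """\
[libdefaults]
  default_realm = TESTRELM.TEST
  pkinit_anchors = FILE:/etc/test_certs/ipaadcs12r2_ca.crt

[realms]
  TESTRELM.TEST = {
    kdc = qe-blade-04.fqdn:88
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
  IPAADCS12R2.TEST = {
    pkinit_kdc_hostname = idm-qe-ipa-win7.ipaadcs12r2.test
    pkinit_eku_checking = none
  }
"""

# certificate_verification values that switch checks off (sssd.conf(5)).
RELAXED_VERIFICATION = {"no_ocsp", "no_verification"}


def parse_sssd_conf(text):
    """sssd.conf is INI-like, so configparser handles it: strict=False
    tolerates repeated keys, interpolation=None keeps '%' in values literal."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def split_list(value):
    """Split a comma-separated sssd.conf value into its items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_smartcard_config(sssd_text, krb5_text):
    """Return {'errors': [...], 'warnings': [...], 'pkinit_anchors': [...]}.
    Errors block smart-card logon outright; warnings are relaxations that
    pass in a lab but weaken a check a production host should make."""
    cp = parse_sssd_conf(sssd_text)
    errors, warnings = [], []

    # pam_sss only attempts certificate authentication when [pam] enables it.
    if cp.get("pam", "pam_cert_auth", fallback="false").strip().lower() != "true":
        errors.append("[pam] pam_cert_auth is not True")

    # The pam responder must be started for pam_sss to reach SSSD at all.
    if "pam" not in split_list(cp.get("sssd", "services", fallback="")):
        errors.append("[sssd] services does not include pam")

    # ID view overrides are an IdM feature: the domain must use the ipa provider.
    for dom in split_list(cp.get("sssd", "domains", fallback="")):
        if cp.get(f"domain/{dom}", "id_provider", fallback="") != "ipa":
            errors.append(f"[domain/{dom}] id_provider is not ipa")

    # no_ocsp skips revocation checking of the card certificate; report it.
    for opt in split_list(cp.get("sssd", "certificate_verification", fallback="")):
        if opt in RELAXED_VERIFICATION:
            warnings.append(f"[sssd] certificate_verification={opt}: certificate checks relaxed")

    # krb5.conf is not INI (nested braces, repeated keys), so scan it by line.
    if re.search(r"^\s*pkinit_eku_checking\s*=\s*none\b", krb5_text, re.M):
        warnings.append("pkinit_eku_checking = none: KDC certificate EKU is not verified")
    anchors = re.findall(r"^\s*pkinit_anchors\s*=\s*(\S+)", krb5_text, re.M)
    if not anchors:
        errors.append("no pkinit_anchors configured; PKINIT cannot validate the KDC")

    return {"errors": errors, "warnings": warnings, "pkinit_anchors": anchors}


if __name__ == "__main__":
    report = check_smartcard_config(SSSD_CONF, KRB5_CONF)
    for level in ("errors", "warnings"):
        for msg in report[level]:
            print(f"{level[:-1].upper()}: {msg}")
```

Run against the page's own settings the lint reports no errors and two warnings (no_ocsp and pkinit_eku_checking = none). Pointing it at a real host's files is a matter of reading `/etc/sssd/sssd.conf` and `/etc/krb5.conf` instead of the embedded strings; krb5.conf fragments pulled in through `includedir` are not followed here.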

Comment 26 errata-xmlrpc 2018-06-19 05:13:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

