Bug 1442703 - Smart Cards: Certificate in the ID View
Summary: Smart Cards: Certificate in the ID View
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.9
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: rc
Assignee: SSSD Maintainers
QA Contact: ipa-qe
Filip Hanzelka
URL:
Whiteboard:
Depends On: 1290378
Blocks: 1461138 1504542
Reported: 2017-04-17 07:55 UTC by Jakub Hrozek
Modified: 2018-06-19 05:15 UTC

Fixed In Version: sssd-1.13.3-60.el6
Doc Type: Bug Fix
Doc Text:
AD users can now log into IdM using smart card authentication

Previously, it was not possible to add smart card certificates as one of the override attributes for an Active Directory (AD) user in a trust between Identity Management (IdM) and AD. Consequently, an AD user from a trusted domain was unable to log into a host in the IdM domain using a smart card. With this update, the *System Security Services Daemon* (SSSD) can look up certificates in override objects in ID views of AD users. As a result, AD users can now log into IdM-managed machines with a smart card, provided the smart card certificate is stored in ID overrides in the IdM domain.
Clone Of: 1290378
Environment:
Last Closed: 2018-06-19 05:13:47 UTC
Target Upstream Version:




Links:
  Red Hat Product Errata RHSA-2018:1877 (last updated 2018-06-19 05:15:04 UTC)

Comment 3 Jakub Hrozek 2017-04-19 19:31:39 UTC
master:

Comment 15 Lukas Slebodnik 2018-02-21 10:40:59 UTC
sssd-1-13:

+ there will be a patch from https://github.com/SSSD/sssd/pull/488

Comment 18 Lukas Slebodnik 2018-02-27 13:06:40 UTC
Additional patches have just landed in upstream.

sssd-1-13:
* 5d2e7c3154ab4b7e2123b3418debf2e5359a0917
* a02baf4dac81278a597b0f5df66a3df3e3d5a2ca
* 448cbbfa0284ecd88a9a8f900aa406fcd9d6fb1d

Comment 19 Fabiano Fidêncio 2018-02-27 16:27:12 UTC
As new patches landed to sssd-1-13 branch, I've done a new build including those, thus changing the "Fixed in version" field and moving it back to ON_QA.

Comment 21 Scott Poore 2018-03-14 00:13:06 UTC
Verified

Version ::

sssd-1.13.3-60.el6.x86_64


Results ::

IPA Server with a trust set up with RHEL 7.5, with the ipa-advise script run and certs installed in /etc/pki/nssdb and in the Kerberos PKINIT anchor pool file (via ipa-cacert-manage).

For the smart card testing I used a test CAC card.

No mapping/cert in AD:

# ldapsearch -o ldif-wrap=no -xLLL \
>     -D "$AD_ADMIN" -w Secret123 \
>     -h $AD_SERVER \
>     -b "cn=Users,$AD_BASEDN" \
>     "sAMAccountName=adcacuser1" \
>     altSecurityIdentities userCertificate
dn: CN=adcac user1,CN=Users,DC=ipaadcs12r2,DC=test

Add ID View User Override with certificate:

# ipa idoverrideuser-show 'Default Trust View' adcacuser1@ipaadcs12r2.test
  Anchor to override: adcacuser1@ipaadcs12r2.test
  Certificate: MIIFFT...

CAC Card cert is appropriately matched to the ID View User Override:

# ipa certmap-match cac_card_piv.crt
--------------
1 user matched
--------------
  Domain: ipaadcs12r2.test
  User logins: adcacuser1
----------------------------
Number of entries returned 1
----------------------------

########### Client is set up as an IPA Client and has Smart Card configuration set

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html-single/identity_management_guide/

Also did the same for /etc/pam.d/gdm.


##### sssd.conf:
# cat /etc/sssd/sssd.conf|grep -v debug_level
[domain/testrelm.test]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = seceng-idm-1.fqdn
chpass_provider = ipa
ipa_server = _srv_, qe-blade-04.fqdn
dns_discovery_domain = testrelm.test
krb5_auth_timeout = 60

[sssd]
services = nss, sudo, pam, ssh, ifp
certificate_verification = no_ocsp
domains = testrelm.test

[nss]
homedir_substring = /home

[pam]
pam_cert_auth = True
p11_child_timeout = 60


[sudo]

[autofs]

[ssh]

[pac]

[ifp]


##### krb5.conf:
# extra pkinit files in place for other potential testing.
# only needed the one for the cert in question really.
#
# cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = TESTRELM.TEST
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  pkinit_anchors = FILE:/etc/test_certs/ipaadcs12r2_ca.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-ca-31.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-ca-41.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-email-ca-31.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-email-ca-41.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-id-sw-ca-37.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-root-ca-2.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-root-ca-3.crt
  pkinit_anchors = FILE:/etc/test_certs/om-ca-32.crt
  pkinit_anchors = FILE:/etc/test_certs/om-email-ca-32.crt

[realms]
  TESTRELM.TEST = {
    kdc = qe-blade-04.fqdn:88
    master_kdc = qe-blade-04.fqdn:88
    admin_server = qe-blade-04.fqdn:749
    default_domain = testrelm.test
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

  IPAADCS12R2.TEST = {
    pkinit_kdc_hostname = idm-qe-ipa-win7.ipaadcs12r2.test
    pkinit_eku_checking = none
  }


[domain_realm]
  .testrelm.test = TESTRELM.TEST
  testrelm.test = TESTRELM.TEST
  .idm.lab.eng.rdu.redhat.com = TESTRELM.TEST
  idm.lab.eng.rdu.redhat.com = TESTRELM.TEST
  .ipaadcs12r2.test = IPAADCS12R2.TEST
  ipaadcs12r2.test = IPAADCS12R2.TEST




########### Testing

# su - adcacuser1@ipaadcs12r2.test -c "su - adcacuser1@ipaadcs12r2.test -c whoami"
PIN for <LABEL FROM CARD> for user adcacuser1@ipaadcs12r2.test
adcacuser1@ipaadcs12r2.test

# ssh -I /usr/lib64/pkcs11/libcoolkeypk11.so -l adcacuser1@ipaadcs12r2.test $(hostname) "whoami"
Enter PIN for '<LABEL FROM CARD>': 
adcacuser1@ipaadcs12r2.test

# gdm also partially tested, but not tested with a complete Desktop install, so some errors occurred after authenticating with the PIN.

Mar 13 18:13:12 seceng-idm-1 pam: gdm-password: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=127.0.0.1:51 ruser= rhost=127.0.0.1 user=adcacuser1@ipaadcs12r2.test
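
As an added pre-flight check (not code from this bug, from SSSD or from IPA), the following Python script validates the [sssd]/[pam] settings that the verification above relies on and converts a PEM certificate into the base64 DER form that the `Certificate:` attribute of the ID override stores (the form `ipa idoverrideuser-add-cert` takes); the sample sssd.conf and the certificate bytes are constructed here, not taken from the test hosts.

```python
import base64
import configparser
from io import StringIO

# Constructed sample modelled on the sssd.conf in the verification comment.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, sudo, pam, ssh, ifp
certificate_verification = no_ocsp
domains = testrelm.test

[pam]
pam_cert_auth = True
p11_child_timeout = 60
"""


def check_smartcard_config(conf_text):
    """Return a list of findings about the smart card related settings.

    An empty list means the PAM responder is enabled, pam_cert_auth is on,
    and no setting weakens certificate verification.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(StringIO(conf_text))
    findings = []
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "pam" not in services:
        findings.append("pam responder not listed in [sssd] services")
    if not cp.getboolean("pam", "pam_cert_auth", fallback=False):
        findings.append("[pam] pam_cert_auth is not enabled")
    # no_ocsp skips revocation checks and no_verification skips chain
    # validation; both are acceptable only in a lab like the one above.
    verification = cp.get("sssd", "certificate_verification", fallback="")
    if "no_ocsp" in verification or "no_verification" in verification:
        findings.append("certificate_verification weakens revocation/chain checks: " + verification)
    return findings


def pem_to_override_blob(pem_text):
    """Convert a PEM certificate to the base64 DER string stored in the
    override's Certificate attribute. Raises ValueError on malformed input."""
    lines = [line.strip() for line in pem_text.splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:  # a DER Certificate is an ASN.1 SEQUENCE
        raise ValueError("not a DER-encoded certificate")
    return base64.b64encode(der).decode("ascii")
```

Run `check_smartcard_config` against the real /etc/sssd/sssd.conf on the client before adding the override; a lab-only `no_ocsp` finding is worth resolving before production use.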

Comment 26 errata-xmlrpc 2018-06-19 05:13:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1877

