Red Hat Bugzilla – Bug 1442703
Smart Cards: Certificate in the ID View
Last modified: 2018-06-19 01:15:04 EDT
master:
9c88f837ffacf6548c13825589b327de1a5525f3
1a45124f3f300f9afdcb08eab0938e5e7d0534d9
21513e51a4a2eb08f245333bf8f223713a3d7cb3
2f90ec2e16f0c14c789d9ed20e008e3103337210
8822520e6552bbf5ad1b62a4f88dd31a9c8475f1
ffe2522a208cddd415d7c3498dcc73ffda863b6f
cf89f552f06b95bd69d8c61aaa55a330a5d9f6e6
dc936929c01647c0fc116a112cee200156328037
a1210c8db81a1cc0b45eb62a8450abcdea3afc7b
cdc3e9dc42e13f01d8e2623e92dd046a5bb169f1
6cb34580ee6e9e2c9190b77b10db8a3c43e3c9c8
6cdeb0923c16e3fafe21aaadca6dac1d71474c31
sssd-1-13:
* 9d1397219374531e7f2a3188ea6aa9f86ca35f9e
* 81f9af96065eb94ed0a9e6ef2b759761406b4b81
* f13505ce5632822e093982ca3bbf94f327d59a34
* ae124b2a2f93942d87c615703cde10b2fa39c258
* 2b527257a6d80648671a309e003a88b1cf482eae
* 35f9936d892fe0bda51ebc1db3c1a47e7d1a495f
* 377786542b19ad4227f7447a0995ac5be8bf4a54
* b7f2686bde219ae2ddd9398901a4b3e9cdde2ab1
* 28fbcec499b12d3032590182adf8b09a60f518f1
* e2d9254cf24be128f8593b5629a6ed3ad95bc4e6
* 95b7cee1fb67b4f2da4c5a8345ccfbb0a2de8755
* aec447a206a34909a0becd6098d12b268270a4c3

+ there will be a patch from https://github.com/SSSD/sssd/pull/488
Additional patches have just landed in upstream sssd-1-13:
* 5d2e7c3154ab4b7e2123b3418debf2e5359a0917
* a02baf4dac81278a597b0f5df66a3df3e3d5a2ca
* 448cbbfa0284ecd88a9a8f900aa406fcd9d6fb1d
As new patches landed in the sssd-1-13 branch, I've done a new build including those, thus changing the "Fixed in version" field and moving it back to ON_QA.
Verified Version :: sssd-1.13.3-60.el6.x86_64

Results ::

IPA Server with trust setup with RHEL7.5 with ipa advise script run and certs installed in /etc/pki/nssdb and in the kerberos pkinit anchor pool file (via ipa-cacert-manage).

For the smart card testing I used a test CAC card.

No mapping/cert in AD:

# ldapsearch -o ldif-wrap=no -xLLL \
> -D "$AD_ADMIN" -w Secret123 \
> -h $AD_SERVER \
> -b "cn=Users,$AD_BASEDN" \
> "sAMAccountName=adcacuser1" \
> altSecurityIdentities userCertificate
dn: CN=adcac user1,CN=Users,DC=ipaadcs12r2,DC=test

Add ID View User Override with certificate:

# ipa idoverrideuser-show 'Default Trust View' adcacuser1@ipaadcs12r2.test
  Anchor to override: adcacuser1@ipaadcs12r2.test
  Certificate: MIIFFT...

CAC Card cert is appropriately matched to the ID View User Override:

# ipa certmap-match cac_card_piv.crt
--------------
1 user matched
--------------
  Domain: ipaadcs12r2.test
  User logins: adcacuser1
----------------------------
Number of entries returned 1
----------------------------

###########
Client is set up as IPA Client and has Smart Card configurations set
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html-single/identity_management_guide/
Also did the same for /etc/pam.d/gdm.

#####
sssd.conf:

# cat /etc/sssd/sssd.conf|grep -v debug_level
[domain/testrelm.test]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = seceng-idm-1.fqdn
chpass_provider = ipa
ipa_server = _srv_, qe-blade-04.fqdn
dns_discovery_domain = testrelm.test
krb5_auth_timeout = 60
[sssd]
services = nss, sudo, pam, ssh, ifp
certificate_verification = no_ocsp
domains = testrelm.test
[nss]
homedir_substring = /home
[pam]
pam_cert_auth = True
p11_child_timeout = 60
[sudo]
[autofs]
[ssh]
[pac]
[ifp]

#####
krb5.conf:

# extra pkinit files in place for other potential testing.
# only needed the one for the cert in question really.
#
# cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = TESTRELM.TEST
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  pkinit_anchors = FILE:/etc/test_certs/ipaadcs12r2_ca.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-ca-31.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-ca-41.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-email-ca-31.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-email-ca-41.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-id-sw-ca-37.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-root-ca-2.crt
  pkinit_anchors = FILE:/etc/test_certs/jitc-root-ca-3.crt
  pkinit_anchors = FILE:/etc/test_certs/om-ca-32.crt
  pkinit_anchors = FILE:/etc/test_certs/om-email-ca-32.crt

[realms]
  TESTRELM.TEST = {
    kdc = qe-blade-04.fqdn:88
    master_kdc = qe-blade-04.fqdn:88
    admin_server = qe-blade-04.fqdn:749
    default_domain = testrelm.test
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
  IPAADCS12R2.TEST = {
    pkinit_kdc_hostname = idm-qe-ipa-win7.ipaadcs12r2.test
    pkinit_eku_checking = none
  }

[domain_realm]
  .testrelm.test = TESTRELM.TEST
  testrelm.test = TESTRELM.TEST
  .idm.lab.eng.rdu.redhat.com = TESTRELM.TEST
  idm.lab.eng.rdu.redhat.com = TESTRELM.TEST
  .ipaadcs12r2.test = IPAADCS12R2.TEST
  ipaadcs12r2.test = IPAADCS12R2.TEST

###########
Testing

# su - adcacuser1@ipaadcs12r2.test -c "su - adcacuser1@ipaadcs12r2.test -c whoami"
PIN for <LABEL FROM CARD> for user adcacuser1@ipaadcs12r2.test
adcacuser1@ipaadcs12r2.test

# ssh -I /usr/lib64/pkcs11/libcoolkeypk11.so -l adcacuser1@ipaadcs12r2.test $(hostname) "whoami"
Enter PIN for '<LABEL FROM CARD>':
adcacuser1@ipaadcs12r2.test

# gdm also partially tested, but not testing with a complete Desktop install, so some errors occurred after authenticating with the PIN.
Mar 13 18:13:12 seceng-idm-1 pam: gdm-password: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=127.0.0.1:51 ruser= rhost=127.0.0.1 user=adcacuser1@ipaadcs12r2.test
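The verification comment above enables smart-card login in sssd.conf with `pam_cert_auth = True` and sets `certificate_verification = no_ocsp` in the [sssd] section, which turns off OCSP revocation checking for the card certificate. The following audit script is an added example, not code from the SSSD project or from this bug report: it parses an sssd.conf and reports the settings that decide whether a presented certificate is validated and revocation-checked. The sample configuration embedded in it is constructed from the one shown in the comment (hostnames are the test lab's values); the option names `pam_cert_auth`, `p11_child_timeout`, `certificate_verification` and its `no_ocsp`, `no_verification` and `crl_file=` values are the ones documented in sssd.conf(5).

```python
"""Audit an sssd.conf for smart-card (certificate) authentication settings.

Added example; not code from SSSD or from the bug report. It reports
whether certificate login via PAM is enabled and whether the chain and
revocation checks that protect it have been weakened.
"""
import configparser
import sys

# Constructed sample, adapted from the sssd.conf in the bug's verification
# comment (test-lab hostnames, not a real deployment).
SAMPLE_SSSD_CONF = """\
[domain/testrelm.test]
cache_credentials = True
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_server = _srv_, qe-blade-04.fqdn

[sssd]
services = nss, sudo, pam, ssh, ifp
certificate_verification = no_ocsp
domains = testrelm.test

[pam]
pam_cert_auth = True
p11_child_timeout = 60

[sudo]
[ssh]
"""

# Constructed variant where OCSP is still off but a CRL file is supplied,
# so revocation is checked offline instead of not at all.
SAMPLE_WITH_CRL = SAMPLE_SSSD_CONF.replace(
    "certificate_verification = no_ocsp",
    "certificate_verification = no_ocsp, crl_file=/etc/pki/example-ca.crl",
)


def parse_sssd_conf(text):
    """Parse sssd.conf text. It is INI-style: sections may be empty, keys are
    case-insensitive, and '%' must not be treated as interpolation."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(text)
    return cp


def audit_smartcard_config(text):
    """Return a list of (severity, message) findings for smart-card auth."""
    cp = parse_sssd_conf(text)
    findings = []

    # pam_cert_auth gates certificate-based PAM authentication entirely.
    pam_cert_auth = cp.get("pam", "pam_cert_auth", fallback="false")
    if pam_cert_auth.strip().lower() != "true":
        findings.append(("INFO", "pam_cert_auth is not True; certificate login via PAM is disabled"))

    # certificate_verification is a comma-separated option list in [sssd].
    raw = cp.get("sssd", "certificate_verification", fallback="")
    opts = {o.strip().lower() for o in raw.split(",") if o.strip()}
    has_crl = any(o.startswith("crl_file=") for o in opts)
    if "no_verification" in opts:
        findings.append(("CRITICAL", "certificate_verification contains no_verification: "
                                     "chain validation of the card certificate is off"))
    if "no_ocsp" in opts and not has_crl:
        findings.append(("WARNING", "certificate_verification has no_ocsp and no crl_file: "
                                    "revocation of the card certificate is not checked"))

    # p11_child_timeout bounds how long sssd waits for the smart card.
    if not cp.has_option("pam", "p11_child_timeout"):
        findings.append(("INFO", "p11_child_timeout not set in [pam]; the default applies"))
    return findings


def worst_severity(findings):
    """Collapse findings to the single most severe level, or 'OK'."""
    order = {"CRITICAL": 3, "WARNING": 2, "INFO": 1}
    return max((sev for sev, _ in findings), key=order.get, default="OK")


if __name__ == "__main__":
    # Audit a real file if a path is given, otherwise the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSSD_CONF
    for sev, msg in audit_smartcard_config(text):
        print(f"{sev}: {msg}")
```

Run it with the path to an sssd.conf to audit a host, or with no argument to see the findings for the sample; the [sssd]-level `certificate_verification` value applies to every domain, so a single `no_ocsp` there affects all certificate logins on the client.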
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:1877