Red Hat Bugzilla – Bug 1507614
Improve Smartcard integration if multiple certificates or multiple mapped identities are available
Last modified: 2018-05-29 04:39:38 EDT
+++ This bug was initially created as a clone of Bug #1413900 +++

Description of problem:

Currently GDM Smartcard integration works great if the Smartcard contains only one certificate valid for authentication which is mapped to a single user. But there are valid use cases where either multiple certificates valid for authentication are on the Smartcard or where a single certificate is mapped to multiple users. Please see https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardsAndMultipleIdentities for details.

While it would be possible for SSSD to handle the needed prompting, it would imo improve the user experience if GDM can handle some of the prompting in a more appealing way.
This is the ticket for the SSSD part of this feature which can drive the new GDM conversation type.

The new location of the original design page is https://docs.pagure.org/SSSD.sssd/design_pages/smartcards_and_multiple_identities.html. Since this page describes some features which are already fixed by https://pagure.io/SSSD/sssd/issue/3050, I will add a new page which is focused on Smartcards with multiple certificates.
Upstream ticket: https://pagure.io/SSSD/sssd/issue/3560
master:
* 57cefea8305a57c1c0491afb739813b7f17d5a25
* 177ab84f0e336b75289a3ac0b2df25bd5ab5198b
* 08d1f8c0d6eece6a48201d7f8824b282eac3458d
* fd6f4047b58686bd4057c9859c3c804a77b136d8
* 06c2300353faf3983e38fecb1d6afe1f6cc8fe32
* 0a8024af282b271ad2185f68703d9f4e766d2bdc
* 122830e67472390b41edc73f0cfcd5c5705b726b
* 0bdd8800c16f39b8fe308d20694ad905c669dff3
* 39fd336e4390ece3a8465714735ef4203f329e54
Verified.

Version :: sssd-1.16.0-5.el7.x86_64

Results :: IPA Server and Client setup with RHEL7.5 images.

ipa-advise scripts used to set up client and server:

ipa-advise config-server-for-smart-card-auth > setup_server.sh
ipa-advise config-client-for-smart-card-auth > setup_client.sh

# On Server:
sh /root/setup_server.sh root_ca.crt issuing_ca.crt
scp /root/setup_client.sh root@client:/root

# On Client:
sh /root/setup_client.sh root_ca.crt issuing_ca.crt
vim /etc/sssd/sssd.conf
# In [domain/<domainname>] section add:
krb5_auth_timeout = 60
# In [sssd] section add:
certificate_verification = no_ocsp
# We can also specify the ocsp config if needed. Or leave this out if the cert
# includes the correct address for the OCSP.
# In [pam] section add:
p11_child_timeout = 60
systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; sleep 1; systemctl start sssd
yum groupinstall "Server with GUI"
reboot

# On Server set up certmap rules:
[root@ipaserver ~]# ipa certmaprule-find
--------------------------------------------
2 Certificate Identity Mapping Rules matched
--------------------------------------------
  Rule name: jitc_email_ca_41
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=DOD JITC EMAIL CA-41,OU=PKI,OU=DoD,O=U.S. Government,C=US
  Domain name: ipa.test, ad.test
  Enabled: TRUE

  Rule name: jitc_id_ca_41
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=DOD JITC ID CA-41,OU=PKI,OU=DoD,O=U.S. Government,C=US
  Domain name: ipa.test, ad.test
  Enabled: TRUE
----------------------------
Number of entries returned 2
----------------------------

and add to user data:

[root@ipaserver ~]# ipa user-show ipauser1
  User login: ipauser1
  First name: user
  Last name: one
  Home directory: /home/ipauser1
  Login shell: /bin/sh
  Principal name: ipauser1@IPA.TEST
  Principal alias: ipauser1@IPA.TEST
  Email address: ipauser1@ipa.test
  UID: 1315200001
  GID: 1315200001
  Certificate mapping data: X509:<I>C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD JITC EMAIL CA-41<S>C=US,O=U.S. Government,OU=DoD,OU=PKI,OU=NOAA,CN=blahblah...
                            X509:<I>C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD JITC ID CA-41<S>C=US,O=U.S. Government,OU=DoD,OU=PKI,OU=NOAA,CN=blahblah....
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

# Reset sssd and reboot client again to make sure gdm has all updates
# share usb card reader to client
# insert card
# on the cac card I'm using it has 3 certs that should be visible.
# All three are visible with similar output on gdm login screen:

[1]: Certificate for Key Management CN=blahblah...
[2]: Certificate for Digital Signature CN=blahblah...
[3]: Certificate for PIC Authentication CN=blahblah...
Also, more info on verification of this one:

[root@ipaclient ~]# su - ipauser1 -c "su - ipauser1 -c klist"
Please select a certificate by typing the corresponding number
[1]: Certificate for Key Management CN=blahblah...
[2]: Certificate for Digital Signature CN=blahblah...
[3]: Certificate for PIV Authentication CN=blahblah...
3        <<< This is what I entered <<<
Certificate ‘01’ selected
PIN for blahblah
Ticket cache: KEYRING:persistent:1315200001:krb_ccache_O1YMAQX
Default principal: ipauser1@IPA.TEST

Valid starting       Expires              Service principal
11/15/2017 08:09:43  11/16/2017 08:09:36  krbtgt/IPA.TEST@IPA.TEST
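The verification above relies on the certmap rule template `X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}` producing exactly the string stored in the user's "Certificate mapping data", with the DNs in X.500 order (most specific RDN last) while the `<ISSUER>` matching rule is written in RFC 4514 order. The helper below is added here as an illustration and is not SSSD or FreeIPA code: it reverses a DN into X.500 order, builds the `X509:<I>…<S>…` value an admin would pre-compute before adding it to a user, and evaluates an `<ISSUER>` rule the way sss-certmap(5) describes it (a regular expression searched in the RFC 4514 issuer string; treating the match as case-insensitive is my assumption). The subject DN used in `__main__` is constructed; the issuer DNs are the ones from the `ipa certmaprule-find` output above.

```python
"""Certmap data helper for the mapping rules shown in this bug.

Added example, not part of SSSD or FreeIPA. It mirrors how the
{issuer_dn!nss_x500}/{subject_dn!nss_x500} template renders DNs
(X.500 order, most specific RDN last) so the resulting string can be
compared with, or prepared for, `ipa user-add-certmapdata`.
"""
import re

# Split an RFC 4514 DN into its RDNs without breaking on escaped commas
# (e.g. "CN=Doe\, Jane"); escape sequences are kept verbatim so the DN
# round-trips unchanged apart from the ordering.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def to_x500_order(dn):
    """Reverse an RFC 4514 DN (most specific RDN first) into X.500 order."""
    rdns = [r.strip() for r in _RDN_SPLIT.split(dn)]
    return ",".join(reversed(rdns))


def certmap_data(issuer_dn, subject_dn):
    """Build the X509:<I>issuer<S>subject string that the bug's mapping rule
    looks up in ipacertmapdata (the user's 'Certificate mapping data')."""
    return "X509:<I>%s<S>%s" % (to_x500_order(issuer_dn),
                                to_x500_order(subject_dn))


def issuer_matches(matching_rule, issuer_dn):
    """Evaluate a '<ISSUER>regex' matching rule against a certificate issuer
    given in RFC 4514 order. Case-insensitive matching is an assumption."""
    if not matching_rule.startswith("<ISSUER>"):
        raise ValueError("only <ISSUER> rules are handled by this helper")
    pattern = matching_rule[len("<ISSUER>"):]
    return re.search(pattern, issuer_dn, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Issuer from the certmaprule output in this bug; subject is constructed.
    issuer = "CN=DOD JITC EMAIL CA-41,OU=PKI,OU=DoD,O=U.S. Government,C=US"
    subject = "CN=EXAMPLE USER,OU=NOAA,OU=PKI,OU=DoD,O=U.S. Government,C=US"
    print(certmap_data(issuer, subject))
    print(issuer_matches("<ISSUER>" + issuer, issuer))
```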
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:0929