Progress, but still not using the smartcard and falling back to the password.
I changed the pam_sss line in common-auth too:

auth [default=1 success=ok] pam_localuser.so
auth [success=2 default=ignore] pam_unix.so nullok_secure
#auth [success=1 default=ignore] pam_sss.so use_first_pass
auth sufficient pam_sss.so forward_pass

Now p11_child is called, but doesn't validate the certificate. On Fedora the final line in p11_child.log is "Ceritificate verified and validated". On Ubuntu that line is missing. The root certificate is in the certdb (certutil -d /etc/pki/nssdb -L).

Is there a way to do what p11_child does from the command line or with better logging so I can see what it doesn't like? I have debug_level = 9 on everything at the moment.

Thanks,
Steve

On Thu, Sep 28, 2017 at 12:43 PM, Sumit Bose <[email protected]> wrote:
> On Thu, Sep 28, 2017 at 12:13:38PM -0400, Steve Weeks wrote:
> > In all cases on both systems pam_unix comes before pam_sss. For example in
> > Fedora system-auth it is:
>
> On recent Fedora systems you should have
>
> auth [default=1 success=ok] pam_localuser.so
>
> before the lines below. This will call pam_unix only for users from
> /etc/passwd and skip the line otherwise (default=1). Maybe something
> like this would help on Ubuntu as well?
>
> bye,
> Sumit
>
> >
> > auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
> > auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> > auth sufficient pam_sss.so forward_pass
> >
> > and in Ubuntu common-auth it is:
> >
> > auth [success=2 default=ignore] pam_unix.so nullok_secure
> > auth [success=1 default=ignore] pam_sss.so use_first_pass
> >
> > I tried reversing the lines and get a pam error about user not known (it
> > is an AD user which works fine on Fedora).
> >
> > Also, it looks like pam_pkcs11.so is used in smartcard-auth on Fedora.
> > Don't know if this is relevant or not.
> >
> > Steve
> >
> > On Thu, Sep 28, 2017 at 11:40 AM, Sumit Bose via FreeIPA-users <[email protected]> wrote:
> >
> > > On Thu, Sep 28, 2017 at 11:29:27AM -0400, Steve Weeks via FreeIPA-users wrote:
> > > > We have smartcards (PIV) working just fine on Fedora 25 with FreeIPA client
> > > > version 4.4.4 (SSSD 1.14.2). However on Ubuntu 16.04, FreeIPA client
> > > > 4.3.1, SSSD 1.13.4 the smartcard seems to be ignored.
> > > >
> > > > The smartcard is readable using pkcs11-tools and pkcs15-tools on both
> > > > systems.
> > > >
> > > > On both systems sssd.conf contains:
> > > > [pam]
> > > > pam_cert_auth = True
> > > >
> > > > I've turned the sssd logging up to 9 on both systems and it looks like
> > > > p11_child is never called on the Ubuntu system. On the Ubuntu system
> > > > p11_child.log is empty and there is no sign of it being started in the
> > > > sssd_pam.log.
> > > >
> > > > Any suggestions on what I should look at next?
> > >
> > > What does your PAM configuration look like? You have to make sure that
> > > pam_sss.so is the first module called for SSSD users. If pam_unix comes
> > > first it will ask for a password and pass it on to pam_sss.so which will
> > > try password authentication in this case.
> > >
> > > HTH
> > >
> > > bye,
> > > Sumit
> > >
> > > > Thanks,
> > > > Steve
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
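The thread turns on which module is reached first under the [value=action] control syntax. The following stack walker is an added example for this thread (not SSSD or Linux-PAM code); it applies the pam.conf(5) control semantics to the common-auth stacks quoted above, with each module's return value for a given user supplied as an assumed input.

```python
# Toy walker for a Linux-PAM 'auth' stack, constructed for this thread (not SSSD or Linux-PAM code).
# It applies the [value=action] control semantics of pam.conf(5) to show which modules actually run.
import re

# Keyword controls written as the bracketed form they are equivalent to.
KEYWORDS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}
LINE = re.compile(r"^auth\s+(\[[^\]]+\]|\w+)\s+(\S+)")

def parse_stack(text):
    """Return [(control, module)] for the non-comment 'auth' lines of text."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError("unparsable line: " + raw)
        ctl, module = m.groups()
        ctl = dict(kv.split("=") for kv in ctl[1:-1].split()) if ctl[0] == "[" else KEYWORDS[ctl]
        stack.append((ctl, module))
    return stack

def walk(stack, results):
    """results maps module -> assumed return value ('success', 'user_unknown', ...).
    Returns (modules invoked in order, final 'success' or 'fail')."""
    called, status, i = [], None, 0
    while i < len(stack):
        ctl, module = stack[i]
        called.append(module)
        action = ctl.get(results.get(module, "ignore"), ctl.get("default", "bad"))
        i += 1
        if action.isdigit():           # N: behaves like ok, then skips the next N modules
            i, action = i + int(action), "ok"
        if action in ("ok", "done"):
            status = status or "success"   # an earlier failure is never overwritten
        elif action in ("bad", "die"):
            status = "fail"
        if action in ("done", "die"):  # both end the stack immediately
            break
    return called, status or "fail"

# Stacks quoted in the thread: the stock Ubuntu 16.04 common-auth order, and the pam_localuser variant.
UBUNTU_ORIG = parse_stack("""auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass""")
WITH_LOCALUSER = parse_stack("""auth [default=1 success=ok] pam_localuser.so
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth sufficient pam_sss.so forward_pass""")
```

For an AD user (pam_localuser and pam_unix returning user-unknown) the stock order invokes pam_unix before pam_sss, while the pam_localuser variant jumps straight to pam_sss; for a local user the success=2 on pam_unix skips pam_sss entirely.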
