On Thu, Oct 05, 2017 at 02:55:19PM -0400, Steve Weeks wrote:
> No. The user is just in a group that is mapped between AD and IPA. Pretty
> vanilla, just like the examples.

But this is not related to Smartcard authentication. Can you send me the
full sssd_your.domain.log files from Fedora and Ubuntu with debug_level=10
in the [domain/...] section of sssd.conf? Feel free to send them to me
directly if you do not want to share them on the list.

bye,
Sumit

>
> Steve
>
>
> On Thu, Oct 5, 2017 at 2:47 PM, Sumit Bose <[email protected]> wrote:
>
> > On Thu, Oct 05, 2017 at 02:14:57PM -0400, Steve Weeks wrote:
> > > The problem is definitely in sss_pam. From the logs, it sounds like it
> > > can't get the certificate from the server.
> > >
> > > p11_child works the same on both Fedora 25 and Ubuntu 16.04 in both
> > > pre-auth and auth mode. To run in auth mode, change the command line to:
> > >
> > > echo PIN | /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --auth --pin
> > >
> > > Running from the command line, both Fedora and Ubuntu return the same
> > > results in either mode.
> > >
> > > On Ubuntu running a real login, auth mode is never called. The
> > > sssd_pam.log files are different. I've attached the full logs, but this
> > > is what seems to be the problem.
> > >
> > > Fedora, which works fine:
> > >
> > > [sss_dp_issue_request] (0x0400): Issuing request for [0x55e4aeaaa710:8:MIIHdjCCBV6gAwIBAgIT..
> > > [sss_dp_get_account_msg] (0x0400): Creating request for [ipa.example.com][*0x14][BE_REQ_BY_CERT*][1][cert=MIIHdjCCBV...
> > > [sss_dp_internal_get_send] (0x0400): Entering request [0x55e4aeaaa710:8:MIIHdjCCBV6gA.......
> > > [cache_req_cache_search] (0x0040): Cache Request [User by certificate #0]: Cannot find info for [CERT:S/[email protected]]
> > > [child_sig_handler] (0x1000): Waiting for child [5701].
> > > [child_sig_handler] (0x0100): child [5701] finished successfully.
> > > [sbus_remove_timeout] (0x2000): 0x55e4afa97210
> > > [sbus_dispatch] (0x4000): dbus conn: 0x55e4afa9e7d0
> > > [sbus_dispatch] (0x4000): Dispatching.
> > > [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
> > >
> > > The same sequence in Ubuntu has a different call parameter and seems to
> > > fail:
> > >
> > > [sss_dp_issue_request] (0x0400): Issuing request for [0x410090:8:MIIHdjCCBV6...
> > > [sss_dp_get_account_msg] (0x0400): Creating request for [ipa.example.com][*0x1014][FAST BE_REQ_BY_CERT*][1][cert=MIIHdjCCBV6gAw...
> > > [sbus_add_timeout] (0x2000): 0xc46200
> > > [sss_dp_internal_get_send] (0x0400): Entering request [0x410090:8:MIIHdjCCBV6g.....
> > > [child_sig_handler] (0x1000): Waiting for child [9758].
> > > [child_sig_handler] (0x0100): child [9758] finished successfully.
> > > [sbus_remove_timeout] (0x2000): 0xc46200
> > > [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0xc1a220
> > > [sbus_dispatch] (0x4000): Dispatching.
> > > [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 0 error message: Account info lookup failed
> > >
> > > Fedora is running sssd 1.14.2 and Ubuntu is running 1.13.4. The user is
> > > from an AD trust. Both systems are attached to the same IPA server.
> >
> > How did you map the certificate to the AD users? Did you create an
> > idoverride for the AD user and add the certificate to the override?
> > Unfortunately this is only supported since sssd-1.14.
> >
> > bye,
> > Sumit
> >
> > >
> > > Is there some configuration change that will make the Ubuntu system
> > > behave like the Fedora system? I'd really like to use the standard Ubuntu
> > > distribution.
> > >
> > > Thanks,
> > > Steve
> > >
> > >
> > > On Fri, Sep 29, 2017 at 11:17 AM, Steve Weeks <[email protected]> wrote:
> > >
> > > > That works, but it is only pre-auth mode. In --auth mode it fails,
> > > > but I don't think that's relevant since it fails the same way on Fedora too.
> > > >
> > > > The problem seems to be that on Ubuntu, --auth mode is never called.
> > > > On Fedora p11_child is called twice. Once with --pre and then a second
> > > > time with --auth. In the log you see:
> > > >
> > > > $ egrep 'main|verified' p11_child.log
> > > > (Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x0400): p11_child started.
> > > > (Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000): Running in [pre-auth] mode.
> > > > (Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000): Running with effective IDs: [0][0].
> > > > (Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000): Running with real IDs [0][0].
> > > > (Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x0400): p11_child started.
> > > > (Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000): Running in [auth] mode.
> > > > (Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000): Running with effective IDs: [0][0].
> > > > (Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000): Running with real IDs [0][0].
> > > > (Thu Sep 28 14:23:23 2017) [[sssd[p11_child[15378]]]] [do_work] (0x4000): Certificate verified and validated.
> > > >
> > > > I've trimmed the log to what (I think) was interesting. I can send
> > > > everything if you need it.
> > > >
> > > > For Ubuntu, the log stops after the first invocation of p11_child and
> > > > you never see the [auth] mode call. Otherwise the logs are the same.
> > > >
> > > > Steve
> > > >
> > > >
> > > > On Fri, Sep 29, 2017 at 3:17 AM, Sumit Bose <[email protected]> wrote:
> > > >
> > > > > On Thu, Sep 28, 2017 at 02:35:55PM -0400, Steve Weeks wrote:
> > > > > > Progress, but still not using the smartcard and falling back to the
> > > > > > password.
> > > > > >
> > > > > > I changed the pam_sss line in common-auth too:
> > > > > >
> > > > > > auth [default=1 success=ok] pam_localuser.so
> > > > > > auth [success=2 default=ignore] pam_unix.so nullok_secure
> > > > > > #auth [success=1 default=ignore] pam_sss.so use_first_pass
> > > > > > auth sufficient pam_sss.so forward_pass
> > > > > >
> > > > > > Now p11_child is called, but doesn't validate the certificate. On
> > > > > > Fedora the final line in p11_child.log is "Certificate verified and
> > > > > > validated". On Ubuntu that line is missing.
> > > > > >
> > > > > > The root certificate is in the certdb. (certutil -d /etc/pki/nssdb -L).
> > > > > >
> > > > > > Is there a way to do what p11_child does from the command line or
> > > > > > with better logging so I can see what it doesn't like? I have
> > > > > > debug_level = 9 on everything at the moment.
> > > > >
> > > > > /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --pre --nssdb=/etc/pki/nssdb
> > > > >
> > > > > should do the trick.
> > > > >
> > > > > HTH
> > > > >
> > > > > bye,
> > > > > Sumit
> > > > >
> > > > > >
> > > > > > Thanks,
> > > > > > Steve
> > > > > >
> > > > > >
> > > > > > On Thu, Sep 28, 2017 at 12:43 PM, Sumit Bose <[email protected]> wrote:
> > > > > >
> > > > > > > On Thu, Sep 28, 2017 at 12:13:38PM -0400, Steve Weeks wrote:
> > > > > > > > In all cases on both systems pam_unix comes before pam_sss. For
> > > > > > > > example in Fedora system-auth it is:
> > > > > > >
> > > > > > > On recent Fedora systems you should have
> > > > > > >
> > > > > > > auth [default=1 success=ok] pam_localuser.so
> > > > > > >
> > > > > > > before the lines below. This will call pam_unix only for users from
> > > > > > > /etc/passwd and skip the line otherwise (default=1). Maybe
> > > > > > > something like this would help on Ubuntu as well?
> > > > > > >
> > > > > > > bye,
> > > > > > > Sumit
> > > > > > >
> > > > > > > >
> > > > > > > > auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
> > > > > > > > auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> > > > > > > > auth sufficient pam_sss.so forward_pass
> > > > > > > >
> > > > > > > > and in Ubuntu common-auth it is:
> > > > > > > >
> > > > > > > > auth [success=2 default=ignore] pam_unix.so nullok_secure
> > > > > > > > auth [success=1 default=ignore] pam_sss.so use_first_pass
> > > > > > > >
> > > > > > > > I tried reversing the lines and get a pam error about user not
> > > > > > > > known (it is an AD user which works fine on fedora).
> > > > > > > >
> > > > > > > > Also, it looks like pam_pkcs11.so is used in smartcard-auth on
> > > > > > > > Fedora. Don't know if this is relevant or not.
> > > > > > > >
> > > > > > > > Steve
> > > > > > > >
> > > > > > > >
> > > > > > > > On Thu, Sep 28, 2017 at 11:40 AM, Sumit Bose via FreeIPA-users <[email protected]> wrote:
> > > > > > > >
> > > > > > > > > On Thu, Sep 28, 2017 at 11:29:27AM -0400, Steve Weeks via FreeIPA-users wrote:
> > > > > > > > > > We have smartcards (PIV) working just fine on Fedora 25 with
> > > > > > > > > > FreeIPA client version 4.4.4 (SSSD 1.14.2). However on Ubuntu
> > > > > > > > > > 16.04, FreeIPA client 4.3.1, SSSD 1.13.4 the smartcard seems to
> > > > > > > > > > be ignored.
> > > > > > > > > >
> > > > > > > > > > The smartcard is readable using pkcs11-tools and pkcs15-tools
> > > > > > > > > > on both systems.
> > > > > > > > > >
> > > > > > > > > > On both systems sssd.conf contains:
> > > > > > > > > > [pam]
> > > > > > > > > > pam_cert_auth = True
> > > > > > > > > >
> > > > > > > > > > I've turned the sssd logging up to 9 on both systems and it
> > > > > > > > > > looks like p11_child is never called on the Ubuntu system. On
> > > > > > > > > > the Ubuntu system p11_child.log is empty and there is no sign
> > > > > > > > > > of it being started in the sssd_pam.log.
> > > > > > > > > >
> > > > > > > > > > Any suggestions on what I should look at next?
> > > > > > > > >
> > > > > > > > > How does your PAM configuration look? You have to make sure
> > > > > > > > > that pam_sss.so is the first module called for SSSD users. If
> > > > > > > > > pam_unix comes first it will ask for a Password and pass it on
> > > > > > > > > to pam_sss.so which will try password authentication in this
> > > > > > > > > case.
> > > > > > > > >
> > > > > > > > > HTH
> > > > > > > > >
> > > > > > > > > bye,
> > > > > > > > > Sumit
> > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > > Steve
> > > > > > > > > >

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
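The ordering problem discussed throughout this thread (pam_unix prompting for a password before pam_sss ever sees the smartcard user, and the pam_localuser guard that skips pam_unix for non-local users) comes down to how PAM's [value=action] control syntax steers the stack. The following is an added example, not code from the thread or from SSSD/FreeIPA: it parses the auth stacks quoted in the thread and replays them for a hypothetical local user and a hypothetical SSSD (AD/IPA) user, so you can see which modules actually run and in which order. Module return values are a simplified model assumed for this example (pam_localuser and pam_unix succeed only for /etc/passwd users, pam_sss only for SSSD users, pam_deny always fails, everything else succeeds), and the pam_deny/pam_permit tail of Ubuntu's common-auth, which the thread does not show, is assumed so that the success=N jumps have something to land on.

```python
"""Replay a PAM 'auth' stack to see which modules actually run.

Added example (not from the thread, SSSD or FreeIPA). Parses pam.d 'auth'
lines with keyword or bracketed [value=action] controls as in pam.conf(5)
and simulates the stack for a hypothetical local or SSSD user. The module
return values below are an assumed, simplified model.
"""
import re

# Keyword shortcuts expanded as documented in pam.conf(5).
KEYWORDS = {
    "required": "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite": "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional": "[success=ok new_authtok_reqd=ok default=ignore]",
}
LINE_RE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")

# Stacks quoted in the thread. The pam_deny/pam_permit tail of Ubuntu's
# common-auth is not shown there; it is assumed here so the jumps resolve.
FEDORA_SYSTEM_AUTH = """
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
"""
UBUNTU_COMMON_AUTH = """
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
UBUNTU_COMMON_AUTH_GUARDED = """
auth [default=1 success=ok] pam_localuser.so
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth sufficient pam_sss.so forward_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""


def parse_stack(text):
    """Return [(actions, module, args), ...] for each non-comment auth line."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised PAM line: " + line)
        control = KEYWORDS.get(m.group(1), m.group(1))
        actions = dict(kv.split("=", 1) for kv in control.strip("[]").split())
        stack.append((actions, m.group(2), (m.group(3) or "").split()))
    return stack


def module_result(module, local_user):
    """Assumed model of each module's return code (see module docstring)."""
    if module in ("pam_localuser.so", "pam_unix.so"):
        return "success" if local_user else "user_unknown"
    if module == "pam_sss.so":
        return "user_unknown" if local_user else "success"
    if module == "pam_deny.so":
        return "auth_err"
    return "success"  # pam_succeed_if, pam_permit, ...


def simulate(stack, local_user):
    """Replay the stack; return (modules called in order, final outcome)."""
    called, outcome, i = [], None, 0
    while i < len(stack):
        actions, module, _args = stack[i]
        called.append(module)
        result = module_result(module, local_user)
        action = actions.get(result, actions.get("default", "ignore"))
        if action.isdigit():          # jump over the next N modules
            i += int(action) + 1
            continue
        if action == "done":          # success, stop immediately
            return called, "success"
        if action == "die":           # failure, stop immediately
            return called, "failure"
        if action == "bad":
            outcome = "failure"
        elif action == "ok" and outcome is None:
            outcome = "success"
        i += 1                        # "ignore" contributes nothing
    return called, outcome or "failure"


def password_prompt_before_sss(stack, local_user=False):
    """True if pam_unix (which prompts for a password) runs before pam_sss."""
    called, _ = simulate(stack, local_user)
    if "pam_unix.so" not in called:
        return False
    return ("pam_sss.so" not in called
            or called.index("pam_unix.so") < called.index("pam_sss.so"))


if __name__ == "__main__":
    for name, text in [("Fedora system-auth", FEDORA_SYSTEM_AUTH),
                       ("Ubuntu common-auth", UBUNTU_COMMON_AUTH),
                       ("Ubuntu common-auth + pam_localuser", UBUNTU_COMMON_AUTH_GUARDED)]:
        stack = parse_stack(text)
        print(name, "| SSSD user:", simulate(stack, False),
              "| password prompt before pam_sss:", password_prompt_before_sss(stack))
```

Run as a script it shows that on the stock Ubuntu stack an SSSD user hits pam_unix first (the password prompt Sumit describes), whereas with the pam_localuser guard in front, the non-local user jumps straight to pam_sss and pam_unix is only reached for /etc/passwd users. The same parser can be pointed at your own pam.d files to check the order before touching a smartcard.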
