On Thu, Sep 23, 2021 at 02:12:20PM -0400, Rob Crittenden via
FreeIPA-users wrote:
> Radoslaw Kujawa via FreeIPA-users wrote:
> > Hi.
> >
> > On 9/23/21 15:06, Sumit Bose via FreeIPA-users wrote:
> >> On Thu, Sep 23, 2021 at 12:33:25PM +0200, Radoslaw Kujawa via
> >> FreeIPA-users wrote:
> >>
> >> the keys are only derived from the certificate if the certificate can be
> >> validated. Have you copied all needed CA certificates to the new machine
> >> and made SSSD aware of it?
> >>
> >
> > Indeed, it was a problem with validation. I've originally created a
> > symlink from /etc/sssd/pki/sssd_auth_ca_db.pem to /etc/ipa/ca.crt .
> > However, this resulted in SELinux denial:
> >
> > ----
> > time->Thu Sep 23 15:35:28 2021
> > type=AVC msg=audit(1632411328.296:280110): avc: denied { read } for
> > pid=1555510 comm="p11_child" name="sssd_auth_ca_db.pem" dev="nvme0n1p2"
> > ino=421 scontext=system_u:system_r:sssd_t:s0
> > tcontext=unconfined_u:object_r:sssd_conf_t:s0 tclass=lnk_file permissive=0
Hi,
it looks like SELinux does not like that a link is used here. Have you
tried whether adding
pam_cert_db_path = /etc/ipa/ca.crt
to the [pam] section of sssd.conf (or as a snippet in /etc/sssd/conf.d/)
works?
About using /etc/ipa/ca.crt: this file only contains the IPA CA
certificate, so it can only verify certificates issued by IPA. It might
be better to use /var/lib/ipa-client/pki/ca-bundle.pem, which contains
all the CA certificates trusted by the IPA servers; see man
ipa-cacert-manage for details.
> >
> > After copying the certificate, instead of symlinking it,
> > sss_ssh_authorizedkeys works correctly and reports public keys from
> > certificates too.
> >
> > While here, I have a suggestion. Could ipa-client-install also add the
> > CA certificate to sssd's PKI directory?
>
> Feel free to open an RFE at https://pagure.io/freeipa/new_issue
Currently the 'ipa-advise config-client-for-smart-card-auth' script adds
CA certificates to /etc/sssd/pki/sssd_auth_ca_db.pem.
HTH
bye,
Sumit
>
> rob
>
> >
> > Currently to make this useful functionality work, manual intervention is
> > necessary after running ipa-client-install (just having the cert in
> > /etc/ipa/ca.crt is not enough for p11_child to perform validation).
> >
> > Best regards,
> > Radoslaw
> > _______________________________________________
> > FreeIPA-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> > https://lists.fedorahosted.org/archives/list/[email protected]
> >
> > Do not reply to spam on the list, report it:
> > https://pagure.io/fedora-infrastructure
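A small pre-flight check for the CA file discussed in this thread, added here as an example (it is not code from the thread, from SSSD or from FreeIPA). It reports the two failure modes seen above (a symlink that sssd_t is denied from reading, or a missing/unreadable file) and otherwise counts the CA certificates in the PEM file, which distinguishes a copied /etc/ipa/ca.crt (one CA) from the ca-bundle.pem; the sample bundle it builds for offline use is constructed and holds placeholder bodies, not real certificates.

```shell
#!/bin/sh
# Added example (not from the thread, SSSD or FreeIPA): a pre-flight check
# for the PEM file p11_child validates user certificates against, i.e. the
# file named by pam_cert_db_path (default /etc/sssd/pki/sssd_auth_ca_db.pem).

# check_ca_db PATH
# Prints "symlink", "missing" or "unreadable" and returns 1 when p11_child
# would not be able to use the file; otherwise prints the number of PEM
# certificates it contains. A symlink counts as a failure because the AVC
# quoted in the thread shows sssd_t being denied read on an lnk_file.
check_ca_db() {
    path="$1"
    if [ -L "$path" ]; then
        echo "symlink"
        return 1
    fi
    if [ ! -f "$path" ]; then
        echo "missing"
        return 1
    fi
    if [ ! -r "$path" ]; then
        echo "unreadable"
        return 1
    fi
    # A single CA (a copied /etc/ipa/ca.crt) verifies only IPA-issued certs;
    # /var/lib/ipa-client/pki/ca-bundle.pem normally carries more than one.
    # grep -c prints 0 and returns 1 when the file holds no certificate.
    grep -c '^-----BEGIN CERTIFICATE-----' "$path"
}

# make_sample_bundle DIR
# Writes a constructed two-certificate PEM file (placeholder bodies, not
# real certificates) into DIR and prints its path, for offline testing.
make_sample_bundle() {
    f="$1/bundle.pem"
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA-1' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA-2' '-----END CERTIFICATE-----' \
        > "$f"
    echo "$f"
}

# Run directly against the live file:
#   sh check_ca_db.sh /etc/sssd/pki/sssd_auth_ca_db.pem
if [ -n "$1" ]; then
    check_ca_db "$1"
fi
```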