Hi,

On Wed, Jan 25, 2023 at 10:04 PM r0nam1 via FreeIPA-users <[email protected]> wrote:

> Noted, I'll hit 'reply-all' from now on.
>
> Looking over those links you sent me, I've decided to:
>
> - Ran 'ipa user-show $user' and verified the certificate returned
>
> - Ran 'ipa certmap-match cert.pem' on an extracted certificate that is
>   also on the SmartCard, it returned my user.
>
> - Ran 'kinit' and it reacted to my smartcard being present, asking for a
>   PIN along with my username being displayed, giving the default pin of
>   '123456' it returned an error I haven't been able to decipher yet:
>
>   '*kinit: KDC policy rejects request while getting initial credentials*'
>
> I think this is the current blocking point in the authentication process,
> any ideas what it fully means? My google-fu has failed me here.
>

There are a few additional things to check.

1. Was the certificate on your smart card issued by IPA CA or by a different CA?
   If it was issued by a different CA, this CA must be trusted and this is
   achieved by running the preparation steps for the server:

       kinit admin
       ipa-advise config-server-for-smart-card-auth > config-server-for-smart-card-auth.sh
       chmod +x config-server-for-smart-card-auth.sh
       ./config-server-for-smart-card-auth.sh issuingca.pem

   Do not forget to execute ipa-certupdate on all IPA machines (server,
   replica, clients).

2. If you don't use mapping rules and matching rules, the default applies and
   SSSD ensures that the certificate from the smart card contains the Extended
   Key Usage "clientAuth". Does your certificate have this EKU?

3. Is the ipa server properly configured for pkinit? What is the output of

       ipa-pkinit-manage status

flo

> On 1/25/23 12:39, Rob Crittenden wrote:
> > r0nam1 wrote:
> > > So far it's a lot of 'I thinks'. I think I've configured OpenSC and
> > > pcscd correctly, I think I've configured SSSD correctly, and I think
> > > I've configured PAM correctly, if you can give me a list of relevant
> > > logs or test commands (even full directories of logs) I'll do what I can.
> >
> > Please keep responses on the list.
> >
> > The log to see depends on the behavior.
> >
> > Some additional readings (some are rather old but still relevant):
> > https://floblanc.wordpress.com/?s=smart
> > https://frasertweedale.github.io/blog-redhat/posts/2016-08-12-yubikey-sc-login.html
> >
> > rob
>

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
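The two certificate conditions in points 1 and 2 of the reply above (issuer trusted, EKU clientAuth present) can be tried offline on the certificate extracted from the card before touching the KDC. This is an added example, not code from the thread or from FreeIPA/SSSD; it assumes OpenSSL 1.1.1 or later and uses placeholder file names, with the demo certificates constructed on the fly.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA/SSSD. Pre-checks for
# points 1 and 2 above on a certificate extracted from the card: does it carry
# EKU clientAuth, and does it chain to the issuing CA (the PEM you would pass
# to config-server-for-smart-card-auth.sh)? Assumes OpenSSL >= 1.1.1.
set -u

# 0 if CERT ($1) carries Extended Key Usage clientAuth. openssl prints EKU
# purposes by name; clientAuth appears as "TLS Web Client Authentication".
check_client_auth_eku() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
        | grep -q 'TLS Web Client Authentication'
}

# 0 if CERT ($1) verifies against the CA PEM ($2): the trust relationship
# point 1 asks about when the card cert was not issued by the IPA CA.
check_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run both checks on CERT ($1) / CA ($2) and report them on one line.
smartcard_precheck() {
    eku=MISSING; chain=FAIL
    check_client_auth_eku "$1" && eku=ok
    check_chains_to_ca "$1" "$2" && chain=ok
    echo "eku=$eku chain=$chain"
}

# Constructed test data: throwaway self-signed cert written to $1, with the
# extension in $2 (empty string = none). The private key is discarded.
make_self_signed() {
    set -- "$1" "$2" "$(mktemp)"
    if [ -n "$2" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$3" -out "$1" \
            -subj '/CN=smartcard-test' -days 1 -addext "$2" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$3" -out "$1" \
            -subj '/CN=smartcard-test' -days 1 2>/dev/null
    fi
    rm -f "$3"
}

# Stand-alone demo: a cert with clientAuth next to one without.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_self_signed "$d/good.pem" 'extendedKeyUsage=clientAuth'
    make_self_signed "$d/noeku.pem" ''
    smartcard_precheck "$d/good.pem" "$d/good.pem"    # eku=ok chain=ok
    smartcard_precheck "$d/noeku.pem" "$d/good.pem"   # eku=MISSING chain=FAIL
    rm -rf "$d"
fi
```

Run it as `sh precheck.sh --demo`, or source it and call `smartcard_precheck cert.pem issuingca.pem` on the real files; a MISSING or FAIL is a local finding that does not need the KDC log.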
