Am Wed, Jun 28, 2023 at 07:23:58AM +0200 schrieb Francis Augusto Medeiros-Logeay: > > > > On 23 Jun 2023, at 10:52, Sumit Bose via FreeIPA-users > > <[email protected]> wrote: > > > > Am Fri, Jun 23, 2023 at 09:03:55AM +0200 schrieb Francis Augusto > > Medeiros-Logeay via FreeIPA-users: > >> > >> > >>> On 22 Jun 2023, at 14:48, Rob Crittenden via FreeIPA-users > >>> <[email protected]> wrote: > >>> > >>> Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: > >>>> Hi, > >>>> > >>>> We have an application that requires Active Directory. In order to > >>>> provide SSO, the application gets a user certificate from AD and, as I > >>>> understand, uses it towards a RHEL machine as a smart card. I installed > >>>> AD's ca certificates on the RHEL client and it works when sssd.conf is > >>>> all configured towards AD. > >>>> > >>>> I've joined the client to AD, as I said, but I do want my `id_provider` > >>>> in `sssd.conf` to be `ldap` so that it gets my group info from FreeIPA. > >>>> But when I do this, the authentication doesn't work. > >>>> > >>>> Is there a way to either force pam/sssd to check the certificates > >>>> against AD while still getting groups and names from ldap, or to get > >>>> FreeIPA to approve the certificates? > >>>> > >>>> I know this might be a very corner case, but if we make it works, this > >>>> would be beautiful. > >>> > >> > >> Thanks Rob! > >> > >>> IMHO you should cross-post this to the SSSD users list as this seems > >>> more their area, > >>> https://lists.fedorahosted.org/archives/list/[email protected]/ > >> > >> I posted it there first, tbh, but got no reply. > >> > >>> I think expanding on your configuration would help too. Are you using > >>> the IPA certificate mapping to map the AD-issued certificates to an IPA > >>> user for authentication? > >> > >> No. The users are the same on both - same uid, gid, etc, but no > >> connection, trust, or anything. > >> The mapping on sssd.conf is this one: > >> > >> [certmap/mydomain.com/truesso] #Add this section and > >> following lines to set match and map rule for certificate user > >> matchrule = <EKU>msScLogin > >> maprule = > >> (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name})) > >> domains = mydomain.com > >> priority = 10 > >> > >> When id_provider = ad, it works, but not when it is `ldap`. But the users, > >> in principle, are the same. Could it be those attributes that are wrong? > > > > Hi, > > > > with 'id_provider = ad' the 'auth_provider' will be 'ad' as well, which > > is basically 'auth_provider = krb5' and Smartcard authentication is done > > the Kerberos way. With 'id_provider = ldap' the 'auth_provider' will be > > 'ldap' as well, so you might have to explicitly add 'auth_provider = > > krb5' > > > > Additionally, the 'maprule' is looking for LDAP attributes, so you IPA > > user must at least have the 'userPrincipal' attribute set with the > > principal which is stored in the subject alternative names of the > > certificate. > > > > Feel free to add 'debug_level = 9' to the [pam] and [domain/...] > > sections of sssd.conf, restart SSSD, try again and send the SSSD logs > > here. > > > > bye, > > Sumit > > > Hi Sumit, > > It fails on RHEL 9, though - before I was doing it on RHEL 9. > > I get this: > > Jun 28 07:21:09 sso-rhel-test krb5_child[3447]: Pre-authentication failed: > Preauthentication failed > Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: > pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 > tty= ruser= rhost= user=francis > Jun 28 07:21:09 sso-rhel-test krb5_child[3447]: Pre-authentication failed: > Preauthentication failed > Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: > pam_sss(gdm-password:auth): received for user francis: 7 (Authentication > failure) > Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: gkr-pam: unable to locate > daemon control file > Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: gkr-pam: stashed password > to try later in open ses > > Exact same configuration. Neither password nor certificate works, though > password works on ssh. > > Any tips here?
Hi, this might be related to https://bugzilla.redhat.com/show_bug.cgi?id=2214300 (https://bugzilla.redhat.com/show_bug.cgi?id=2155607 is the corresponding RHEL-9 ticket, but this is mostly private). Does it work any better if you set update-crypto-policies --set LEGACY:AD-SUPPORT-LEGACY bye, Sumit > > Best, > > Francis > _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
