ipa-server 4.5.0-5.el7 and sssd 1.15.2-8.el7
IPA server configured with a user 'democert' which contains a usercertificate delivered by IPA CA.
kinit with the user certificate fails:
    $ kinit -X X509_user_identity='FILE:/path/to/cert.pem,/path/to/cert.key' democert
    kinit: Preauthentication failed while getting initial credentials
Corresponding logs in /var/log/krb5kdc.log:
    Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.34.58.20: NEEDED_PREAUTH: democert@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
    Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): closing down fd 11
    Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): Initializing IPA certauth plugin.
    Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): sss_certmap initialized.
    Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): Doing certauth authorize for [democert@EXAMPLE.COM]
    Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): Failed to get certificate content [22].
    Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): preauth (pkinit) verify failure: Invalid argument
    Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.34.58.20: PREAUTH_FAILED: democert@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
    Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): closing down fd 11
I suspect the issue happens in sss_certmap_get_search_filter, see following code from ipa_kdb_certauth.c:
    krb5_klog_syslog(LOG_INFO, "Doing certauth authorize for [%s]", principal);

    ret = sss_certmap_get_search_filter(moddata->sss_certmap_ctx, cert, cert_len,
                                        &cert_filter, &domains);
    if (ret != 0) {
        if (ret == ENOENT) {
            ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
        }
        goto done;
    }
    krb5_klog_syslog(LOG_INFO, "Got cert filter [%s]", cert_filter);
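An added triage example, not part of the original report and not SSSD or FreeIPA code: it ties the certauth and pkinit messages in krb5kdc.log to the AS_REQ that ended in PREAUTH_FAILED, using the log lines quoted above as constructed sample input. Reading the bracketed number as an errno value is an assumption, and the function and pattern names are hypothetical.

```python
import errno
import re

# Constructed sample input: the krb5kdc.log entries quoted in the report.
P = "Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): "
REQ = "AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.34.58.20: "
TGT = "democert@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, "
SAMPLE_LOG = "\n".join([
    P + REQ + "NEEDED_PREAUTH: " + TGT + "Additional pre-authentication required",
    P + "closing down fd 11",
    P + "Initializing IPA certauth plugin.",
    P + "sss_certmap initialized.",
    P + "Doing certauth authorize for [democert@EXAMPLE.COM]",
    P + "Failed to get certificate content [22].",
    P + "preauth (pkinit) verify failure: Invalid argument",
    P + REQ + "PREAUTH_FAILED: " + TGT + "Preauthentication failed",
    P + "closing down fd 11",
])

LINE = re.compile(r"^(?P<ts>\w{3} \d{2} [\d:]{8}) \S+ krb5kdc\[(?P<pid>\d+)\]\(\w+\): (?P<msg>.*)$")
AUTHORIZE = re.compile(r"^Doing certauth authorize for \[(?P<princ>[^\]]+)\]")
CERT_FAIL = re.compile(r"^Failed to get certificate content \[(?P<code>\d+)\]")
PKINIT_FAIL = re.compile(r"^preauth \(pkinit\) verify failure: (?P<reason>.*)$")
AS_REQ = re.compile(r"^AS_REQ \(.*?\) (?P<client>\S+): (?P<status>[A-Z_]+): (?P<princ>\S+) for ")

def triage(log_text):
    """Return one finding per PREAUTH_FAILED AS_REQ with the plugin messages that preceded it."""
    pending = {}    # KDC pid -> details collected since that pid's last AS_REQ line
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # not a krb5kdc entry
        pid, msg = m["pid"], m["msg"]
        state = pending.setdefault(pid, {})
        if (a := AUTHORIZE.match(msg)):
            state["certauth_principal"] = a["princ"]
        elif (c := CERT_FAIL.match(msg)):
            code = int(c["code"])         # assumption: the bracketed value is an errno
            state["certauth_code"] = code
            state["certauth_errno"] = errno.errorcode.get(code, "unknown")
        elif (p := PKINIT_FAIL.match(msg)):
            state["pkinit_reason"] = p["reason"]
        elif (r := AS_REQ.match(msg)):
            if r["status"] == "PREAUTH_FAILED":
                findings.append({"time": m["ts"], "client": r["client"],
                                 "principal": r["princ"], **state})
            pending[pid] = {}             # an AS_REQ line closes the exchange
    return findings
```

On the sample it reports a single failure for democert@EXAMPLE.COM from 10.34.58.20, carrying certauth code 22 (EINVAL) and the pkinit reason "Invalid argument".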
Turned out to be a krb5 issue, closing.
Metadata Update from @sbose:
- Issue close_status updated to: Invalid
- Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to GitHub. This means that new issues and pull requests will be accepted only in SSSD's GitHub repository.
This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/4394
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.