#3364 pkinit failure with (info): Failed to get certificate content [22].
Closed: Invalid 7 years ago Opened 7 years ago by frenaud.

ipa-server 4.5.0-5.el7 and sssd 1.15.2-8.el7
IPA server configured with a user 'democert' which contains a usercertificate delivered by IPA CA.

kinit with the user certificate fails:

$ kinit -X X509_user_identity='FILE:/path/to/cert.pem,/path/to/cert.key' democert
kinit: Preauthentication failed while getting initial credentials

Corresponding logs in /var/log/krb5kdc.log:

Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.34.58.20: NEEDED_PREAUTH: democert@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): closing down fd 11
Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): Initializing IPA certauth plugin.
Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): sss_certmap initialized.
Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): Doing certauth authorize for [democert@EXAMPLE.COM]
Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): Failed to get certificate content [22].
Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): preauth (pkinit) verify failure: Invalid argument
Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.34.58.20: PREAUTH_FAILED: democert@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): closing down fd 11

I suspect the issue happens in sss_certmap_get_search_filter, see following code from ipa_kdb_certauth.c:

krb5_klog_syslog(LOG_INFO, "Doing certauth authorize for [%s]", principal);

ret = sss_certmap_get_search_filter(moddata->sss_certmap_ctx,
                                    cert, cert_len,
                                    &cert_filter, &domains);
if (ret != 0) {
    if (ret == ENOENT) {
        ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
    }
    goto done;
}
krb5_klog_syslog(LOG_INFO, "Got cert filter [%s]", cert_filter);
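
The ticket is ultimately about reading the KDC log correctly: the certauth plugin reports a bare errno in brackets, and the pkinit preauth line only repeats its strerror. The following parser is an added example, not code from the ticket, from FreeIPA or from SSSD. It runs over the krb5kdc.log lines quoted above (embedded here as a constructed sample), correlates the certauth error with the AS_REQ that then fails, and translates the errno number with Python's errno table (22 is EINVAL on Linux). It assumes the log format shown above and that each krb5kdc process handles one AS_REQ at a time, so the pid is enough to tie the lines together; both are assumptions for the example, not facts the ticket states.

```python
import errno
import re
from collections import defaultdict

# Constructed sample: the krb5kdc.log excerpt from the ticket, verbatim.
SAMPLE_LOG = """\
Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.34.58.20: NEEDED_PREAUTH: democert@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): closing down fd 11
Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): Initializing IPA certauth plugin.
Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): sss_certmap initialized.
Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): Doing certauth authorize for [democert@EXAMPLE.COM]
Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): Failed to get certificate content [22].
Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): preauth (pkinit) verify failure: Invalid argument
Apr 06 14:59:55 ipaserver.example.com krb5kdc[4860](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.34.58.20: PREAUTH_FAILED: democert@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
"""

# One krb5kdc log line: timestamp, host, "krb5kdc[pid](level): message".
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): (?P<msg>.*)$'
)
# AS_REQ lines: the etype list is skipped lazily up to ") ", then client, status, principal.
AS_REQ_RE = re.compile(
    r'AS_REQ .*?\) (?P<client>[\d.:a-fA-F]+): (?P<status>[A-Z_]+): '
    r'(?P<princ>\S+) for (?P<server>[^\s,]+)'
)
CERTAUTH_RE = re.compile(r'Doing certauth authorize for \[(?P<princ>[^\]]+)\]')
CONTENT_ERR_RE = re.compile(r'Failed to get certificate content \[(?P<errno>\d+)\]')
PREAUTH_ERR_RE = re.compile(r'preauth \((?P<mech>\w+)\) verify failure: (?P<reason>.*)')


def parse_line(line):
    """Split one log line into its fields, or None if it is not a krb5kdc line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_pkinit_failures(log_text):
    """Return one record per pre-auth failure in which the IPA certauth plugin
    reported an errno before the KDC answered PREAUTH_FAILED.

    Assumption (example only): one AS_REQ in flight per krb5kdc pid, so the
    pid is the correlation key between NEEDED_PREAUTH and PREAUTH_FAILED.
    """
    pending = defaultdict(dict)   # pid -> partial record for the in-flight AS_REQ
    failures = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        pid, msg = rec['pid'], rec['msg']
        state = pending[pid]

        m = AS_REQ_RE.search(msg)
        if m:
            if m['status'] == 'NEEDED_PREAUTH':
                # A fresh exchange: remember who is asking and from where.
                pending[pid] = {'ts': rec['ts'], 'principal': m['princ'],
                                'client': m['client']}
            elif m['status'] == 'PREAUTH_FAILED' and 'certauth_errno' in state:
                code = state['certauth_errno']
                failures.append({
                    'ts': state.get('ts'),
                    'principal': m['princ'],
                    'client': m['client'],
                    'certauth_principal': state.get('certauth_principal'),
                    'mech': state.get('mech'),
                    'errno': code,
                    'errno_name': errno.errorcode.get(code, 'UNKNOWN'),
                    'reason': state.get('reason'),
                })
                pending.pop(pid, None)
            continue

        m = CERTAUTH_RE.search(msg)
        if m:
            state['certauth_principal'] = m['princ']
            continue
        m = CONTENT_ERR_RE.search(msg)
        if m:
            # The bracketed number is a bare errno; keep it numeric for lookup.
            state['certauth_errno'] = int(m['errno'])
            continue
        m = PREAUTH_ERR_RE.search(msg)
        if m:
            state['mech'] = m['mech']
            state['reason'] = m['reason']
    return failures


if __name__ == '__main__':
    for f in find_pkinit_failures(SAMPLE_LOG):
        print(f"{f['ts']} {f['principal']} from {f['client']}: "
              f"{f['mech']} failed, certauth errno {f['errno']} ({f['errno_name']}): {f['reason']}")
```

Run against the sample it reports a single failure for democert@EXAMPLE.COM from 10.34.58.20 with errno 22 (EINVAL), which is the same fact the ticket's "Invalid argument" line carries in words. On a real KDC with several worker processes the pid key still holds, since each process logs its own exchange under its own pid.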

Turned out to be a krb5 issue, closing.

Metadata Update from @sbose:
- Issue close_status updated to: Invalid
- Issue status updated to: Closed (was: Open)

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4394

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
