Learn more about these different git repos.
Other Git URLs
EL7.4 sssd-1.15.2-50.el7_4.8.x86_64 ipa-client-4.5.0-22.sl7_4.x86_64
Users are in active directory with IPA<->AD trust. Yubikey smartcard certificate was issue by AD. Followed instructions to configure mapping and ipa certmap-match <smartcardcert> returns the proper user.
It appears that the wrong pin may be passed to the smartcard as it will get locked with multiple attempts.
sssd.conf:
[domain/nwra.com] cache_credentials = True krb5_auth_timeout = 30 krb5_store_password_if_offline = True krb5_realm = NWRA.COM ipa_domain = nwra.com id_provider = ipa auth_provider = ipa access_provider = ipa chpass_provider = ipa ipa_server = <ipaserver>, _srv_ ldap_tls_cacert = /etc/ipa/ca.crt dns_discovery_domain = nwra.com ipa_automount_location = boulder timeout = 20 debug_level = 5 [sssd] services = nss, sudo, pam, ssh, autofs domains = nwra.com full_name_format = %1$s default_domain_suffix = ad.nwra.com debug_level = 5 [nss] filter_users = root,apache,dovecot,mailman,postfix filter_groups = root,apache,dovecot,mailman,postfix filter_users_in_groups = false default_shell = /bin/bash debug_level = 5 override_homedir = /export/home/%u timeout = 20 [pam] debug_level = 8 pam_cert_auth = True [sudo] [autofs] [ssh] [pac] [ifp] [secrets]
Probably most relevant sssd_pam.log message:
(Thu Jan 11 15:30:36 2018) [sssd[pam]] [pam_dom_forwarder] (0x0400): User and certificate user do not match, continue with other authentication methods.
Also from sssd_nwra.com.log:
(Thu Jan 11 15:30:33 2018) [sssd[be[nwra.com]]] [dp_pam_handler] (0x0100): Got request with the following data (Thu Jan 11 15:30:33 2018) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE (Thu Jan 11 15:30:33 2018) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): domain: ad.nwra.com (Thu Jan 11 15:30:33 2018) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): user: USER@ad.nwra.com (Thu Jan 11 15:30:33 2018) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): service: gdm-smartcard (Thu Jan 11 15:30:33 2018) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): tty: /dev/tty1 (Thu Jan 11 15:30:33 2018) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): ruser: (Thu Jan 11 15:30:33 2018) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): rhost: (Thu Jan 11 15:30:33 2018) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): authtok type: 4 (Thu Jan 11 15:30:33 2018) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): newauthtok type: 0 (Thu Jan 11 15:30:33 2018) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): priv: 1 (Thu Jan 11 15:30:33 2018) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): cli_pid: 3125 (Thu Jan 11 15:30:33 2018) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): logon name: not set (Thu Jan 11 15:30:34 2018) [sssd[be[nwra.com]]] [child_sig_handler] (0x0100): child [3338] finished successfully. (Thu Jan 11 15:30:36 2018) [sssd[be[nwra.com]]] [dp_get_account_info_handler] (0x0200): Got request for [0x14][BE_REQ_BY_CERT][cert=MIIHJjCCBQ6gAwIBAgITdgAAAKY68SMhkEWcOQAAAAAApjANBgkqhkiG9w0BAQ0FADBcMRMwEQYKCZImiZPyLGQBGRYDY29tMRQwEgYKCZImiZPyLGQBGRYEbndyYTESMBAGCgmSJomT8ixkARkWAmFkMRswGQYDVQQDExJhZC1BRC1TRUFUVExFMDEtQ0EwHhcNMTgwMTExMTgzMDM0WhcNMTkwMTExMTgzMDM0WjCBgTETMBEGCgmSJomT8ixkARkWA2NvbTEUMBIGCgmSJomT8ixkARkWBG53cmExEjAQBgoJkiaJk/IsZAEZFgJhZDENMAsGA1UECxMETldSQTEXMBUGA1UECxMOQWRtaW4tQWNjb3VudHMxGDAWBgNVBAMTD09yaW9uIFBvcGxhd3NraTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKCp+gqYQDrrTZHhJ6ceJQuP+wYgH6H9yPPNj5Re0RKLdsbXUrB7hvzv0+2HIUEmuJ2+Nxn8KXz8N27VP2jNR6tKaeDmEwBWVCAQjAIkIF11z59jLNw7ZZ8ACs+DJ4jGzRPxWPOUKSfIrXyoXCg9PNO7vz5AN8NUnercEuOUQPqkxtnRlK8q6F5aK8wAjxYq34tlr91VQyKDt6kJXLrqHMAygAOEfj5QENYmuSx1LOuH+wiyH1Dc8OxzHW8bsk4cs3oR52MvKgMKs0hg/wVuMovXg4518T3qfnqT2AwJ9eoZARhpG2SKK9JSmr9haq8TRBbptkgQWAy4ZPuMMC9c/msCAwEAAaOCArkwggK1MB0GA1UdDgQWBBRiqCojAMNegiyqOp+WfQfsW39n8TAfBgNVHSMEGDAWgBR80kxpkDyTnbTOQ8W+/kd+XgwNOTCB2AYDVR0fBIHQMIHNMIHKoIHHoIHEhoHBbGRhcDovLy9DTj1hZC1BRC1TRUFUVExFMDEtQ0EsQ049QUQtU0VBVFRMRTAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWFkLERDPW53cmEsREM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBxwYIKwYBBQUHAQEEgbowgbcwgbQGCCsGAQUFBzAChoGnbGRhcDovLy9DTj1hZC1BRC1TRUFUVExFMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9YWQsREM9bndyYSxEQz1jb20/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwPgYJKwYBBAGCNxUHBDEwLwYnKwYBBAGCNxUIg+SaI4OlokOBjZ0QgZ7gGoGqhgaBMoSXzT6F++VJAgFkAgEDMB8GA1UdJQQYMBYGCisGAQQBgjcUAgIGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIHgDApBgkrBgEEAYI3FQoEHDAaMAwGCisGAQQBgjcUAgIwCgYIKwYBBQUHAwIwMgYDVR0RBCswKaAnBgorBgEEAYI3FAIDoBkMF29yaW9uLWFkbWluQGFkLm53cmEuY29tMA0GCSqGSIb3DQEBDQUAA4ICAQAq4JSDcTWx2uDkEI3/CRK6YxyGHc6SsV2+ppYJOQHRX8E3JfrjJ+Mq2kxTF9vqBn85I6xwF0ZZbEH35C0Qe/qaDXfFvvG9biofXcLBGlf+MjqA1+pSuqB+s4uoCP6Hsq9N7goRAv8lI/LDZSHvi66zwTbcL+O73TBTMNw2FA2MFQ3P39I/x5nm0dqF9nxm1DhUF4zI8hTxGoMlB9QtCcFZrm3meOHYsp1UbsA8lC2MX/oB0iajpztf9v4aqg8neXi/ZPfkmom+UXQgA/SONzEhxwELHPhKM0IqGD9d614Hh4rtpX7dmx/zXYqR7WyqjLWDehX+2xyTNJ0SvkxQTULodKVB+tDUInphMTJiae2t3V240LpA0oVUZxSWTzwQNomemI1C+uk7URSXF06wsk3eQbyTaY8RULrB/3ED91QkC/IZEuI4HC1GEmUJFeASLfWp1mEG6g2O/2u+F3wZhF2eW4PxgqVzCdzIn7x46E7h2d9Qgs6jEmVsKvN2fCcke0ozPudLnx7nWftmCgfS9hIWOOa5ImRZ4Lxgq/3gEiZv/R/ZyRhfYhCZBHl91ScykhlSvPQK9VG+7rpnIgs1uuhqc0VmP6O/REM2TKiPlXl53Y/GYLE2tFLlactn27Iz5vPqYLT25FX+RxDGp1GR1Mu5mxIbk4iztGk98KjYh3MwtA==] (Thu Jan 11 15:30:36 2018) [sssd[be[nwra.com]]] [users_get_send] (0x0040): sss_cert_derb64_to_ldap_filter failed. (Thu Jan 11 15:30:36 2018) [sssd[be[nwra.com]]] [ipa_id_get_account_info_orig_done] (0x0040): Failed to make request to our cache: [2]: [No such file or directory] (Thu Jan 11 15:30:36 2018) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080): DP Error is OK on failed request?
Possibly more related issues:
Jan 11 16:02:39 kernel: usb 1-2: new full-speed USB device number 8 using xhci_hcd Jan 11 16:02:39 kernel: usb 1-2: New USB device found, idVendor=1050, idProduct=0407 Jan 11 16:02:39 kernel: usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0 Jan 11 16:02:39 kernel: usb 1-2: Product: Yubikey 4 OTP+U2F+CCID Jan 11 16:02:39 kernel: usb 1-2: Manufacturer: Yubico Jan 11 16:02:39 kernel: input: Yubico Yubikey 4 OTP+U2F+CCID as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/input/input19 Jan 11 16:02:39 kernel: hid-generic 0003:1050:0407.0008: input,hidraw0: USB HID v1.10 Keyboard [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:00:14.0-2/input0 Jan 11 16:02:39 kernel: hid-generic 0003:1050:0407.0009: hiddev0,hidraw1: USB HID v1.10 Device [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:00:14.0-2/input1 Jan 11 16:02:39 mtp-probe[4529]: checking bus 1, device 8: "/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2" Jan 11 16:02:39 mtp-probe[4529]: bus: 1, device: 8 was not an MTP device Jan 11 16:02:39 pcscd[1526]: 07357107 ifdhandler.c:117:CreateChannelByNameOrChannel() failed Jan 11 16:02:39 pcscd[1526]: 00000014 readerfactory.c:1009:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:0:/dev/bus/usb/001/008) Jan 11 16:02:39 pcscd[1526]: 00000003 readerfactory.c:312:RFAddReader() Yubico Yubikey 4 OTP+U2F+CCID init failed. Jan 11 16:02:39 pcscd[1526]: 00003584 ccid_usb.c:1087:ControlUSB() control failed (1/8): -9 Resource temporarily unavailable Jan 11 16:02:39 pcscd[1526]: 00011156 ifdhandler.c:117:CreateChannelByNameOrChannel() failed Jan 11 16:02:39 pcscd[1526]: 00000011 readerfactory.c:1009:RFInitializeReader() Open Port 0x200002 Failed (usb:1050/0407:libudev:1:/dev/bus/usb/001/008) Jan 11 16:02:39 pcscd[1526]: 00000003 readerfactory.c:312:RFAddReader() Yubico Yubikey 4 OTP+U2F+CCID init failed. Jan 11 16:03:04 kernel: xhci_hcd 0000:00:14.0: WARN Event TRB for slot 7 ep 4 with no TDs queued? Jan 11 16:03:05 kernel: xhci_hcd 0000:00:14.0: WARN Event TRB for slot 7 ep 4 with no TDs queued? Jan 11 16:03:05 [sssd[krb5_child[4557]]][4557]: Pre-authentication failed: Failed to verify own certificate (depth 0): unable to get local issuer certificate: could not load the shared library Jan 11 16:03:05 gdm-smartcard][3343]: pam_sss(gdm-smartcard:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=USER@ad.nwra.com Jan 11 16:03:05 gdm-smartcard][3343]: pam_sss(gdm-smartcard:auth): received for user USER@ad.nwra.com: 17 (Failure setting user credentials) Jan 11 16:03:07 kernel: xhci_hcd 0000:00:14.0: WARN Event TRB for slot 7 ep 4 with no TDs queued?
16:03:05 [sssd[krb5_child[4557]]][4557]: Pre-authentication failed: Failed to verify own certificate (depth 0): unable to get local issuer certificate: could not load the shared library
indicates that some CA certificates are missing in /etc/krb5.conf. Please try to add them PEM files of the needed CA certificates with pkinit_anchors to /etc/krb5.conf. When using trusted domains you might need to add them to the realm sections of the trusted domains or to the [libdefaults] section as well.
If possible please send full logs so that we have more context to related the processing in the different components of SSSD.
Perhaps this a better set of logs. Covers a login attempt.
<img alt="sssd.tar.gz" src="/SSSD/sssd/issue/raw/files/a926a2aa4c971277751fde3f6f276fe7095b1c51a99d60815104e18ac8406083-sssd.tar.gz" />
I've added:
[realms] AD.NWRA.COM = { pkinit_anchors = FILE:/etc/pki/ca-trust/source/anchors/ad.nwra.com.crt } [domain_realm] .ad.nwra.com = AD.NWRA.COM ad.nwra.com = AD.NWRA.COM
And I don't see the verify cert error anymore, but I still see:
[sssd[krb5_child[9320]]][9320]: Pre-authentication failed: Preauthentication failed
The krb5_child.log file in the tar ball looks broken.
Besides pkinit_anchors you typically need to set
pkinit_eku_checking = none pkinit_kdc_hostname = your.ad.ad.fqdn
for AD because the KDC certificate typically does not have all data that the MIT Kerberos pkinit plugin expects. If there are multiple DC in your AD domain you can give pkinit_kdc_hostname multiple times.
Thanks, but that doesn't appear to have done the trick. I upped the debug level and in krb5_child.log I'm seeing:
(Tue Jan 16 09:59:56 2018) [[sssd[krb5_child[12379]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [AD.NWRA.COM] (Tue Jan 16 09:59:56 2018) [[sssd[krb5_child[12379]]]] [sss_child_krb5_trace_cb] (0x4000): [12379] 1516121996.488563: Getting initial credentials for USER@AD.NWRA.COM (Tue Jan 16 09:59:56 2018) [[sssd[krb5_child[12379]]]] [sss_child_krb5_trace_cb] (0x4000): [12379] 1516121996.488976: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_NWRA.COM (Tue Jan 16 09:59:56 2018) [[sssd[krb5_child[12379]]]] [sss_child_krb5_trace_cb] (0x4000): [12379] 1516121996.489322: Retrieving host/hplinlap.cora.nwra.com@NWRA.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/AD.NWRA.COM\@AD.NWRA.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_NWRA.COM with result: -1765328243/Matching credential not found (Tue Jan 16 09:59:56 2018) [[sssd[krb5_child[12379]]]] [sss_child_krb5_trace_cb] (0x4000): [12379] 1516121996.490000: Sending request (196 bytes) to AD.NWRA.COM ... (Tue Jan 16 09:59:56 2018) [[sssd[krb5_child[12379]]]] [sss_child_krb5_trace_cb] (0x4000): [12379] 1516121996.523514: Response was not from master KDC (Tue Jan 16 09:59:56 2018) [[sssd[krb5_child[12379]]]] [sss_child_krb5_trace_cb] (0x4000): [12379] 1516121996.523825: Received error from KDC: -1765328359/Additional pre-authentication required (Tue Jan 16 09:59:56 2018) [[sssd[krb5_child[12379]]]] [sss_child_krb5_trace_cb] (0x4000): [12379] 1516121996.524461: Processing preauth types: 16, 15, 19, 2 ... (Tue Jan 16 09:59:56 2018) [[sssd[krb5_child[12379]]]] [sss_child_krb5_trace_cb] (0x4000): [12379] 1516121996.892783: PKINIT client computed kdc-req-body checksum 9/663C6A7E40A95B3ACE8F70159CBF024338560C98 (Tue Jan 16 09:59:56 2018) [[sssd[krb5_child[12379]]]] [sss_child_krb5_trace_cb] (0x4000): [12379] 1516121996.893047: PKINIT client making DH request (Tue Jan 16 09:59:56 2018) [[sssd[krb5_child[12379]]]] [sss_child_krb5_trace_cb] (0x4000): [12379] 1516121996.991356: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed (Tue Jan 16 09:59:56 2018) [[sssd[krb5_child[12379]]]] [sss_child_krb5_trace_cb] (0x4000): [12379] 1516121996.991698: PKINIT client computed kdc-req-body checksum 9/663C6A7E40A95B3ACE8F70159CBF024338560C98 (Tue Jan 16 09:59:56 2018) [[sssd[krb5_child[12379]]]] [sss_child_krb5_trace_cb] (0x4000): [12379] 1516121996.991871: PKINIT client making RSA request (Tue Jan 16 09:59:56 2018) [[sssd[krb5_child[12379]]]] [sss_child_krb5_trace_cb] (0x4000): [12379] 1516121996.992264: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed (Tue Jan 16 09:59:56 2018) [[sssd[krb5_child[12379]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL. (Tue Jan 16 09:59:56 2018) [[sssd[krb5_child[12379]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for USER@AD.NWRA.COM]. (Tue Jan 16 09:59:56 2018) [[sssd[krb5_child[12379]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts. (Tue Jan 16 09:59:56 2018) [[sssd[krb5_child[12379]]]] [sss_child_krb5_trace_cb] (0x4000): [12379] 1516121996.993095: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password ```(Tue Jan 16 09:59:56 2018) [[sssd[krb5_child[12379]]]] [sss_child_krb5_trace_cb] (0x4000): [12379] 1516121996.999390: Retrying AS request with master KDC (Tue Jan 16 09:59:56 2018) [[sssd[krb5_child[12379]]]] [sss_child_krb5_trace_cb] (0x4000): [12379] 1516121996.999659: Getting initial credentials for USER@AD.NWRA.COM (Tue Jan 16 09:59:56 2018) [[sssd[krb5_child[12379]]]] [sss_child_krb5_trace_cb] (0x4000): [12379] 1516121996.999939: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_NWRA.COM (Tue Jan 16 09:59:57 2018) [[sssd[krb5_child[12379]]]] [sss_child_krb5_trace_cb] (0x4000): [12379] 1516121997.194: Retrieving host/hplinlap.cora.nwra.com@NWRA.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/AD.NWRA.COM\@AD.NWRA.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_NWRA.COM with result: -1765328243/Matching credential not found (Tue Jan 16 09:59:57 2018) [[sssd[krb5_child[12379]]]] [sss_child_krb5_trace_cb] (0x4000): [12379] 1516121997.735: Sending request (196 bytes) to AD.NWRA.COM (master) (Tue Jan 16 09:59:57 2018) [[sssd[krb5_child[12379]]]] [get_and_save_tgt] (0x0020): 1542: [-1765328174][Pre-authentication failed: Preauthentication failed] (Tue Jan 16 09:59:57 2018) [[sssd[krb5_child[12379]]]] [map_krb5_error] (0x0020): 1655: [-1765328174][Pre-authentication failed: Preauthentication failed] (Tue Jan 16 09:59:57 2018) [[sssd[krb5_child[12379]]]] [k5c_send_data] (0x0200): Received error code 1432158221 (Tue Jan 16 09:59:57 2018) [[sssd[krb5_child[12379]]]] [pack_response_packet] (0x2000): response packet size: [4] (Tue Jan 16 09:59:57 2018) [[sssd[krb5_child[12379]]]] [k5c_send_data] (0x4000): Response sent.
So, I'm trying to just debug the pkinit process using kinit. It seems like this should essentially be equivalent to what sssd krb5_child is trying to do:
kinit -X X509_user_identity=PKCS11:/usr/lib64/opensc-pkcs11.so USER@AD.NWRA.COM
When I run this under strace, I see it communicating with pcscd and then prompting for the pin. But after getting the pin, it never contacts the KDC. It seems like it is failing in the local pkinit code. It does read the AD CA cert:
stat("/etc/krb5.conf", {st_mode=S_IFREG|0644, st_size=983, ...}) = 0 open("/etc/pki/ca-trust/source/anchors/ad.nwra.com.crt", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=2025, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd32fee1000 read(5, "-----BEGIN CERTIFICATE-----\nMIIF"..., 4096) = 2025 read(5, "", 4096) = 0 close(5) = 0 munmap(0x7fd32fee1000, 4096) = 0 write(3, "[17537] 1516291652.556009: PKINI"..., 115[17537] 1516291652.556009: PKINIT client computed kdc-req-body checksum 9/9F896535A4705474CD6E5EDEA64BBCE2EFAD05B3 ) = 115 write(3, "[17537] 1516291652.556202: PKINI"..., 59[17537] 1516291652.556202: PKINIT client making DH request ) = 59 open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 5 fstat(5, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0 poll([{fd=5, events=POLLIN}], 1, 10) = 1 ([{fd=5, revents=POLLIN}]) read(5, "\355\2339\340\21\200)\273\260ART"..., 48) = 48 close(5) = 0 getuid() = 30657 write(3, "[17537] 1516291652.703401: Preau"..., 108[17537] 1516291652.703401: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed ) = 108 write(3, "[17537] 1516291652.703630: PKINI"..., 115[17537] 1516291652.703630: PKINIT client computed kdc-req-body checksum 9/9F896535A4705474CD6E5EDEA64BBCE2EFAD05B3 ) = 115 write(3, "[17537] 1516291652.703858: PKINI"..., 60[17537] 1516291652.703858: PKINIT client making RSA request ) = 60 write(3, "[17537] 1516291652.704148: Preau"..., 108[17537] 1516291652.704148: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed ) = 108
I used openssl verify to check that the SC cert was issued by the AD CA cert. I'm at a loss here now.
Have you verified that the matching private key is on the Smartcard/Yubikey as well (with the same Label and ID)?
Which version of krb5_pkinit are you using? I can prepare a build with extended debug output.
The SC works with Windows login, so I think it is fine. Not really sure how to check with linux tools. Using krb5-pkinit-1.15.1-8.el7.x86_64.
<img alt="krb5-pkinit-1.15.1-8.el7_4debug.x86_64.rpm" src="/SSSD/sssd/issue/raw/files/228e74515f81d47bee9f81d30d9e4e3adaa8e60f043f5de0e12ad6c6dafb34b0-krb5-pkinit-1.15.1-8.el7_4debug.x86_64.rpm" />
Please note, you can use this debug build only with kinit when you switch back to test with SSSD you have to revert krb5-pkinit to the original version because the debug output will currently confuse SSSD's krb5_child process.
PIV Card Holder pin (PIV_II) PIN: cert 0 size 1834 id 1 idlen 1 pkinit_cert_matching: no matching rules found in config file process_option_ca_crl: processing catype ANCHORS, value 'FILE:/etc/pki/ca-trust/source/anchors/ad.nwra.com.crt' crypto_load_cas_and_crls: called with idtype FILE and catype ANCHORS kdc_options = 0x40810000 till = 1516383152 [18374] 1516296760.46806: PKINIT client computed kdc-req-body checksum 9/3719AD12651BACEAA01D87B8BC6E6BC2BB4A5150 pkinit_as_req_create pa_type = 16 [18374] 1516296760.46850: PKINIT client making DH request as_req: DH key transport algorithm building certificate chain size of certificate chain = 2 cert #0: /DC=com/DC=nwra/DC=ad/OU=NWRA/OU=XXXX mech = CKM_RSA_PKCS found 1 private keys (ok) C_SignInit: key type inconsistent failed to create pkcs7 signed data pkinit_as_req_create retval=-1765328360 error -1765328360 on pkinit_as_req_create; aborting PKINIT pkinit_client_process: returning -1765328360 (Preauthentication failed) [18374] 1516296760.164632: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed pkinit_client_process 0x55f7e25dd110 0x55f7e25e14c0 0x55f7e25fe720 0x55f7e25fe360 processing KRB5_PADATA_PK_AS_REQ_OLD pkinit_client_profile 0x55f7e25dd110 0x55f7e25e14c0 0x55f7e25fe720 0x55f7e25feb88 kdc_options = 0x40810000 till = 1516383152 [18374] 1516296760.164744: PKINIT client computed kdc-req-body checksum 9/3719AD12651BACEAA01D87B8BC6E6BC2BB4A5150 pkinit_as_req_create pa_type = 14 [18374] 1516296760.164770: PKINIT client making RSA request as_req: RSA key transport algorithm building certificate chain size of certificate chain = 2 cert #0: /DC=com/DC=nwra/DC=ad/OU=NWRA/OU=XXX mech = CKM_RSA_PKCS found 1 private keys (ok) C_SignInit: key type inconsistent failed to create pkcs7 signed data pkinit_as_req_create retval=-1765328360 error -1765328360 on pkinit_as_req_create; aborting PKINIT pkinit_client_process: returning -1765328360 (Preauthentication failed) [18374] 1516296760.165111: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed
So it appears that the problem is that the PIV certificate generated by the Windows Yubikey provisioning does not have the sign attribute set:
$ pkcs15-tool --list-keys Using reader with a card: Yubico Yubikey 4 OTP+U2F+CCID 00 00 Private RSA Key [PIV AUTH key] Object Flags : [0x1], private Usage : [0x22], decrypt, unwrap Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local ModLength : 2048 Key ref : 154 (0x9A) Native : yes Auth ID : 01 ID : 01 MD:guid : 0x'30313231386233383365633636653439393830333566303837383063393831370000000000000000'
Which pkinit_sign_data_pkcs11() -> C_SignInit() requires it to have.
At this point I have no idea how to get it to have this usage flag, or why the MIT->OpenSC process requires but Windows apparently does not.
This appears to be a bug in CSIS Enrollment Station, now filed here: https://github.com/CSIS/EnrollmentStation/issues/32
The keys created with it do not have the "sign" usage flag set. Keys created with the Windows YubiKey PIV Manager self-enrollment process do and work.
Metadata Update from @orion: - Issue close_status updated to: Invalid
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4637
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.