Closed macgeneral closed 1 year ago
Hi,
the `krb5_child[..]: Pre-authentication failed: Cannot read password` error message is most probably an expected message while checking which pre-authentication methods are available on the KDC. It would be best if you can send the full logs of an authentication attempt with `debug_level = 9` in the `[pam]` and `[domain/...]` sections of `sssd.conf`.
bye, Sumit
Hi,
Thank you for your fast response. Unfortunately the logs are of limited use (to me at least).
Is there a way to increase the output of `krb5_child`? `KRB5_TRACE=/dev/stdout` unfortunately doesn't work.
Sorry my bad, I expected it in systemd's journalctl...
And here are all the other logs in the timeframe.
After setting `pam_cert_db_path = /usr/share/ca-certificates/trust-source/company.bundle.crt` in the `[pam]` section of the sssd.conf, the `p11_child` succeeds but it now takes 90 seconds for the password prompt (when issuing sudo) to fall back to the AD password. Seems like `sssd_pam` runs into a timeout (because the `ldap_child` fails to connect to one server and therefore fails to obtain the certificate)...
Specifying `p11_uri = pkcs11:[..]` unfortunately doesn't help either.
Here are the current logs: sssd_DOMAIN.COMPANY.TLD.log
Hi,
thanks for the logs. You are right about the timeout. I would suggest trying to increase the search timeout to e.g. 20s by setting `ldap_search_timeout = 20`. Since by default the `userCertificate` attribute is not indexed, the initial searches might take more than the default timeout of 6s. Later on SSSD will use the data stored in the local cache. Depending on the certificate content it might be possible to use a different matching rule to use attributes which are indexed in AD, but for a start I would try to continue with the default rule and just increase the timeout.
bye, Sumit
Hi,
Sorry for the delay. Unfortunately setting `ldap_search_timeout` didn't change anything.
Is there a way to use `krb5_child` for pkinit instead of `p11_child`? What does Kerberos do differently?
```text
user@host:~$ KRB5_TRACE=/dev/stdout kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so'
[16755] 1636310195.707987: Getting initial credentials for aduser@DOMAIN.COMPANY.TLD
[16755] 1636310195.707989: Sending unauthenticated request
[16755] 1636310195.707990: Sending request (217 bytes) to DOMAIN.COMPANY.TLD
[16755] 1636310195.707991: Sending initial UDP request to dgram [ IPv4 address ]:88
[16755] 1636310195.707992: Received answer (325 bytes) from dgram [ IPv4 address ]:88
[16755] 1636310195.707993: Response was from primary KDC
[16755] 1636310195.707994: Received error from KDC: -1765328359/Additional pre-authentication required
[16755] 1636310195.707997: Preauthenticating using KDC method data
[16755] 1636310195.707998: Processing preauth types: PA-PK-AS-REQ (16), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-FAST (136), PA-FX-COOKIE (133)
[16755] 1636310195.707999: Selected etype info: etype aes256-cts, salt "DOMAIN.COMPANY.TLDfirstname.lastname", params ""
[16755] 1636310195.708000: Received cookie: Microsof\x00
[16755] 1636310197.335577: PKINIT client received freshness token from KDC
[16755] 1636310197.335578: Preauth module pkinit (150) (info) returned: 0/Success
Company Corporate ID Card PIN:
[16755] 1636310202.400926: PKINIT loading CA certs and CRLs from FILE
[16755] 1636310202.400927: PKINIT client computed kdc-req-body checksum 9/4198425C152FBEFC4A3CB183CFC98661D5A1FB46
[16755] 1636310202.400929: PKINIT client making DH request
[16755] 1636310203.085172: Preauth module pkinit (16) (real) returned: 0/Success
[16755] 1636310203.085173: Produced preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)
[16755] 1636310203.085174: Sending request (29469 bytes) to DOMAIN.COMPANY.TLD
[16755] 1636310203.085175: Initiating TCP connection to stream [ IPv4 address ]:88
[16755] 1636310203.085176: Sending TCP request to stream [ IPv4 address ]:88
[16755] 1636310204.255293: Received answer (4893 bytes) from stream [ IPv4 address ]:88
[16755] 1636310204.255294: Terminating TCP connection to stream [ IPv4 address ]:88
[16755] 1636310204.255295: Response was from primary KDC
[16755] 1636310204.255296: Processing preauth types: PA-PK-AS-REP (17)
[16755] 1636310204.255297: PKINIT client verified DH reply
[16755] 1636310204.255298: PKINIT client config accepts KDC dNSName SAN domain.company.tld
[16755] 1636310204.255299: PKINIT client config accepts KDC dNSName SAN DOMAIN
[16755] sub.domain.company.tld
[16755] 1636310204.255301: PKINIT client found dNSName SAN in KDC cert: domain.company.tld
[16755] 1636310204.255302: PKINIT client found dNSName SAN in KDC cert: DOMAIN
[16755] 1636310204.255303: PKINIT client matched KDC hostname domain.company.tld against dNSName SAN; EKU check still required
[16755] 1636310204.255304: PKINIT found acceptable EKU and digitalSignature KU
[16755] 1636310204.255305: PKINIT client found acceptable EKU in KDC cert
[16755] 1636310204.255306: PKINIT client used octetstring2key to compute reply key aes256-cts/E3E6
[16755] 1636310204.255307: Preauth module pkinit (17) (real) returned: 0/Success
[16755] 1636310204.255308: Produced preauth for next request: (empty)
[16755] 1636310204.255309: AS key determined by preauth: aes256-cts/E3E6
[16755] 1636310204.255310: Decrypted AS reply; session key is: aes256-cts/D074
[16755] 1636310204.255311: FAST negotiation: available
[16755] 1636310204.255312: Initializing KCM:aduserid:94866 with default princ aduser@DOMAIN.COMPANY.TLD
[16755] 1636310204.255313: Storing aduser@DOMAIN.COMPANY.TLD -> krbtgt/DOMAIN.COMPANY.TLD@DOMAIN.COMPANY.TLD in KCM:aduserid:94866
[16755] 1636310204.255314: Storing config in KCM:aduserid:94866 for krbtgt/DOMAIN.COMPANY.TLD@DOMAIN.COMPANY.TLD: fast_avail: yes
[16755] 1636310204.255315: Storing aduser@DOMAIN.COMPANY.TLD -> krb5_ccache_conf_data/fast_avail/krbtgt\/DOMAIN.COMPANY.TLD\@DOMAIN.COMPANY.TLD@X-CACHECONF: in KCM:aduserid:94866
[16755] 1636310204.255316: Storing config in KCM:aduserid:94866 for krbtgt/DOMAIN.COMPANY.TLD@DOMAIN.COMPANY.TLD: pa_type: 16
[16755] 1636310204.255317: Storing aduser@DOMAIN.COMPANY.TLD -> krb5_ccache_conf_data/pa_type/krbtgt\/DOMAIN.COMPANY.TLD\@DOMAIN.COMPANY.TLD@X-CACHECONF: in KCM:aduserid:94866
[16755] 1636310204.255318: Storing config in KCM:aduserid:94866 for krbtgt/DOMAIN.COMPANY.TLD@DOMAIN.COMPANY.TLD: pa_config_data: {"X509_user_identity":"PKCS11:module_name=opensc-pkcs11.so"}
[16755] 1636310204.255319: Storing aduser@DOMAIN.COMPANY.TLD -> krb5_ccache_conf_data/pa_config_data/krbtgt\/DOMAIN.COMPANY.TLD\@DOMAIN.COMPANY.TLD@X-CACHECONF: in KCM:aduserid:94866
```
Btw. are the following settings converted correctly from `krb5.conf` to `sssd.conf` syntax?

| krb5.conf | sssd.conf |
| --- | --- |
| `pkinit_identities = PKCS11:opensc-pkcs11.so` | `pam_cert_auth = TRUE` |
| `pkinit_anchors = FILE:/usr/share/ca-certificates/trust-source/company.bundle.crt` | `pam_cert_db_path = /usr/share/ca-certificates/trust-source/company.bundle.crt` |
| `pkinit_cert_match = <EKU>msScLogin,clientAuth` | `[DOMAIN]`<br>`[..]`<br>`certificate_rules = pki`<br>`[certificate_rule/pki]`<br>`certificate_match = <EKU>msScLogin,clientAuth` |
| `pkinit_kdc_hostname = domain.company.tld`<br>`pkinit_kdc_hostname = DOMAIN` | ??? |
Note: it seems like it's fetching lots of other domain users' information from the LDAP in sssd_DOMAIN.COMPANY.TLD.log, so I assume something with the LDAP configuration/lookup is wrong. I had to redact those values but you can search for `redacted` in the log file.
> Btw. are the following settings converted correctly from `krb5.conf` to `sssd.conf` syntax?
>
> | krb5.conf | sssd.conf |
> | --- | --- |
> | `pkinit_identities = PKCS11:opensc-pkcs11.so` | `pam_cert_auth = TRUE` |
> | `pkinit_anchors = FILE:/usr/share/ca-certificates/trust-source/company.bundle.crt` | `pam_cert_db_path = /usr/share/ca-certificates/trust-source/company.bundle.crt` |
> | `pkinit_cert_match = <EKU>msScLogin,clientAuth` | `[DOMAIN]`<br>`[..]`<br>`certificate_rules = pki`<br>`[certificate_rule/pki]`<br>`certificate_match = <EKU>msScLogin,clientAuth` |
Hi,
this is wrong, you do not need a reference in the `[domain/...]` section but use the domain name in the mapping and matching section, which is called `[certmap/...]`. Since you have `<EKU>msScLogin` in the matching rule it might be worth trying a different mapping rule than the default rule (match whole certificate), which does not seem to work properly and causes the LDAP search timeout. I would suggest to use:

```ini
[certmap/your.domain.name/pki]
matchrule =
```
> `pkinit_kdc_hostname = domain.company.tld`
> `pkinit_kdc_hostname = DOMAIN`
> ???
There is no corresponding SSSD option. All pkinit options should be kept in krb5.conf to allow manual pkinit as well. SSSD will not override those options to avoid confusion, but it needs some of the options to select and validate the certificate.
To your other question about `krb5_child` and `p11_child`: SSSD will use `krb5_child` for pkinit, but currently SSSD was not able to relate the user and the certificate with the default mapping rule. That's why `krb5_child` is not called for pkinit. I hope the new mapping rule which uses the userPrincipalName from the certificate works better.
bye, Sumit
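As an added illustration of the conversion discussed above (not code from this thread or from the SSSD project), the following Python lints an sssd.conf fragment for exactly the mistakes raised here: `pkinit_*` options copied in from krb5.conf, a `certificate_rules`/`[certificate_rule/...]` construct instead of `[certmap/<domain>/<rule>]`, and a certmap section without a `matchrule`. Both inline fragments are constructed; the option and section names it expects are the ones named in this thread.

```python
import configparser

# Constructed sssd.conf fragment with the mistakes from the thread: pkinit_*
# options copied from krb5.conf and certificate_rules instead of [certmap/...].
WRONG_CONF = """\
[pam]
pam_cert_auth = TRUE
pam_cert_db_path = /usr/share/ca-certificates/trust-source/company.bundle.crt
pkinit_identities = PKCS11:opensc-pkcs11.so
pkinit_cert_match = <EKU>msScLogin,clientAuth
[domain/DOMAIN.COMPANY.TLD]
ldap_user_certificate = userCertificate;binary
certificate_rules = pki
pkinit_kdc_hostname = domain.company.tld
[certificate_rule/pki]
certificate_match = <EKU>msScLogin,clientAuth
"""
# Constructed fragment following the advice above: pkinit options stay in
# krb5.conf, matching lives in a [certmap/<domain>/<rule>] section.
FIXED_CONF = """\
[pam]
pam_cert_auth = TRUE
pam_cert_db_path = /usr/share/ca-certificates/trust-source/company.bundle.crt
[domain/DOMAIN.COMPANY.TLD]
ldap_user_certificate = userCertificate;binary
[certmap/DOMAIN.COMPANY.TLD/pki]
matchrule = <EKU>msScLogin
"""

def lint_sssd_conf(text):
    # Return a list of findings; an empty list means none of the known mistakes.
    cp = configparser.ConfigParser(interpolation=None)  # keep '%u'-style values literal
    cp.read_string(text)
    findings = []
    certmap_domains = {s.split("/")[1].lower() for s in cp.sections() if s.startswith("certmap/")}
    for section in cp.sections():
        for key in cp[section]:
            if key.startswith("pkinit_"):  # no SSSD equivalent, belongs in krb5.conf
                findings.append(f"[{section}] {key}: not an SSSD option, keep it in krb5.conf")
        if section.startswith("certificate_rule"):
            findings.append(f"[{section}]: unknown section, use [certmap/<domain>/<rule>]")
        if section.startswith("certmap/") and "matchrule" not in cp[section]:
            findings.append(f"[{section}]: matchrule missing")
    for section in (s for s in cp.sections() if s.startswith("domain/")):
        domain = section.split("/", 1)[1]
        if "certificate_rules" in cp[section]:
            findings.append(f"[{section}] certificate_rules: unknown option, use [certmap/{domain}/<rule>]")
        if domain.lower() not in certmap_domains:  # default rule: match the whole certificate
            findings.append(f"no [certmap/{domain}/<rule>] section: the default rule matches the whole certificate")
    return findings
```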
Hi,
Thank you for your very fast response.
Unfortunately it still fails - but this time way faster.
I've tried to reduce the log output by searching for my name and attaching the 10 following lines for each match. I've redacted the OU= parts with [..] - but I think it successfully retrieves the certificate anyways.
Seems like sssd currently doesn't recognize my second smartcard reader (`pcsc_scan` does though) - so I've switched to the internal one and retried (the ldap_child and DOMAIN log were empty for the timeframe on the second attempt):
From the logs I would assume that retrieving my certificate from LDAP was successful and that sssd used the cached version in the second attempt. It still fails to prompt for the smartcard PIN though.

```text
[pam] [pam_eval_prompting_config] (0x4000): No prompting configuration found.
```

How can I fix this or do I miss something else? I would provide the PIN on stdin / tty (and later on in the GUI prompts of Polkit/GDM).
PS: I did set the `p11_child_timeout = 30` in the `[pam]` section of the sssd.conf for testing purposes, but it just results in a longer time to wait for the error.
Hi,
it looks like p11_child is stuck in the OCSP check, please try to disable it by setting `certificate_verification = no_ocsp` in the `[sssd]` section of `sssd.conf`.
bye, Sumit
Hi,

```text
(2021-11-08 10:49:05): [p11_child[11715]] [read_certs] (0x4000): found cert[Auth [date-from date-to]][/serialNumber=ADUSER/GN=Firstname/SN=Lastname/O=Company/CN=Lastname Firstname]
(2021-11-08 10:49:05): [p11_child[11715]] [do_ocsp] (0x4000): Using OCSP URL [http://ocsp.company.tld].
(2021-11-08 10:49:10): [p11_child[11715]] [do_ocsp] (0x4000): Nonce in OCSP response is the same as the one used in the request.
(2021-11-08 10:49:10): [p11_child[11715]] [do_ocsp] (0x4000): OCSP check was successful.
(2021-11-08 10:49:10): [p11_child[11715]] [read_certs] (0x4000): found cert[Encr [date-from date-to] 03][/serialNumber=ADUSER/GN=Firstname/SN=Lastname/O=Company/CN=Lastname Firstname]
(2021-11-08 10:49:10): [p11_child[11715]] [do_ocsp] (0x4000): Using OCSP URL [http://ocsp.company.tld].
```

-- getting the response from your OCSP server is very slow.
You can try to disable OCSP for a test - `certificate_verification = no_ocsp` - see `man sssd.conf` for details.
Or, alternatively, try to increase `p11_child_timeout` - to allow more time for communication with the OCSP server.
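As an added triage helper (not code from this thread or from SSSD), the following Python reads p11_child log lines in the format quoted above, pairs each "Using OCSP URL" line with its "OCSP check was successful" line, and reports the per-certificate OCSP latency against `p11_child_timeout`, flagging a check that never completes. The sample lines are constructed from the excerpt, and the 10 s default for `p11_child_timeout` is an assumption; pass your configured value.

```python
import re
from datetime import datetime

# Constructed p11_child log excerpt modelled on the lines quoted above: the Auth
# certificate's OCSP check takes 5 s, the Encr certificate's never completes.
SAMPLE_LOG = """\
(2021-11-08 10:49:05): [p11_child[11715]] [read_certs] (0x4000): found cert[Auth [date-from date-to]][/serialNumber=ADUSER/GN=Firstname/SN=Lastname/O=Company/CN=Lastname Firstname]
(2021-11-08 10:49:05): [p11_child[11715]] [do_ocsp] (0x4000): Using OCSP URL [http://ocsp.company.tld].
(2021-11-08 10:49:10): [p11_child[11715]] [do_ocsp] (0x4000): Nonce in OCSP response is the same as the one used in the request.
(2021-11-08 10:49:10): [p11_child[11715]] [do_ocsp] (0x4000): OCSP check was successful.
(2021-11-08 10:49:10): [p11_child[11715]] [read_certs] (0x4000): found cert[Encr [date-from date-to] 03][/serialNumber=ADUSER/GN=Firstname/SN=Lastname/O=Company/CN=Lastname Firstname]
(2021-11-08 10:49:10): [p11_child[11715]] [do_ocsp] (0x4000): Using OCSP URL [http://ocsp.company.tld].
"""

# "(timestamp): [p11_child[pid]] [function] (level): message"
LINE_RE = re.compile(r"^\((?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\): \[p11_child\[\d+\]\] "
                     r"\[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")

# The 10 s default for p11_child_timeout is an assumption; pass the configured value.
def ocsp_timeline(log, p11_child_timeout=10):
    # Returns (checks, verdict); checks is a list of (cert label, seconds or None).
    checks, label, started = [], None, None
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        msg = m["msg"]
        if m["func"] == "read_certs" and msg.startswith("found cert["):
            label = msg[len("found cert["):].split(" ", 1)[0]  # "Auth" / "Encr"
        elif msg.startswith("Using OCSP URL"):
            started = ts
        elif msg.startswith("OCSP check was successful") and started is not None:
            checks.append((label, (ts - started).total_seconds()))
            started = None
    if started is not None:  # a check that was started but never finished in the log
        checks.append((label, None))
    total = sum(s for _, s in checks if s is not None)
    if any(s is None for _, s in checks):
        verdict = f"an OCSP check never completed in the log: responder unreachable or p11_child_timeout ({p11_child_timeout}s) hit"
    elif total >= p11_child_timeout:
        verdict = f"OCSP checks took {total:.0f}s, at or above p11_child_timeout={p11_child_timeout}s"
    else:
        verdict = f"OCSP checks took {total:.0f}s, within p11_child_timeout={p11_child_timeout}s"
    return checks, verdict
```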
@macgeneral we are assuming the issue is fixed and configuration related. Please feel free to reopen if it is not the case.
Related Issue: #5377
OS: Manjaro (Arch Linux)
SSSD Version 2.5.2
Kerberos 5 version 1.19.2
OpenSC 0.22.0 [gcc 11.1.0]
I have a working SSSD setup including SSSD-KCM as credential cache and everything works as expected.
My company uses SmartCards to authenticate users for example on AD and on Windows laptops users can login using either the SmartCard + PIN or their AD password. They also use self-signed Root and Intermediate CAs. On Linux I'm able to login using the SmartCard + PIN as well when using the `pam_krb5.so` module, but the same configuration does not work when I try to use `pam_sss.so` with SmartCard authentication enabled instead.

I enabled SmartCard authentication in SSSD by adding `ldap_user_certificate = userCertificate;binary` and `pam_cert_auth = TRUE` in the respective configurations and creating the file `/var/lib/sss/pubconf/pam_preauth_available`. Unfortunately I get the following error in the logs and `pam_sss.so` falls back to the AD password:

When I use `p11_child` with the directory path as originally configured in `/etc/krb5.conf` the certificate authentication fails:

When concatenating all of them into a single file it succeeds:
But it still fails when I try to authenticate with it with the same error as mentioned above.
I was hoping maybe @sumit-bose can point me into the right direction :).
Thank you already in advance!
Relevant config snippets:

`/etc/krb5.conf`

```ini
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 10h
renew_lifetime = 7d
forwardable = true
proxiable = true
default_realm = DOMAIN.COMPANY.TLD
default_ccache_name = KCM:

[appdefaults]
pam = {
    ticket_lifetime = 10h
    renew_lifetime = 7d
    forwardable = true
    proxiable = true
    retain_after_close = false
    minimum_uid = 200000
    krb4_convert = false
}

[realms]
DOMAIN.COMPANY.TLD = {
    admin_server = hostname.domain.company.tld
    default_domain = DOMAIN.COMPANY.TLD
    # SmartCard
    pkinit_identities = PKCS11:opensc-pkcs11.so
    # DIR:/usr/share/ca-certificates/trust-source/anchors/ works as well
    pkinit_anchors = FILE:/usr/share/ca-certificates/trust-source/company.bundle.crt
    pkinit_cert_match =
```

`/etc/sssd/sssd.conf`

```ini
[sssd]
config_file_version = 2
domains = DOMAIN.COMPANY.TLD
services = nss, pam

[kcm]
krb5_renew_interval = 1h
timeout = 3000
tgt_renewal = TRUE

[pam]
debug_level = 10
# no limit
offline_credentials_expiration = 0
offline_failed_login_attempts = 10
;offline_failed_login_delay = 5
pam_verbosity = 1
# SmartCard
pam_cert_auth = TRUE

[nss]
default_shell = /bin/zsh
filter_groups = root
filter_users = root
reconnection_retries = 3
```

`/etc/sssd/conf.d/company.tld.conf`

```ini
[domain/DOMAIN.COMPANY.TLD]
debug_level = 7
lookup_family_order = ipv4_only
realmd_tags = manages-system joined-with-adcli
cache_credentials = TRUE
case_sensitive = FALSE
default_shell = /bin/zsh
override_shell = /bin/zsh
auto_private_groups = TRUE
enumerate = FALSE
fallback_homedir = /home/%u
min_id = 200000
use_fully_qualified_names = FALSE
access_provider = ad
auth_provider = ad
chpass_provider = ad
id_provider = ad
ad_domain = domain.company.tld
ad_enable_dns_sites = TRUE
ad_enable_gc = TRUE
ad_access_filter = (|(sAMAccountName=adusername))
ad_maximum_machine_account_password_age = 30
ad_hostname = hostname.domain.company.tld
dyndns_update = TRUE
dyndns_ttl = 3600
dyndns_refresh_interval = 43200
dyndns_update_ptr = FALSE
dns_discovery_domain = domain.company.tld
ldap_schema = ad
ldap_sasl_mech = GSSAPI
ldap_id_mapping = TRUE
ldap_idmap_default_domain = domain.company.tld
ldap_sasl_authid = hostname$
ldap_group_nesting_level = 0
ldap_user_name = sAMAccountName
ldap_user_gecos = userPrincipalName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_group_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = TRUE
ldap_pwd_policy = mit_kerberos
ldap_krb5_keytab = /etc/krb5.keytab
# SmartCard authentication with pam_sss.so
ldap_user_certificate = userCertificate;binary
krb5_realm = DOMAIN.COMPANY.TLD
krb5_validate = TRUE
krb5_keytab = /etc/krb5.keytab
krb5_store_password_if_offline = TRUE
krb5_use_fast = try
krb5_fast_principal = HOSTNAME$
krb5_renewable_lifetime = 10h
krb5_lifetime = 10h
krb5_renew_interval = 1h
```

example for `/etc/pam.d/[..]`

```ini
[..]
# workaround to use the SmartCard PIN with krb5
#auth [success=done authinfo_unavail=ignore ignore=ignore default=ignore] pam_krb5.so search_k5login use_pkinit
auth sufficient pam_sss.so ignore_authinfo_unavail
[..]
```

PS: Sorry for opening a new issue but I didn't want to necro-bump the old (and very long) thread.