Closed briantownjr closed 10 months ago
Log output from a gdm login attempt:
pam.log
(2023-11-09 17:35:41): [pam] [sss_dp_get_account_send] (0x0400): [CID#4] Creating request for [example.com][0x3][BE_REQ_INITGROUPS][name=radmin@example.com:-]
(2023-11-09 17:35:41): [pam] [sbus_dispatch] (0x4000): Dispatching.
(2023-11-09 17:35:41): [pam] [sss_domain_get_state] (0x1000): [CID#4] Domain example.com is Active
(2023-11-09 17:35:41): [pam] [cache_req_search_cache] (0x0400): [CID#4] CR #6: Looking up [radmin@example.com] in cache
(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Added timed event "ldb_kv_callback": 0x56069f4d3960
(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Added timed event "ldb_kv_timeout": 0x56069f4d3a30
(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Running timer event 0x56069f4d3960 "ldb_kv_callback"
(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Destroying timer event 0x56069f4d3a30 "ldb_kv_timeout"
(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Destroying timer event 0x56069f4d3960 "ldb_kv_callback"
(2023-11-09 17:35:41): [pam] [cache_req_search_cache] (0x0400): [CID#4] CR #6: Object [radmin@example.com] was not found in cache
(2023-11-09 17:35:41): [pam] [cache_req_search_ncache_add_to_domain] (0x0400): [CID#4] CR #6: Adding [radmin@example.com] to negative cache
(2023-11-09 17:35:41): [pam] [is_user_local_by_name] (0x0400): [CID#4] User radmin@example.com is a local user
(2023-11-09 17:35:41): [pam] [sss_ncache_set_str] (0x0400): [CID#4] Adding [NCE/USER/example.com/radmin@example.com] to negative cache
(2023-11-09 17:35:41): [pam] [cache_req_global_ncache_add] (0x2000): [CID#4] CR #6: This request type does not support global negative cache
(2023-11-09 17:35:41): [pam] [cache_req_process_result] (0x0400): [CID#4] CR #6: Finished: Not found
(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Added timed event "ldb_kv_callback": 0x56069f4d3890
(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Added timed event "ldb_kv_timeout": 0x56069f4d3a30
(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Running timer event 0x56069f4d3890 "ldb_kv_callback"
(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Destroying timer event 0x56069f4d3a30 "ldb_kv_timeout"
(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Destroying timer event 0x56069f4d3890 "ldb_kv_callback"
(2023-11-09 17:35:41): [pam] [pam_reply] (0x4000): [CID#4] pam_reply initially called with result [10]: User not known to the underlying authentication module. this result might be changed during processing
(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Added timed event "ldb_kv_callback": 0x56069f4d3890
(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Added timed event "ldb_kv_timeout": 0x56069f4d3960
(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Running timer event 0x56069f4d3890 "ldb_kv_callback"
(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Destroying timer event 0x56069f4d3960 "ldb_kv_timeout"
(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Destroying timer event 0x56069f4d3890 "ldb_kv_callback"
Not sure why it's getting this:
(2023-11-09 16:45:25): [pam] [pam_reply] (0x0200): [CID#1] Returning [10]: User not known to the underlying authentication module to the client
As the user can be looked up via id: running id btown reports back user information.
nsswitch.conf
passwd: files sss systemd
group: files sss systemd
netgroup: sss files
automount: sss files
services: sss files
p11_child.log
(2023-11-09 17:35:14): [p11_child[2373]] [do_card] (0x4000): [CID#3] common name: [p11-kit-trust].
(2023-11-09 17:35:14): [p11_child[2373]] [do_card] (0x4000): [CID#3] dll name: [/usr/lib64/pkcs11/p11-kit-trust.so].
(2023-11-09 17:35:14): [p11_child[2373]] [do_card] (0x4000): [CID#3] Description [/etc/pki/ca-trust/source] Manufacturer [PKCS#11 Kit] flags [1] removable [false] token present [true].
(2023-11-09 17:35:14): [p11_child[2373]] [do_card] (0x4000): [CID#3] Description [/usr/share/pki/ca-trust-source] Manufacturer [PKCS#11 Kit] flags [1] removable [false] token present [true].
(2023-11-09 17:35:14): [p11_child[2373]] [do_card] (0x4000): [CID#3] common name: [opensc].
(2023-11-09 17:35:14): [p11_child[2373]] [do_card] (0x4000): [CID#3] dll name: [/usr/lib64/pkcs11/opensc-pkcs11.so].
(2023-11-09 17:35:14): [p11_child[2373]] [do_card] (0x4000): [CID#3] Description [VMware Virtual USB CCID 00 00] Manufacturer [VMware] flags [7] removable [true] token present [true].
(2023-11-09 17:35:14): [p11_child[2373]] [do_card] (0x4000): [CID#3] Token label [PIV_II].
(2023-11-09 17:35:14): [p11_child[2373]] [do_card] (0x4000): [CID#3] Found [PIV_II] in slot [VMware Virtual USB CCID 00 00][0] of module [1][/usr/lib64/pkcs11/opensc-pkcs11.so].
(2023-11-09 17:35:14): [p11_child[2373]] [do_card] (0x4000): [CID#3] Login NOT required.
(2023-11-09 17:35:14): [p11_child[2373]] [read_certs] (0x4000): [CID#3] found cert[Certificate for PIV Authentication][/ISSUER/UID=btown/CN=Brian Town (affiliate)]
The cert contains UID=btown, which should be mapping back to my AD. However, GDM seems to autologin when the smartcard is plugged in (to GDM at least), so it seems it's trying to grab info off the card instead of letting me supply the username I am logging in as and just doing the mapping.
Hi,
would it be possible to attach the full log files?
bye, Sumit
And please also mention what SSSD version are you using.
Here you are: sssd-2.8.2-3.el8_8.x86_64 pcsc-lite-1.9.5-1.el8.x86_64 krb5-workstation-1.18.2-25.el8_8.x86_64 opensc-0.20.0-4.el8.x86_64 gdm-40.0-27.el8.x86_64
Last attempt at GDM login with same issue was 01:44 timeframe
p11_child.log sssd.log sssd_example.com.log sssd_ifp.log sssd_kcm.log sssd_nss.log sssd_pac.log sssd_pam.log sssd_ssh.log sssd_sudo.log
Hi,
it looks like your mapping rule is not used because the domain part in the section header [certmap/rst.gsfc.nasa.gov/pancakes] must match the domain name in sssd.conf, so [certmap/example.com/pancakes]. Additionally please remove ldap_user_certificate = altSecurityIdentities from sssd.conf, this breaks the default lookup for certificates where the whole certificate is used.
HTH
bye, Sumit
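The two configuration mistakes Sumit points out (a certmap section whose domain part does not match the domain configured in sssd.conf, and an ldap_user_certificate override) are easy to catch mechanically. The following checker is an added example, not SSSD's own code; it assumes only the sssd.conf(5) layout of [sssd] domains = ..., [domain/NAME] and [certmap/DOMAIN/RULE] sections, and the sample config it parses is constructed to reproduce the thread's setup:

```python
"""Flag certmap rules in an sssd.conf that SSSD will silently not apply."""
import configparser

# Constructed sample reproducing the misconfiguration from the thread:
# the certmap section names a domain other than the configured one, and
# ldap_user_certificate overrides the default whole-certificate lookup.
# The matchrule/maprule values are placeholders, not the reporter's rules.
SAMPLE_CONF = """
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
ldap_user_certificate = altSecurityIdentities

[certmap/rst.gsfc.nasa.gov/pancakes]
matchrule = <SUBJECT>.*UID=.*
maprule = LDAP:(userCertificate;binary={cert!bin})
"""


def parse(text):
    # interpolation=None: maprule templates contain braces and percent signs
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_certmap(text):
    """Return a list of human-readable findings; an empty list means OK."""
    cp = parse(text)
    findings = []
    raw = cp.get("sssd", "domains", fallback="")
    domains = {d.strip() for d in raw.split(",") if d.strip()}
    for section in cp.sections():
        parts = section.split("/")
        if parts[0] == "certmap":
            if len(parts) != 3:
                findings.append(f"[{section}]: expected [certmap/<domain>/<rule>]")
            elif parts[1] not in domains:
                findings.append(f"[{section}]: domain '{parts[1]}' is not in "
                                f"[sssd] domains {sorted(domains)}; rule is never used")
        elif parts[0] == "domain" and cp.has_option(section, "ldap_user_certificate"):
            findings.append(f"[{section}]: ldap_user_certificate = "
                            f"{cp.get(section, 'ldap_user_certificate')} overrides "
                            "the default whole-certificate lookup")
    return findings


if __name__ == "__main__":
    for line in check_certmap(SAMPLE_CONF):
        print(line)
```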
Sorry, forgot to come back here. I noticed that as well after putting in a ticket with Red Hat. There's still an issue when you run "authselect select sssd with-smartcard" where GDM seems to take over trying to figure out the username instead of letting you input it, but this works fine with using pam_sss.so in the gdm-password pam configuration.
Closing this out. Thanks for the help!
Hi,
thanks for the update. Yes, this is a feature of GDM which is switched on by authselect by default. If you do not like it, you can disable it in GDM's dconf by setting enable-smartcard-authentication to false in the [org/gnome/login-screen] dconf section.
bye, Sumit
System = Rocky Linux 8 running default GNOME desktop, with sssd, pcsc-lite, opensc, krb5-workstation and other packages installed in order to join the system to a Windows AD domain.
Windows AD server = 2019, fully updated.
Using the same configuration setup that works on Ubuntu 20.04.
krb5.conf
sssd.conf
/etc/sssd/pki/sssd_auth_ca_db.pem has all certs associated to smartcard as well as KDC cert
Smartcard shows up on system
Logging in via terminal, a kinit btown@example.com prompts for PIN and then gives me a ticket.
Logged in via console (VMware Workstation with a terminal open), I enter a PIN and then get dropped to having to enter Password.
One error during testing I found in the krb5_child.log:
Setting /etc/pam.d/sudo with auth sufficient pam_sss.so require_cert_auth
When running a sudo command I get
Please Enter a Smartcard
Followed immediately twice by
Please (re)insert a Different Smartcard Please (re)insert a Different Smartcard