SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

Can't auth via cert, while password has to be changed #7089

Open lo1ol opened 7 months ago

lo1ol commented 7 months ago

I noticed that password expiration affects authentication via smart card.

To reproduce:

  1. add a user
  2. set up a password for the user as admin (in this case the password has to be changed)
  3. issue a cert for the user
  4. set up sssd for smart card auth
  5. try to log in via smart card
  6. SSSD asks for the PIN but fails at the authentication step

If I disconnect the smart card, log in via password, change the PIN and try to log in via smart card again, everything works.

Expected behaviour: an expired password doesn't affect certificate auth.

sssd_pam.log sssd_rtkn.test.log

sumit-bose commented 7 months ago

Hi,

can you share krb5_child.log as well?

bye, Sumit

lo1ol commented 7 months ago

krb5_child.log sssd_rtkn.test.log p11_child.log sssd_pam.log

sumit-bose commented 7 months ago

Hi,

thanks for the logs. The KDC is returning KRB5KDC_ERR_KEY_EXP ("Received error from KDC: -1765328361/Password has expired" in krb5_child.log). So I would think that the KDC is requesting a password renewal before any other credentials, like Smartcard, can proceed. Unfortunately SSSD does not handle this properly and still prompts the user for the PIN. This has to be fixed.

Can you try to call kinit manually with options to use the Smartcard for authentication and check if it is asking to renew the password first?

I understand that this is not the behavior you are expecting but as a client we cannot overwrite what the KDC is expecting.

bye, Sumit
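To make the failure mode Sumit describes visible in practice, here is an added triage helper (not SSSD project code) that reads a krb5_child.log excerpt and reports whether the KDC answered with KRB5KDC_ERR_KEY_EXP, so that a PIN prompt followed by a failure is attributed to the KDC-side password expiry rather than to the card or the PIN. The log lines below are constructed samples in the style of krb5_child.log; only the "Received error from KDC: -1765328361/Password has expired" string is what this issue actually quotes.

```shell
#!/bin/sh
# Added example, not part of SSSD: classify a krb5_child.log excerpt (stdin).
# Prints exactly one of:
#   kdc-password-expired  - KDC returned KRB5KDC_ERR_KEY_EXP (-1765328361)
#   kdc-other-error       - KDC returned some other error
#   no-kdc-error          - no "Received error from KDC" line at all
classify_krb5_child_log() {
    log=$(cat)
    # -1765328361 is the numeric value of KRB5KDC_ERR_KEY_EXP shown in the issue
    if printf '%s\n' "$log" | grep -q 'Received error from KDC: -1765328361/'; then
        echo kdc-password-expired
    elif printf '%s\n' "$log" | grep -q 'Received error from KDC: -'; then
        echo kdc-other-error
    else
        echo no-kdc-error
    fi
}

# Constructed sample excerpts (not the logs attached to the issue).
SAMPLE_EXPIRED='[krb5_child[1234]] [get_and_save_tgt] (0x0020): [-1765328361][Received error from KDC: -1765328361/Password has expired]
[krb5_child[1234]] [map_krb5_error] (0x0020): [-1765328361][Password has expired]'
SAMPLE_OK='[krb5_child[1235]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [EXAMPLE.TEST]
[krb5_child[1235]] [validate_tgt] (0x0400): TGT verified using key for [host/client.example.test@EXAMPLE.TEST]'

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_EXPIRED" | classify_krb5_child_log   # kdc-password-expired
printf '%s\n' "$SAMPLE_OK"      | classify_krb5_child_log   # no-kdc-error
```

On a real client run `classify_krb5_child_log < /var/log/sssd/krb5_child.log` (with debug_level high enough for the KDC error to be logged); a result of kdc-password-expired means the PIN prompt was misleading and the user's password must be changed before PKINIT can proceed.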

lo1ol commented 7 months ago

Thank you for your advice. I didn't know that I can auth via smart card using the kinit app.

BTW, after your suggestion I started to think about smart card user authentication directly in my PAM module using krb5 (like kinit does). Would it be OK if I start getting Kerberos tickets for smart card users in my PAM module (in pam_authenticate), while the other pam_* functions are still called from the pam_sss module?

sumit-bose commented 7 months ago

> Thank you for your advice. I didn't know that I can auth via smart card using the kinit app.
>
> BTW, after your suggestion I started to think about smart card user authentication directly in my PAM module using krb5 (like kinit does). Would it be OK if I start getting Kerberos tickets for smart card users in my PAM module (in pam_authenticate), while the other pam_* functions are still called from the pam_sss module?

Hi,

it depends on your PAM configuration how the PAM modules are called but you can configure it in such a way that multiple PAM modules must run successfully for an authentication to succeed. However, since SSSD called by pam_sss will already request a Kerberos ticket for you with the help of the Smartcard I wonder what would be the use-case to let another PAM module do this as well? And if you do not want to use SSSD, then there is e.g. the pam_krb5 module which can use the Smartcard to request a Kerberos ticket as well.

HTH

bye, Sumit

lo1ol commented 7 months ago

We just faced a lot of problems with pam_sss:

  1. https://github.com/SSSD/sssd/issues/6974
  2. https://github.com/SSSD/sssd/issues/7007
  3. https://github.com/SSSD/sssd/issues/7089
  4. inability to auth via a simple password while a smart card is inserted

I tried to inform you about all of them, but difficulties exist. So maybe it would be better to just get the Kerberos ticket by myself, if that's everything your PAM module does. It could resolve a lot of restrictions in my project...

lo1ol commented 6 months ago

Can you please answer my question? It's pretty important for me. I already fixed all of these problems by calling kinit inside my PAM module. If it's equal to what pam_sss does, then it is OK.

If what I ask is unclear, I can try to re-explain it more clearly.

sumit-bose commented 6 months ago

> Can you please answer my question? It's pretty important for me. I already fixed all of these problems by calling kinit inside my PAM module. If it's equal to what pam_sss does, then it is OK.
>
> If what I ask is unclear, I can try to re-explain it more clearly.

Hi,

besides getting the TGT like kinit, SSSD might do this with a FAST tunnel (-T option of kinit), which includes requesting the needed armor tickets first. After getting the TGT, SSSD might try to validate the TGT by requesting a service ticket with the TGT, similar to what the kvno command does. As recommended by Microsoft, SSSD might validate the PAC in an Active Directory environment. But for just authenticating the user, what kinit does is sufficient, and SSSD might just do this in a classical Kerberos environment where clients are not joined to a domain, i.e. have a host keytab which allows the host to authenticate itself.

HTH

bye, Sumit
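The three steps Sumit lists (armor ticket, TGT via the smart card inside a FAST tunnel, TGT validation with a service ticket) can be reproduced by hand with the MIT Kerberos tools, which is also the manual check he asked for earlier in the thread: if the KDC enforces a password change, step 2 fails with "Password has expired" before any PIN-related code runs. This is an added example, not SSSD's own code or kinit invocation; the PKCS#11 module name, keytab and ccache paths and the host principal are assumptions to adjust for your site, and DRY_RUN=1 only echoes the commands instead of running them.

```shell
#!/bin/sh
# Added example (not SSSD project code): mimic SSSD's kinit/FAST/kvno sequence.
# Assumed values, override via the environment:
set -eu
PKCS11_MODULE=${PKCS11_MODULE:-opensc-pkcs11.so}   # assumption: OpenSC PKCS#11 module
HOST_KEYTAB=${HOST_KEYTAB:-/etc/krb5.keytab}       # assumption: host keytab of a joined client
ARMOR_CC=${ARMOR_CC:-FILE:/tmp/armor_cc}           # ccache for the armor (host) TGT
USER_CC=${USER_CC:-FILE:/tmp/user_cc}              # ccache for the user's TGT
DRY_RUN=${DRY_RUN:-0}                              # 1 = print commands instead of running them

# run CMD ARGS...: echo in dry-run mode, otherwise execute.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Default host principal for this client (falls back to "localhost" when hostname -f is unavailable).
default_host_princ() {
    printf 'host/%s\n' "$(hostname -f 2>/dev/null || echo localhost)"
}

# Step 1: armor TGT from the host keytab (only possible on a domain-joined host).
get_armor_ticket() {
    host_princ=${1:-$(default_host_princ)}
    run kinit -k -t "$HOST_KEYTAB" -c "$ARMOR_CC" "$host_princ"
}

# Step 2: user TGT via PKINIT with the smart card, inside a FAST tunnel (-T).
# A KDC that demands a password change answers KRB5KDC_ERR_KEY_EXP here.
get_user_tgt_pkinit() {
    user_princ=$1
    run kinit -T "$ARMOR_CC" -c "$USER_CC" \
        -X "X509_user_identity=PKCS11:module_name=$PKCS11_MODULE" "$user_princ"
}

# Step 3: validate the TGT kvno-style: fetch a service ticket for the host and
# decrypt it with the host key (kvno -k), proving the TGT came from the real KDC.
validate_tgt() {
    host_princ=${1:-$(default_host_princ)}
    run kvno -c "$USER_CC" -k "$HOST_KEYTAB" "$host_princ"
}

# Full sequence for one user principal, e.g. alice@EXAMPLE.TEST.
smartcard_auth_like_sssd() {
    get_armor_ticket
    get_user_tgt_pkinit "$1"
    validate_tgt
}

# Usage: [DRY_RUN=1] sh pkinit_check.sh user@REALM
if [ $# -ge 1 ]; then
    smartcard_auth_like_sssd "$1"
fi
```

Without a host keytab (the non-joined case Sumit mentions) drop step 1 and the -T option: plain `kinit -X X509_user_identity=... user@REALM` is then the equivalent of what pam_sss does for authentication alone.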