[Freeipa-users] Smart Card login into an Active Directory User
s***@cox.net
2017-02-02 19:03:28 UTC
I am running an IPA server (4.4.0) on RHEL 7.3 which is integrated with a Windows Active Directory server. I am trying to configure the IPA server to allow the Active Directory Users to log into Gnome with a CAC smart card. I’m having a hard time finding any instructions on how to do this. The problem I’m having is the Common Name from the smart card is not getting associated with the Active Directory account. I added the certificate from the smart card to the IPA server by creating a User ID override for the AD user account. I made sure to not use authconfig to configure smart cards and I added ifp to the services line in the sssd.conf file.

I have the following packages installed:
ipa-admintools.noarch 4.4.0-14.el7_3.4
ipa-client.x86_64 4.4.0-14.el7_3.4
ipa-client-common.noarch 4.4.0-14.el7_3.4
ipa-common.noarch 4.4.0-14.el7_3.4
ipa-python-compat.noarch 4.4.0-14.el7_3.4
ipa-server.x86_64 4.4.0-14.el7_3.4
ipa-server-common.noarch 4.4.0-14.el7_3.4
ipa-server-dns.noarch 4.4.0-14.el7_3.4
ipa-server-trust-ad.x86_64 4.4.0-14.el7_3.4

I can log in with AD user accounts that are configured with UserName and Passwords, so I know that the integration is working. When I try to log into GDM with my smart card, I don’t get prompted for a PIN number. It only asks for the password from the AD account.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Sumit Bose
2017-02-03 08:33:13 UTC
Please have a look at the steps described in
https://bugzilla.redhat.com/show_bug.cgi?id=1300420#c9 . Please let me
know if you run into issues.

HTH

bye,
Sumit
Sumit Bose
2017-02-03 10:00:22 UTC
Please also check if you followed the steps in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/smart-cards.html

HTH

bye,
Sumit
s***@cox.net
2017-02-03 20:59:26 UTC
Hello Sumit,
I followed the instructions in comment #9. I modified the /etc/pam.d/smartcard-auth file and the two files that are under /etc/dconf/db/distro.d/. But it still doesn't work. GDM will prompt me for a password, not the PIN, when I plug in the smart card. Do I need to run "authconfig --enablesmartcard --smartcardmodule=no_module --update" before I change the files? Should I remove pam_pkcs11 too? I have been able to get AD smart card login working using standard authconfig, pam_pkcs11, and the cn_map. I just don't want to use the cn_map file and have to list all of my users' "Common Names" in this file.
Sumit Bose
2017-02-08 08:45:13 UTC
With the steps you described, running authconfig is not needed and might
even do more harm than good. I think it would be best to check the SSSD
logs next.

Please add 'debug_level = 9' at least to the [pam] section of sssd.conf
and restart SSSD (see https://fedorahosted.org/sssd/wiki/Troubleshooting
for details). Now try to authenticate again. The relevant log files are
/var/log/sssd/sssd_pam.log and /var/log/sssd/p11_child.log. The latter,
e.g., should show if there are any issues validating the certificate.

Feel free to send the log files to me directly if you do not want to
share them on a public list.

HTH

bye,
Sumit
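A small shell helper that turns the configuration and debugging advice in this thread into checks: it verifies that `ifp` is in the `services` list of the `[sssd]` section (the setting the original poster added) and that `debug_level` is set in `[pam]` (the setting asked for above), writes a corrected copy of the config, and counts failure lines in a `p11_child.log`. This is an added example, not code from the thread or from SSSD/FreeIPA; the sample config and log lines are constructed for the demonstration, and the `fail|error` pattern is a heuristic assumption, not SSSD's exact message text.

```shell
#!/bin/sh
# Added example, not from the thread or from SSSD/FreeIPA.
# Checks an sssd.conf for the two settings discussed in the thread
# ('ifp' in the [sssd] services list, debug_level in the [pam] section),
# writes a corrected copy, and counts failure lines in a p11_child.log.
# The real files are /etc/sssd/sssd.conf and /var/log/sssd/p11_child.log;
# everything below works on copies passed as arguments.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION] (empty if unset).
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }        # entered the wanted section
        /^\[/     { insec = 0 }              # any other header ends it
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "")         # strip "key = "
            print; exit
        }' "$1"
}

# Succeeds when 'ifp' appears in the comma-separated services list of [sssd].
check_services_has_ifp() {
    ini_get "$1" sssd services | tr ',' '\n' | tr -d ' \t' | grep -qx ifp
}

# Succeeds when [pam] has a plain decimal debug_level of at least 9
# (hex levels such as 0x3ff0 are treated as "not set" here; an assumption).
check_pam_debug_level() {
    lvl=$(ini_get "$1" pam debug_level)
    [ -n "$lvl" ] && [ "$lvl" -ge 9 ] 2>/dev/null
}

# fix_sssd_conf IN OUT: copy IN to OUT, appending ifp to the [sssd] services
# list and forcing debug_level = 9 in [pam]. IN is left untouched.
fix_sssd_conf() {
    awk '
        /^\[/ {
            if (sec == "pam" && !seen) print "debug_level = 9"
            sec = substr($0, 2, length($0) - 2); seen = 0
        }
        sec == "sssd" && /^[ \t]*services[ \t]*=/ {
            if ($0 !~ /(^|[ ,])ifp([ ,]|$)/) $0 = $0 ", ifp"
        }
        sec == "pam" && /^[ \t]*debug_level[ \t]*=/ { $0 = "debug_level = 9"; seen = 1 }
        { print }
        END { if (sec == "pam" && !seen) print "debug_level = 9" }
    ' "$1" > "$2"
}

# count_cert_errors LOG: number of p11_child.log lines that report a failure.
# The pattern is a constructed heuristic, not SSSD's exact wording.
count_cert_errors() {
    grep -c -i -E 'fail|error' "$1"
}

# --- constructed sample input (not real files from the thread) ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sssd.conf" <<'EOF'
[sssd]
domains = example.test
services = nss, pam
[pam]
pam_cert_auth = True
EOF
cat > "$SAMPLE_DIR/p11_child.log" <<'EOF'
(Wed Feb  8 08:45:13 2017) [[sssd[p11_child[1234]]]] [do_work] (0x0040): Certificate verification failed.
(Wed Feb  8 08:45:13 2017) [[sssd[p11_child[1234]]]] [main] (0x0040): p11_child failed.
(Wed Feb  8 08:45:14 2017) [[sssd[p11_child[1235]]]] [do_work] (0x4000): Found 1 certificate on the card.
EOF

fix_sssd_conf "$SAMPLE_DIR/sssd.conf" "$SAMPLE_DIR/sssd.conf.fixed"

for f in "$SAMPLE_DIR/sssd.conf" "$SAMPLE_DIR/sssd.conf.fixed"; do
    check_services_has_ifp "$f" && ifp=yes || ifp=no
    check_pam_debug_level "$f" && dbg=yes || dbg=no
    echo "$f: ifp=$ifp pam-debug=$dbg"
done
echo "p11_child failures: $(count_cert_errors "$SAMPLE_DIR/p11_child.log")"
```

Run it as-is to see the constructed config fail both checks and the corrected copy pass them; to use it on a real host, call the functions on a copy of `/etc/sssd/sssd.conf` and on `/var/log/sssd/p11_child.log`, then review the matched log lines by hand, since the pattern only narrows down where to look. The temporary directory is left in place so the generated files can be inspected.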