Menu Close

Chapter 7. Troubleshooting authentication with smart cards

The following sections describe how to resolve some of the issues you might encounter when setting up smart card authentication.

7.1. Testing smart card access on the system

This procedure describes how to test whether you can access your smart card.

Prerequisites

  • You have installed and configured your IdM Server and client for use with smart cards.
  • You have installed the certutil tool from the nss-tools package.
  • You have the PIN or password for your smart card.

Procedure

  1. Using the lsusb command, verify that the smart card reader is visible to the operating system:

    $ lsusb
    Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
    Bus 001 Device 003: ID 072f:b100 Advanced Card Systems, Ltd ACR39U
    Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd
    Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

    For more information on the smart cards and readers tested and supported in RHEL, see Smart Card support in RHEL 9.

  2. Ensure that the pcscd service and socket are enabled and running:

    $ systemctl status pcscd.service pcscd.socket
    
    ● pcscd.service - PC/SC Smart Card Daemon
          Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect;
    vendor preset: disabled)
          Active: active (running) since Fri 2021-09-24 11:05:04 CEST; 2
    weeks 6 days ago
    TriggeredBy: ● pcscd.socket
            Docs: man:pcscd(8)
        Main PID: 3772184 (pcscd)
           Tasks: 12 (limit: 38201)
          Memory: 8.2M
             CPU: 1min 8.067s
          CGroup: /system.slice/pcscd.service
                  └─3772184 /usr/sbin/pcscd --foreground --auto-exit
    
    ● pcscd.socket - PC/SC Smart Card Daemon Activation Socket
          Loaded: loaded (/usr/lib/systemd/system/pcscd.socket; enabled;
    vendor preset: enabled)
          Active: active (running) since Fri 2021-09-24 11:05:04 CEST; 2
    weeks 6 days ago
        Triggers: ● pcscd.service
          Listen: /run/pcscd/pcscd.comm (Stream)
          CGroup: /system.slice/pcscd.socket
  3. Using the p11-kit list-modules command, display information about the configured smart card and the tokens present on the smart card:

    $ p11-kit list-modules
    p11-kit-trust: p11-kit-trust.so
    [...]
    opensc: opensc-pkcs11.so
        library-description: OpenSC smartcard framework
        library-manufacturer: OpenSC Project
        library-version: 0.20
        token: MyEID (sctest)
            manufacturer: Aventra Ltd.
            model: PKCS#15
            serial-number: 8185043840990797
            firmware-version: 40.1
            flags:
                   rng
                   login-required
                   user-pin-initialized
                   token-initialized
  4. Verify you can access the contents of your smart card:

    $ pkcs11-tool --list-objects --login
    Using slot 0 with a present token (0x0)
    Logging in to "MyEID (sctest)".
    Please enter User PIN:
    Private Key Object; RSA
      label:      Certificate
      ID:         01
      Usage:      sign
      Access:     sensitive
    Public Key Object; RSA 2048 bits
      label:      Public Key
      ID:         01
      Usage:      verify
      Access:     none
    Certificate Object; type = X.509 cert
      label:      Certificate
      subject:    DN: O=IDM.EXAMPLE.COM, CN=idmuser1
      ID:         01
  5. Display the contents of the certificate on your smart card using the certutil command:

    1. Run the following command to determine the correct name of your certificate:

      $ certutil -d /etc/pki/nssdb -L -h all
      
      Certificate Nickname                                         Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI
      
      Enter Password or Pin for "MyEID (sctest)":
      Smart Card CA 0f5019a8-7e65-46a1-afe5-8e17c256ae00           CT,C,C
      MyEID (sctest):Certificate                                   u,u,u
    2. Display the contents of the certificate on your smart card:

      Note

      Ensure the name of the certificate is an exact match for the output displayed in the previous step, in this example MyEID (sctest):Certificate.

      $ certutil -d /etc/pki/nssdb -L -n "MyEID (sctest):Certificate"
      
      Enter Password or Pin for "MyEID (sctest)":
      Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number: 15 (0xf)
              Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
              Issuer: "CN=Certificate Authority,O=IDM.EXAMPLE.COM"
              Validity:
                  Not Before: Thu Sep 30 14:01:41 2021
                  Not After : Sun Oct 01 14:01:41 2023
              Subject: "CN=idmuser1,O=IDM.EXAMPLE.COM"
              Subject Public Key Info:
                  Public Key Algorithm: PKCS #1 RSA Encryption
                  RSA Public Key:
                      Modulus:
                          [...]
                      Exponent: 65537 (0x10001)
              Signed Extensions:
                  Name: Certificate Authority Key Identifier
                  Key ID:
                      e2:27:56:0d:2f:f5:f2:72:ce:de:37:20:44:8f:18:7f:
                      2f:56:f9:1a
      
                  Name: Authority Information Access
                  Method: PKIX Online Certificate Status Protocol
                  Location:
                      URI: "http://ipa-ca.idm.example.com/ca/ocsp"
      
                  Name: Certificate Key Usage
                  Critical: True
                  Usages: Digital Signature
                          Non-Repudiation
                          Key Encipherment
                          Data Encipherment
      
                  Name: Extended Key Usage
                      TLS Web Server Authentication Certificate
                      TLS Web Client Authentication Certificate
      
                  Name: CRL Distribution Points
                  Distribution point:
                      URI: "http://ipa-ca.idm.example.com/ipa/crl/MasterCRL.bin"
                      CRL issuer:
                          Directory Name: "CN=Certificate Authority,O=ipaca"
      
                  Name: Certificate Subject Key ID
                  Data:
                      43:23:9f:c1:cf:b1:9f:51:18:be:05:b5:44:dc:e6:ab:
                      be:07:1f:36
      
          Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
          Signature:
              [...]
          Fingerprint (SHA-256):
              6A:F9:64:F7:F2:A2:B5:04:88:27:6E:B8:53:3E:44:3E:F5:75:85:91:34:ED:48:A8:0D:F0:31:5D:7B:C9:E0:EC
          Fingerprint (SHA1):
              B4:9A:59:9F:1C:A8:5D:0E:C1:A2:41:EC:FD:43:E0:80:5F:63:DF:29
      
          Mozilla-CA-Policy: false (attribute missing)
          Certificate Trust Flags:
              SSL Flags:
                  User
              Email Flags:
                  User
              Object Signing Flags:
                  User

Additional resources

  • See certutil(1) man page.

7.2. Troubleshooting smart card authentication with SSSD

This procedure describes how to troubleshoot authentication with SSSD using smart cards.

Prerequisites

  • You have installed and configured your IdM Server and client for use with smart cards.
  • You have installed the sssd-tools package.
  • You are able to detect your smart card reader and display the contents of your smart card. See Testing smart card access on the system.

Procedure

  1. Verify you can authenticate with your smart card using su:

    $ su - idmuser1 -c ‘su - idmuser1 -c whoami’
    PIN for MyEID (sctest):
    idmuser1

    If you are not prompted for the smart card PIN, and either a password prompt or an authorization error are returned, check the SSSD logs. See Troubleshooting authentication with SSSD in IdM for information on logging in SSSD. The following is an example of an authentication failure:

    $ su - idmuser1 -c ‘su - idmuser1 -c whoami’
    PIN for MyEID (sctest):
    su: Authentication failure

    If the SSSD logs indicate an issue from the krb5_child, similar to the following, you may have an issue with your CA certificates. To troubleshoot issues with certificates, see Verifying that IdM Kerberos KDC can use Pkinit and that the CA certificates are correctly located.

    [Pre-authentication failed: Failed to verify own certificate (depth 0): unable to get local issuer certificate: could not load the shared library]

    If the SSSD logs indicate a timeout either from p11_child or krb5_child, you may need to increase the SSSD timeouts and try authenticating again with your smart card. See Increasing SSSD timeouts for details on how to increase the timeouts.

  2. Verify your GDM smart card authentication configuration is correct. A success message for PAM authentication should be returned as shown below:

    # sssctl user-checks -s gdm-smartcard "idmuser1" -a auth
    user: idmuser1
    action: auth
    service: gdm-smartcard
    
    SSSD nss user lookup result:
     - user name: idmuser1
     - user id: 603200210
     - group id: 603200210
     - gecos: idm user1
     - home directory: /home/idmuser1
     - shell: /bin/sh
    
    SSSD InfoPipe user lookup result:
     - name: idmuser1
     - uidNumber: 603200210
     - gidNumber: 603200210
     - gecos: idm user1
     - homeDirectory: /home/idmuser1
     - loginShell: /bin/sh
    
    testing pam_authenticate
    
    PIN for MyEID (sctest)
    pam_authenticate for user [idmuser1]: Success
    
    PAM Environment:
     - PKCS11_LOGIN_TOKEN_NAME=MyEID (sctest)
     - KRB5CCNAME=KCM:

    If an authentication error, similar to the following, is returned, check the SSSD logs to try and determine what is causing the issue. See Troubleshooting authentication with SSSD in IdM for information on logging in SSSD.

    pam_authenticate for user [idmuser1]: Authentication failure
    
    PAM Environment:
     - no env -

    If PAM authentication continues to fail, clear your cache and run the command again.

    # sssctl cache-remove
    SSSD must not be running. Stop SSSD now? (yes/no) [yes] yes
    Creating backup of local data…
    Removing cache files…
    SSSD needs to be running. Start SSSD now? (yes/no) [yes] yes

7.3. Verifying that IdM Kerberos KDC can use PKINIT and that the CA certificates are correctly located

This procedure describes how to verify that IdM Kerberos KDC can use PKINIT and also describes how to verify your CA certificates are correctly located.

Prerequisites

  • You have installed and configured your IdM Server and client for use with smart cards.
  • You are able to detect your smart card reader and display the contents of your smart card. See Testing smart card access on the system.

Procedure

  1. Run the kinit utility to authenticate as the idmuser1 with the certificate stored on your smart card:

    $ kinit -X X509_user_identity=PKCS11: idmuser1
    MyEID (sctest)                   PIN:
  2. Enter your smart card PIN. If you are not prompted for your PIN, check that you can detect your smart card reader and display the contents of your smart card. See Testing smart card authentication.
  3. If your PIN is accepted and you are then prompted for your password, you might be missing your CA signing certificate.

    1. Verify the CA chain is listed in the default certificate bundle file using openssl commands:

      $ openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/ca-bundle.pem | openssl pkcs7 -print_certs -noout
      subject=O = IDM.EXAMPLE.COM, CN = Certificate Authority
      
      issuer=O = IDM.EXAMPLE.COM, CN = Certificate Authority
    2. Verify the validity of your certificates:

      1. Find the user authentication certificate ID for idmuser1:

        $ pkcs11-tool --list-objects --login
        [...]
        Certificate Object; type = X.509 cert
          label:      Certificate
          subject:    DN: O=IDM.EXAMPLE.COM, CN=idmuser1
         ID: 01
      2. Read the user certificate information from the smart card in DER format:

        $ pkcs11-tool --read-object --id 01 --type cert --output-file cert.der
        Using slot 0 with a present token (0x0)
      3. Convert the DER certificate to PEM format:

        $ openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM
      4. Verify the certificate has valid issuer signatures up to the CA:

        $ openssl verify -CAfile /var/lib/ipa-client/pki/ca-bundle.pem <path>/cert.pem
        cert.pem: OK
  4. If your smart card contains several certificates, kinit might fail to choose the correct certificate for authentication. In this case, you need to specify the certificate ID as an argument to the kinit command using the certid=<ID> option.

    1. Check how many certificates are stored on the smart card and get the certificate ID for the one you are using:

      $ pkcs11-tool --list-objects --type cert --login
      Using slot 0 with a present token (0x0)
      Logging in to "MyEID (sctest)".
      Please enter User PIN:
      Certificate Object; type = X.509 cert
        label:      Certificate
        subject:    DN: O=IDM.EXAMPLE.COM, CN=idmuser1
        ID:         01
      Certificate Object; type = X.509 cert
        label:      Second certificate
        subject:    DN: O=IDM.EXAMPLE.COM, CN=ipauser1
        ID:         02
    2. Run kinit with certificate ID 01:

      $ kinit -X kinit -X X509_user_identity=PKCS11:certid=01 idmuser1
      MyEID (sctest)                   PIN:
  5. Run klist to view the contents of the Kerberos credentials cache:

    $ klist
    Ticket cache: KCM:0:11485
    Default principal: idmuser1@EXAMPLE.COM
    
    Valid starting       Expires              Service principal
    10/04/2021 10:50:04  10/05/2021 10:49:55  krbtgt/EXAMPLE.COM@EXAMPLE.COM
  6. Destroy your active Kerberos tickets once you have finished:

    $ kdestroy -A

Additional resources

  • See kinit man page.
  • See kdestroy man page.

7.4. Increasing SSSD timeouts

If you are having issues authenticating with a smart card, check the krb5_child.log and the p11_child.log file for timeout entries similar to the following:

krb5_child: Timeout for child [9607] reached…​..consider increasing value of krb5_auth_timeout.

If there is a timeout entry in the log file, try increasing the SSSD timeouts as outlined in this procedure.

Prerequisites

  • You have configured your IdM Server and client for smart card authentication.

Procedure

  1. Open the sssd.conf file on the IdM client:

    # vim /etc/sssd/sssd.conf
  2. In your domain section, for example [domain/idm.example.com], add the following option:

    krb5_auth_timeout = 60
  3. In the [pam] section, add the following:

    p11_child_timeout = 60
  4. Clear the SSSD cache:

    # sssctl cache-remove
    SSSD must not be running. Stop SSSD now? (yes/no) [yes] yes
    Creating backup of local data…
    Removing cache files…
    SSSD needs to be running. Start SSSD now? (yes/no) [yes] yes

Once you have increased the timeouts, try authenticating again using your smart card. See Testing smart card authentication for more details.

7.5. Troubleshooting certificate mapping and matching rules

If you are having issues authenticating with a smart card, check that you have linked your smart card certificate correctly to a user. By default, a certificate is associated with a user when the user entry contains the full certificate as part of the usercertificate attribute. However, if you have defined certificate mapping rules, you may have changed how certificates are associated with users. To troubleshoot certificate mapping and matching rules, refer to the following sections:

Note

If you are using your smart card to authenticate using SSH, you need to add the full certificate to the user entry in Identity Management (IdM). If you are not using your smart card to authenticate using SSH, you can add certificate mapping data using the ipa user-add-certmapdata command.

7.5.1. Checking how the certificates are mapped to users

By default, a certificate is associated with a user when the user entry contains the full certificate as part of the usercertificate attribute. However, if you have defined certificate mapping rules, you may have changed how certificates are associated with users. This procedure describes how to check your certificate mapping rules.

Prerequisites

Procedure

  1. Verify the certificate mapping rules currently configured for IdM:

    # ipa certmaprule-find
    -------------------------------------------
    1 Certificate Identity Mapping Rule matched
    -------------------------------------------
      Rule name: smartcardrule
      Mapping rule: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})
      Matching rule: <ISSUER>CN=Certificate Authority,O=IDM.EXAMPLE.COM
      Enabled: TRUE
    ----------------------------
    Number of entries returned 1
    ----------------------------

    You can expect to see one of the following mapping rules defined:

    • ipacertmapdata indicates that the IdM user entry certmapdata attribute is used.
    • altSecurityIdentities specifies that Active Directory’s user entry name mapping attribute is used.
    • userCertificate;binary= indicates that the whole certificate in either IdM or AD is used.

    You can define many matching options but some of the typically configured options are as follows:

    • <ISSUER>CN=[…​] specifies the issuer attribute of the certificate being used is checked to make sure it matches this.
    • <SUBJECT>.*,DC=MY,DC=DOMAIN indicates the subject of the certificate is checked.
  2. Enable System Security Services Daemon (SSSD) logging by adding debug_level = 9 to the /etc/sssd/sssd.conf file on the IdM server:

    [domain/idm.example.com]
    ...
    debug_level = 9
  3. Restart SSSD:

    # systemctl restart sssd
  4. You should see the following entry in the /var/log/sssd/sssd_idm.example.com.log file if the mapping is read correctly:

    [be[idm.example.com]] [sdap_setup_certmap] (0x4000): Trying to add rule [smartcardrule][-1][<ISSUER>CN=Certificate Authority,O=IDM.EXAMPLE.COM][(|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))].
  5. If your mapping rule contains an invalid syntax, an entry similar to the following can be seen in the log file:

    [be[idm.example.com]]] [sss_certmap_init] (0x0040): sss_certmap initialized.
    [be[idm.example.com]]] [ipa_certmap_parse_results] (0x4000): Trying to add rule [smartcardrule][-1][<ISSUER>CN=Certificate Authority,O=IDM.EXAMPLE.COM][(ipacertmapdata=X509:<I>{issuer_dn!x509}<S>{subject_dn})].
    [be[idm.example.com]]] [parse_template] (0x0040): Parse template invalid.
    [be[idm.example.com]]] [parse_ldap_mapping_rule] (0x0040): Failed to add template.
    [be[idm.example.com]]] [parse_mapping_rule] (0x0040): Failed to parse LDAP mapping rule.
    [be[idm.example.com]]] [ipa_certmap_parse_results] (0x0020): sss_certmap_add_rule failed for rule [smartcardrule], skipping. Please check for typos and if rule syntax is supported.
    [be[idm.example.com]]] [ipa_subdomains_certmap_done] (0x0040): Unable to parse certmap results [22]: Invalid argument
    [be[idm.example.com]]] [ipa_subdomains_refresh_certmap_done] (0x0020): Failed to read certificate mapping rules [22]: Invalid argument
  6. Check your mapping rule syntax.

    # ipa certmaprule-show smartcardrule
      Rule name: smartcardrule
      Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))
      Matching rule: <ISSUER>CN=Certificate Authority,O=IDM.EXAMPLE.COM
      Domain name: ipa.test
      Enabled: TRUE
  7. If required, modify your certificate mapping rule:

    # ipa certmaprule-mod smartcardrule --maprule '(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})'

Additional resources

  • See the sss-certmap man page.

7.5.2. Checking the user associated with a smart card certificate

If you are having issues authenticating with a smart card, verify the correct user is associated with your smart card certificate.

Prerequisites

Procedure

  1. Verify the user is associated with your smart card certificate:

    # ipa certmap-match cert.pem
    --------------
    1 user matched
    --------------
      Domain: IDM.EXAMPLE.COM
      User logins: idmuser1
    ----------------------------
    Number of entries returned 1
    ----------------------------

    If the user or domain are not correct, check how your certificates are mapped to users. See Checking how the certificates are mapped to users.

  2. Check if the user entry contains the certificate:

    # ipa user-show idmuser1
      User login: idmuser1
    [...]
    Certificate:MIIEejCCAuKgAwIBAgIBCzANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhJUEEuVEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XD
  3. If your user entry does not contain the certificate, add your base-64 encoded certificate to the user entry:

    1. Create an environment variable containing the certificate with the header and footer removed and concatenated into a single line, which is the format expected by the ipa user-add-cert command:

      $ export CERT=`openssl x509 -outform der -in idmuser1.crt | base64 -w0 -`

      Note that the certificate in the idmuser1.crt file must be in PEM format.

    2. Add the certificate to the profile of idmuser1 using the ipa user-add-cert command:

      $ ipa user-add-cert idmuser1 --certificate=$CERT
    3. Clear the System Security Services Daemon (SSSD) cache.

      # sssctl cache-remove
      SSSD must not be running. Stop SSSD now? (yes/no) [yes] yes
      Creating backup of local data…
      Removing cache files…
      SSSD needs to be running. Start SSSD now? (yes/no) [yes] yes
  4. Run ipa certmap-match again to confirm the user is associated with your smart card certificate.