Chapter 9. Troubleshooting authentication with smart cards

The following sections describe how to resolve some of the issues you might encounter when setting up smart card authentication.

9.1. Testing smart card access on the system

Follow this procedure to test whether you can access your smart card.

Prerequisites

  • You have installed and configured your IdM Server and client for use with smart cards.
  • You have installed the certutil tool from the nss-tools package.
  • You have the PIN or password for your smart card.

Procedure

  1. Using the lsusb command, verify that the smart card reader is visible to the operating system: 

    $ lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 072f:b100 Advanced Card Systems, Ltd ACR39U
Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

    For more information about the smart cards and readers tested and supported in RHEL, see Smart Card support in RHEL 8.

  2. Ensure that the pcscd service and socket are enabled and running: 

    $ systemctl status pcscd.service pcscd.socket

● pcscd.service - PC/SC Smart Card Daemon
      Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect;
vendor preset: disabled)
      Active: active (running) since Fri 2021-09-24 11:05:04 CEST; 2
weeks 6 days ago
TriggeredBy: ● pcscd.socket
        Docs: man:pcscd(8)
    Main PID: 3772184 (pcscd)
       Tasks: 12 (limit: 38201)
      Memory: 8.2M
         CPU: 1min 8.067s
      CGroup: /system.slice/pcscd.service
              └─3772184 /usr/sbin/pcscd --foreground --auto-exit

● pcscd.socket - PC/SC Smart Card Daemon Activation Socket
      Loaded: loaded (/usr/lib/systemd/system/pcscd.socket; enabled;
vendor preset: enabled)
      Active: active (running) since Fri 2021-09-24 11:05:04 CEST; 2
weeks 6 days ago
    Triggers: ● pcscd.service
      Listen: /run/pcscd/pcscd.comm (Stream)
      CGroup: /system.slice/pcscd.socket

  3. Using the p11-kit list-modules command, display information about the configured smart card and the tokens present on the smart card: 

    $ p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
[...]
opensc: opensc-pkcs11.so
    library-description: OpenSC smartcard framework
    library-manufacturer: OpenSC Project
    library-version: 0.20
    token: MyEID (sctest)
        manufacturer: Aventra Ltd.
        model: PKCS#15
        serial-number: 8185043840990797
        firmware-version: 40.1
        flags:
               rng
               login-required
               user-pin-initialized
               token-initialized

  4. Verify you can access the contents of your smart card: 

    $ pkcs11-tool --list-objects --login
Using slot 0 with a present token (0x0)
Logging in to "MyEID (sctest)".
Please enter User PIN:
Private Key Object; RSA
  label:      Certificate
  ID:         01
  Usage:      sign
  Access:     sensitive
Public Key Object; RSA 2048 bits
  label:      Public Key
  ID:         01
  Usage:      verify
  Access:     none
Certificate Object; type = X.509 cert
  label:      Certificate
  subject:    DN: O=IDM.EXAMPLE.COM, CN=idmuser1
  ID:         01

  5. Display the contents of the certificate on your smart card using the certutil command:

    1. Run the following command to determine the correct name of your certificate: 

      $ certutil -d /etc/pki/nssdb -L -h all

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "MyEID (sctest)":
Smart Card CA 0f5019a8-7e65-46a1-afe5-8e17c256ae00           CT,C,C
MyEID (sctest):Certificate                                   u,u,u

    2. Display the contents of the certificate on your smart card:

      Note

      Ensure the name of the certificate is an exact match for the output displayed in the previous step, in this example MyEID (sctest):Certificate. 

      $ certutil -d /etc/pki/nssdb -L -n "MyEID (sctest):Certificate"

Enter Password or Pin for "MyEID (sctest)":
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=IDM.EXAMPLE.COM"
        Validity:
            Not Before: Thu Sep 30 14:01:41 2021
            Not After : Sun Oct 01 14:01:41 2023
        Subject: "CN=idmuser1,O=IDM.EXAMPLE.COM"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                e2:27:56:0d:2f:f5:f2:72:ce:de:37:20:44:8f:18:7f:
                2f:56:f9:1a

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location:
                URI: "http://ipa-ca.idm.example.com/ca/ocsp"

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Key Encipherment
                    Data Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
                TLS Web Client Authentication Certificate

            Name: CRL Distribution Points
            Distribution point:
                URI: "http://ipa-ca.idm.example.com/ipa/crl/MasterCRL.bin"
                CRL issuer:
                    Directory Name: "CN=Certificate Authority,O=ipaca"

            Name: Certificate Subject Key ID
            Data:
                43:23:9f:c1:cf:b1:9f:51:18:be:05:b5:44:dc:e6:ab:
                be:07:1f:36

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        [...]
    Fingerprint (SHA-256):
        6A:F9:64:F7:F2:A2:B5:04:88:27:6E:B8:53:3E:44:3E:F5:75:85:91:34:ED:48:A8:0D:F0:31:5D:7B:C9:E0:EC
    Fingerprint (SHA1):
        B4:9A:59:9F:1C:A8:5D:0E:C1:A2:41:EC:FD:43:E0:80:5F:63:DF:29

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

Additional resources

  • See certutil(1) man page.

9.2. Troubleshooting smart card authentication with SSSD

Follow this procedure to troubleshoot authentication with SSSD using smart cards.

Prerequisites

  • You have installed and configured your IdM Server and client for use with smart cards.
  • You have installed the sssd-tools package.
  • You are able to detect your smart card reader and display the contents of your smart card. See Testing smart card access on the system.

Procedure

  1. Verify you can authenticate with your smart card using su: 

    $ su - idmuser1 -c ‘su - idmuser1 -c whoami’
PIN for MyEID (sctest):
idmuser1

    If you are not prompted for the smart card PIN, and either a password prompt or an authorization error are returned, check the SSSD logs. See Troubleshooting authentication with SSSD in IdM for information about logging in SSSD. The following is an example of an authentication failure: 

    $ su - idmuser1 -c ‘su - idmuser1 -c whoami’
PIN for MyEID (sctest):
su: Authentication failure

    If the SSSD logs indicate an issue from the krb5_child, similar to the following, you may have an issue with your CA certificates. To troubleshoot issues with certificates, see Verifying that IdM Kerberos KDC can use Pkinit and that the CA certificates are correctly located. 

    [Pre-authentication failed: Failed to verify own certificate (depth 0): unable to get local issuer certificate: could not load the shared library]

    If the SSSD logs indicate a timeout either from p11_child or krb5_child, you may need to increase the SSSD timeouts and try authenticating again with your smart card. See Increasing SSSD timeouts for details on how to increase the timeouts.

  2. Verify your GDM smart card authentication configuration is correct. A success message for PAM authentication should be returned as shown below: 

    # sssctl user-checks -s gdm-smartcard "idmuser1" -a auth
user: idmuser1
action: auth
service: gdm-smartcard

SSSD nss user lookup result:
 - user name: idmuser1
 - user id: 603200210
 - group id: 603200210
 - gecos: idm user1
 - home directory: /home/idmuser1
 - shell: /bin/sh

SSSD InfoPipe user lookup result:
 - name: idmuser1
 - uidNumber: 603200210
 - gidNumber: 603200210
 - gecos: idm user1
 - homeDirectory: /home/idmuser1
 - loginShell: /bin/sh

testing pam_authenticate

PIN for MyEID (sctest)
pam_authenticate for user [idmuser1]: Success

PAM Environment:
 - PKCS11_LOGIN_TOKEN_NAME=MyEID (sctest)
 - KRB5CCNAME=KCM:

    If an authentication error, similar to the following, is returned, check the SSSD logs to try and determine what is causing the issue. See Troubleshooting authentication with SSSD in IdM for information about logging in SSSD. 

    pam_authenticate for user [idmuser1]: Authentication failure

PAM Environment:
 - no env -

    If PAM authentication continues to fail, clear your cache and run the command again. 

    # sssctl cache-remove
SSSD must not be running. Stop SSSD now? (yes/no) [yes] yes
Creating backup of local data…
Removing cache files…
SSSD needs to be running. Start SSSD now? (yes/no) [yes] yes

9.3. Verifying that IdM Kerberos KDC can use PKINIT and that the CA certificates are correctly located

Follow this procedure to verify that IdM Kerberos KDC can use PKINIT and also describes how to verify your CA certificates are correctly located.

Prerequisites

  • You have installed and configured your IdM Server and client for use with smart cards.
  • You are able to detect your smart card reader and display the contents of your smart card. See Testing smart card access on the system.

Procedure

  1. Run the kinit utility to authenticate as the idmuser1 with the certificate stored on your smart card: 

    $ kinit -X X509_user_identity=PKCS11: idmuser1
MyEID (sctest)                   PIN:
  2. Enter your smart card PIN. If you are not prompted for your PIN, check that you can detect your smart card reader and display the contents of your smart card. See Testing smart card authentication.

  3. If your PIN is accepted and you are then prompted for your password, you might be missing your CA signing certificate.

    1. Verify the CA chain is listed in the default certificate bundle file using openssl commands: 

      $ openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/ca-bundle.pem | openssl pkcs7 -print_certs -noout
subject=O = IDM.EXAMPLE.COM, CN = Certificate Authority

issuer=O = IDM.EXAMPLE.COM, CN = Certificate Authority

    2. Verify the validity of your certificates:

      1. Find the user authentication certificate ID for idmuser1: 

        $ pkcs11-tool --list-objects --login
[...]
Certificate Object; type = X.509 cert
  label:      Certificate
  subject:    DN: O=IDM.EXAMPLE.COM, CN=idmuser1
 ID: 01

      2. Read the user certificate information from the smart card in DER format: 

        $ pkcs11-tool --read-object --id 01 --type cert --output-file cert.der
Using slot 0 with a present token (0x0)

      3. Convert the DER certificate to PEM format: 

        $ openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM

      4. Verify the certificate has valid issuer signatures up to the CA: 

        $ openssl verify -CAfile /var/lib/ipa-client/pki/ca-bundle.pem <path>/cert.pem
cert.pem: OK

  4. If your smart card contains several certificates, kinit might fail to choose the correct certificate for authentication. In this case, you need to specify the certificate ID as an argument to the kinit command using the certid=<ID> option.

    1. Check how many certificates are stored on the smart card and get the certificate ID for the one you are using: 

      $ pkcs11-tool --list-objects --type cert --login
Using slot 0 with a present token (0x0)
Logging in to "MyEID (sctest)".
Please enter User PIN:
Certificate Object; type = X.509 cert
  label:      Certificate
  subject:    DN: O=IDM.EXAMPLE.COM, CN=idmuser1
  ID:         01
Certificate Object; type = X.509 cert
  label:      Second certificate
  subject:    DN: O=IDM.EXAMPLE.COM, CN=ipauser1
  ID:         02

    2. Run kinit with certificate ID 01: 

      $ kinit -X kinit -X X509_user_identity=PKCS11:certid=01 idmuser1
MyEID (sctest)                   PIN:

  5. Run klist to view the contents of the Kerberos credentials cache: 

    $ klist
Ticket cache: KCM:0:11485
Default principal: idmuser1@EXAMPLE.COM

Valid starting       Expires              Service principal
10/04/2021 10:50:04  10/05/2021 10:49:55  krbtgt/EXAMPLE.COM@EXAMPLE.COM

  6. Destroy your active Kerberos tickets once you have finished: 

    $ kdestroy -A

Additional resources

  • See kinit man page.
  • See kdestroy man page.

9.4. Increasing SSSD timeouts

If you are having issues authenticating with a smart card, check the krb5_child.log and the p11_child.log file for timeout entries similar to the following:

krb5_child: Timeout for child [9607] reached…​..consider increasing value of krb5_auth_timeout.

If there is a timeout entry in the log file, try increasing the SSSD timeouts as outlined in this procedure.

Prerequisites

  • You have configured your IdM Server and client for smart card authentication.

Procedure

  1. Open the sssd.conf file on the IdM client: 

    # vim /etc/sssd/sssd.conf

  2. In your domain section, for example [domain/idm.example.com], add the following option: 

    krb5_auth_timeout = 60

  3. In the [pam] section, add the following: 

    p11_child_timeout = 60

  4. Clear the SSSD cache: 

    # sssctl cache-remove
SSSD must not be running. Stop SSSD now? (yes/no) [yes] yes
Creating backup of local data…
Removing cache files…
SSSD needs to be running. Start SSSD now? (yes/no) [yes] yes

Once you have increased the timeouts, try authenticating again using your smart card. See Testing smart card authentication for more details.

9.5. Troubleshooting certificate mapping and matching rules

If you are having issues authenticating with a smart card, check that you have linked your smart card certificate correctly to a user. By default, a certificate is associated with a user when the user entry contains the full certificate as part of the usercertificate attribute. However, if you have defined certificate mapping rules, you may have changed how certificates are associated with users. To troubleshoot certificate mapping and matching rules, refer to the following sections:

Note

If you are using your smart card to authenticate using SSH, you need to add the full certificate to the user entry in Identity Management (IdM). If you are not using your smart card to authenticate using SSH, you can add certificate mapping data using the ipa user-add-certmapdata command.

9.5.1. Checking how the certificates are mapped to users

By default, a certificate is associated with a user when the user entry contains the full certificate as part of the usercertificate attribute. However, if you have defined certificate mapping rules, you may have changed how certificates are associated with users. Follow this procedure to check your certificate mapping rules.

Prerequisites

Procedure

  1. Verify the certificate mapping rules currently configured for IdM: 

    # ipa certmaprule-find
-------------------------------------------
1 Certificate Identity Mapping Rule matched
-------------------------------------------
  Rule name: smartcardrule
  Mapping rule: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})
  Matching rule: <ISSUER>CN=Certificate Authority,O=IDM.EXAMPLE.COM
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------

    You can expect to see one of the following mapping rules defined:

    • ipacertmapdata indicates that the IdM user entry certmapdata attribute is used.
    • altSecurityIdentities specifies that Active Directory’s user entry name mapping attribute is used.
    • userCertificate;binary= indicates that the whole certificate in either IdM or AD is used.

    You can define many matching options but some of the typically configured options are as follows:

    • <ISSUER>CN=[…​] specifies the issuer attribute of the certificate being used is checked to make sure it matches this.
    • <SUBJECT>.*,DC=MY,DC=DOMAIN indicates the subject of the certificate is checked.

  2. Enable System Security Services Daemon (SSSD) logging by adding debug_level = 9 to the /etc/sssd/sssd.conf file on the IdM server: 

    [domain/idm.example.com]
...
debug_level = 9

  3. Restart SSSD: 

    # systemctl restart sssd

  4. You should see the following entry in the /var/log/sssd/sssd_idm.example.com.log file if the mapping is read correctly: 

    [be[idm.example.com]] [sdap_setup_certmap] (0x4000): Trying to add rule [smartcardrule][-1][<ISSUER>CN=Certificate Authority,O=IDM.EXAMPLE.COM][(|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))].

  5. If your mapping rule contains an invalid syntax, an entry similar to the following can be seen in the log file: 

    [be[idm.example.com]]] [sss_certmap_init] (0x0040): sss_certmap initialized.
[be[idm.example.com]]] [ipa_certmap_parse_results] (0x4000): Trying to add rule [smartcardrule][-1][<ISSUER>CN=Certificate Authority,O=IDM.EXAMPLE.COM][(ipacertmapdata=X509:<I>{issuer_dn!x509}<S>{subject_dn})].
[be[idm.example.com]]] [parse_template] (0x0040): Parse template invalid.
[be[idm.example.com]]] [parse_ldap_mapping_rule] (0x0040): Failed to add template.
[be[idm.example.com]]] [parse_mapping_rule] (0x0040): Failed to parse LDAP mapping rule.
[be[idm.example.com]]] [ipa_certmap_parse_results] (0x0020): sss_certmap_add_rule failed for rule [smartcardrule], skipping. Please check for typos and if rule syntax is supported.
[be[idm.example.com]]] [ipa_subdomains_certmap_done] (0x0040): Unable to parse certmap results [22]: Invalid argument
[be[idm.example.com]]] [ipa_subdomains_refresh_certmap_done] (0x0020): Failed to read certificate mapping rules [22]: Invalid argument

  6. Check your mapping rule syntax. 

    # ipa certmaprule-show smartcardrule
  Rule name: smartcardrule
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))
  Matching rule: <ISSUER>CN=Certificate Authority,O=IDM.EXAMPLE.COM
  Domain name: ipa.test
  Enabled: TRUE

  7. If required, modify your certificate mapping rule: 

    # ipa certmaprule-mod smartcardrule --maprule '(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})'

Additional resources

  • See the sss-certmap man page.

9.5.2. Checking the user associated with a smart card certificate

If you are having issues authenticating with a smart card, verify the correct user is associated with your smart card certificate.

Prerequisites

Procedure

  1. Verify the user is associated with your smart card certificate: 

    # ipa certmap-match cert.pem
--------------
1 user matched
--------------
  Domain: IDM.EXAMPLE.COM
  User logins: idmuser1
----------------------------
Number of entries returned 1
----------------------------

    If the user or domain are not correct, check how your certificates are mapped to users. See Checking how the certificates are mapped to users.

  2. Check if the user entry contains the certificate: 

    # ipa user-show idmuser1
  User login: idmuser1
[...]
Certificate:MIIEejCCAuKgAwIBAgIBCzANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhJUEEuVEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XD

  3. If your user entry does not contain the certificate, add your base-64 encoded certificate to the user entry:

    1. Create an environment variable containing the certificate with the header and footer removed and concatenated into a single line, which is the format expected by the ipa user-add-cert command: 

      $ export CERT=`openssl x509 -outform der -in idmuser1.crt | base64 -w0 -`

      Note that the certificate in the idmuser1.crt file must be in PEM format.

    2. Add the certificate to the profile of idmuser1 using the ipa user-add-cert command: 

      $ ipa user-add-cert idmuser1 --certificate=$CERT

    3. Clear the System Security Services Daemon (SSSD) cache. 

      # sssctl cache-remove
SSSD must not be running. Stop SSSD now? (yes/no) [yes] yes
Creating backup of local data…
Removing cache files…
SSSD needs to be running. Start SSSD now? (yes/no) [yes] yes
  4. Run ipa certmap-match again to confirm the user is associated with your smart card certificate.