How do I configure sssd to authenticate users using a PIV smart card on RHEL7

Solution In Progress - Updated -

Issue

The sssd configuration appears to be attempting PKINIT; however, the p11_child.log indicates that p11_child did not have the PIN.

From the krb5_child log:
~~~
(Wed Sep  7 14:24:47 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279887.334159: Processing preauth types: 16, 15, 14, 136, 19, 147, 138, 133, 137
(Wed Sep  7 14:24:47 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279887.334181: Selected etype info: etype aes256-cts, salt "dce.sandia.govtjwitko", params ""
(Wed Sep  7 14:24:47 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279887.334190: Received cookie: MIT
(Wed Sep  7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279888.116467: Preauth module pkinit (147) (info) returned: 0/Success
(Wed Sep  7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Wed Sep  7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279888.878265: PKINIT client has no configured identity; giving up
(Wed Sep  7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279888.878288: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed
(Wed Sep  7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279888.878310: PKINIT client has no configured identity; giving up
(Wed Sep  7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279888.878318: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed
(Wed Sep  7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279888.878329: PKINIT client has no configured identity; giving up
~~~

From the p11_child log:
~~~
(Wed Sep  7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): Description [SCM Microsystems Inc. SCR35xx v2.0 USB SC Reader [CCID InterfaceUnknown                         ^G] Manufacturer [Unknown                         ^G] flags [7].
(Wed Sep  7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): Found [CoolKey] in slot [SCM Microsystems Inc. SCR35xx v2.0 USB SC Reader [CCID Interface][1] of module [2].
(Wed Sep  7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): Token is NOT friendly.
(Wed Sep  7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): Trying to switch to friendly to read certificate.
(Wed Sep  7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): Login required.
(Wed Sep  7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x0020): Login required but no pin available, continue.
(Wed Sep  7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): found cert[CoolKey:CAC ID Certificate][UID=89001000599522]
~~~
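As an added triage example (not part of this knowledgebase article or of sssd), the following Python parses the sssd debug-log line layout seen in the two excerpts and reports whether a combined krb5_child/p11_child capture shows the same pattern: a certificate read from the token, no PIN available to p11_child, and PKINIT reporting no configured identity. The sample lines are constructed by shortening the excerpts above.

```python
import re
from dataclasses import dataclass

# Layout of an sssd debug-log line, as in the krb5_child and p11_child excerpts above:
#   (timestamp) [[sssd[component[pid]]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[(?P<component>\w+)\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \(0x(?P<level>[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

@dataclass
class SssdLogLine:
    ts: str
    component: str   # e.g. krb5_child, p11_child
    pid: int
    func: str
    level: int       # debug-level bitmask, e.g. 0x0020 (failure) or 0x4000 (trace)
    msg: str

def parse_line(line: str):
    """Parse one sssd log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return SssdLogLine(m["ts"], m["component"], int(m["pid"]),
                       m["func"], int(m["level"], 16), m["msg"])

# Messages quoted in the Issue above; seen together they are the symptom being discussed.
P11_NO_PIN = "Login required but no pin available"
KRB5_NO_IDENTITY = "PKINIT client has no configured identity"

def diagnose(lines: list) -> dict:
    """Check combined krb5_child + p11_child lines for the no-PIN / no-identity pattern."""
    parsed = [p for p in map(parse_line, lines) if p is not None]
    no_pin = any(p.component == "p11_child" and P11_NO_PIN in p.msg for p in parsed)
    cert_found = any(p.component == "p11_child" and p.msg.startswith("found cert") for p in parsed)
    no_identity = any(p.component == "krb5_child" and KRB5_NO_IDENTITY in p.msg for p in parsed)
    # p11_child had no PIN and PKINIT then found no identity: the combination in the Issue's excerpts.
    matches = no_pin and no_identity
    return {"parsed": len(parsed), "cert_found": cert_found, "no_pin": no_pin,
            "no_identity": no_identity, "matches_issue": matches}

# Constructed sample, shortened from the excerpts above (not a real capture).
SAMPLE = [
    "(Wed Sep  7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x0020): Login required but no pin available, continue.",
    "(Wed Sep  7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): found cert[CoolKey:CAC ID Certificate][UID=89001000599522]",
    "(Wed Sep  7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.",
    "(Wed Sep  7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279888.878265: PKINIT client has no configured identity; giving up",
]
```

Run `diagnose(SAMPLE)` (or feed it the concatenated lines of the two real log files) to get a small dictionary of which markers were present.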

Environment

Red Hat Enterprise Linux 7.2
