How do I configure sssd to authenticate users using a PIV smart card on RHEL7

Solution In Progress

Issue

The sssd configuration appears to be attempting to do pkinit; however, the p11_child.log indicates that p11_child does not have the PIN.

From the krb5_child log:

~~~
(Wed Sep  7 14:24:47 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279887.334159: Processing preauth types: 16, 15, 14, 136, 19, 147, 138, 133, 137
(Wed Sep  7 14:24:47 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279887.334181: Selected etype info: etype aes256-cts, salt "dce.sandia.govtjwitko", params ""
(Wed Sep  7 14:24:47 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279887.334190: Received cookie: MIT
(Wed Sep  7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279888.116467: Preauth module pkinit (147) (info) returned: 0/Success
(Wed Sep  7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Wed Sep  7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279888.878265: PKINIT client has no configured identity; giving up
(Wed Sep  7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279888.878288: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed
(Wed Sep  7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279888.878310: PKINIT client has no configured identity; giving up
(Wed Sep  7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279888.878318: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed
(Wed Sep  7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279888.878329: PKINIT client has no configured identity; giving up
~~~

From the p11_child log:

~~~
(Wed Sep  7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): Description [SCM Microsystems Inc. SCR35xx v2.0 USB SC Reader [CCID InterfaceUnknown                         ^G] Manufacturer [Unknown                         ^G] flags [7].
(Wed Sep  7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): Found [CoolKey] in slot [SCM Microsystems Inc. SCR35xx v2.0 USB SC Reader [CCID Interface][1] of module [2].
(Wed Sep  7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): Token is NOT friendly.
(Wed Sep  7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): Trying to switch to friendly to read certificate.
(Wed Sep  7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): Login required.
(Wed Sep  7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x0020): Login required but no pin available, continue.
(Wed Sep  7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): found cert[CoolKey:CAC ID Certificate][UID=89001000599522]
~~~

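As an added triage aid (this script is not part of the original article and is not a Red Hat or SSSD tool), the following parses the two debug logs quoted above for the markers that matter when sssd smart card authentication fails: which preauth types the KDC offered, which pkinit attempts failed and with what code, whether p11_child had to log in to the token and whether a PIN was available, which certificates it found, and whether krb5_child reported "no configured identity" or fell back to a password prompt. The sample input is a constructed subset of the log lines above (the reader-description line is omitted). The regular expressions are written for the log format shown on this page and may need adjusting for other sssd versions; the wording of the findings is my own summary of the log lines, not text from the article.

```python
import re

# Constructed sample input: a subset of the krb5_child and p11_child lines
# quoted in the issue above. Not a live capture.
KRB5_CHILD_LOG = """\
(Wed Sep  7 14:24:47 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279887.334159: Processing preauth types: 16, 15, 14, 136, 19, 147, 138, 133, 137
(Wed Sep  7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279888.116467: Preauth module pkinit (147) (info) returned: 0/Success
(Wed Sep  7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Wed Sep  7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279888.878265: PKINIT client has no configured identity; giving up
(Wed Sep  7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279888.878288: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed
(Wed Sep  7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279888.878318: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed
"""

P11_CHILD_LOG = """\
(Wed Sep  7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): Found [CoolKey] in slot [SCM Microsystems Inc. SCR35xx v2.0 USB SC Reader [CCID Interface][1] of module [2].
(Wed Sep  7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): Token is NOT friendly.
(Wed Sep  7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): Trying to switch to friendly to read certificate.
(Wed Sep  7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): Login required.
(Wed Sep  7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x0020): Login required but no pin available, continue.
(Wed Sep  7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): found cert[CoolKey:CAC ID Certificate][UID=89001000599522]
"""

# Patterns match the line shapes shown on this page (sssd 1.13-era debug output).
OFFERED_RE = re.compile(r"Processing preauth types: ([\d, ]+)$")
PREAUTH_RE = re.compile(r"Preauth module (\w+) \((\d+)\) \((\w+)\) returned: (-?\d+)/(.*)$")
P11_MSG_RE = re.compile(r"\[do_work\] \(0x[0-9a-f]+\): (.*)$")
CERT_RE = re.compile(r"found cert\[([^\]]+)\]\[([^\]]+)\]")


def parse_krb5_child(text):
    """Return (offered preauth types, per-module results, notable flags)."""
    offered, results = [], []
    flags = {"no_identity": False, "cannot_prompt": False}
    for line in text.splitlines():
        line = line.rstrip()
        m = OFFERED_RE.search(line)
        if m:
            offered = [int(t) for t in m.group(1).split(",")]
            continue
        m = PREAUTH_RE.search(line)
        if m:
            results.append({"module": m.group(1), "patype": int(m.group(2)),
                            "stage": m.group(3), "code": int(m.group(4)),
                            "message": m.group(5)})
            continue
        if "PKINIT client has no configured identity" in line:
            flags["no_identity"] = True
        elif "Cannot handle password prompts" in line:
            flags["cannot_prompt"] = True
    return offered, results, flags


def parse_p11_child(text):
    """Return token login state and the certificates p11_child reported."""
    info = {"login_required": False, "pin_available": None,
            "token_friendly": None, "certs": []}
    for line in text.splitlines():
        m = P11_MSG_RE.search(line)
        if not m:
            continue
        msg = m.group(1).strip()
        if msg == "Login required.":
            info["login_required"] = True
        elif msg.startswith("Login required but no pin available"):
            info["login_required"] = True
            info["pin_available"] = False
        elif msg == "Token is NOT friendly.":
            info["token_friendly"] = False
        c = CERT_RE.search(msg)
        if c:
            info["certs"].append((c.group(1), c.group(2)))
    return info


def diagnose(krb5_text, p11_text):
    """Combine both logs into a short list of findings for the failed login."""
    offered, results, flags = parse_krb5_child(krb5_text)
    p11 = parse_p11_child(p11_text)
    # Only the "real" stage counts as an actual preauth attempt; "info" is a probe.
    failed = sorted({r["patype"] for r in results
                     if r["stage"] == "real" and r["code"] != 0})
    findings = []
    if p11["login_required"] and p11["pin_available"] is False:
        findings.append("p11_child: token requires login but no PIN was passed; "
                        "certificate was read without logging in")
    if flags["no_identity"]:
        findings.append("krb5_child: PKINIT client reported no configured identity; "
                        "pkinit preauth did not succeed")
    if flags["cannot_prompt"]:
        findings.append("krb5_child: libkrb5 asked for a password prompt, "
                        "which sss_krb5_prompter cannot answer")
    return {"offered_preauth_types": offered, "failed_preauth_types": failed,
            "certs": p11["certs"], "findings": findings}


if __name__ == "__main__":
    report = diagnose(KRB5_CHILD_LOG, P11_CHILD_LOG)
    print("offered preauth types:", report["offered_preauth_types"])
    print("failed pkinit types:  ", report["failed_preauth_types"])
    print("certificates found:   ", report["certs"])
    for f in report["findings"]:
        print("-", f)
```

Run it against `/var/log/sssd/krb5_child.log` and `/var/log/sssd/p11_child.log` captured with `debug_level = 0x4000` or higher; the script only reads the two log texts, so feeding it the real files instead of the embedded sample is a two-line change. Note that p11_child still reports the certificate after "Login required but no pin available", so the certificate being found is not by itself evidence that the card was unlocked.
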
Environment

Red Hat Enterprise Linux 7.2
