How do I configure sssd to authenticate users using a PIV smart card on RHEL7?
Issue
The sssd configuration appears to be attempting PKINIT; however, the p11_child.log does not seem to have the PIN.
From the krb5_child log:
~~~
(Wed Sep 7 14:24:47 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279887.334159: Processing preauth types: 16, 15, 14, 136, 19, 147, 138, 133, 137
(Wed Sep 7 14:24:47 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279887.334181: Selected etype info: etype aes256-cts, salt "dce.sandia.govtjwitko", params ""
(Wed Sep 7 14:24:47 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279887.334190: Received cookie: MIT
(Wed Sep 7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279888.116467: Preauth module pkinit (147) (info) returned: 0/Success
(Wed Sep 7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Wed Sep 7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279888.878265: PKINIT client has no configured identity; giving up
(Wed Sep 7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279888.878288: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed
(Wed Sep 7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279888.878310: PKINIT client has no configured identity; giving up
(Wed Sep 7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279888.878318: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed
(Wed Sep 7 14:24:48 2016) [[sssd[krb5_child[21093]]]] [sss_child_krb5_trace_cb] (0x4000): [21093] 1473279888.878329: PKINIT client has no configured identity; giving up
~~~
From the p11_child log:
~~~
(Wed Sep 7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): Description [SCM Microsystems Inc. SCR35xx v2.0 USB SC Reader [CCID InterfaceUnknown ^G] Manufacturer [Unknown ^G] flags [7].
(Wed Sep 7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): Found [CoolKey] in slot [SCM Microsystems Inc. SCR35xx v2.0 USB SC Reader [CCID Interface][1] of module [2].
(Wed Sep 7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): Token is NOT friendly.
(Wed Sep 7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): Trying to switch to friendly to read certificate.
(Wed Sep 7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): Login required.
(Wed Sep 7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x0020): Login required but no pin available, continue.
(Wed Sep 7 14:24:38 2016) [[sssd[p11_child[21091]]]] [do_work] (0x4000): found cert[CoolKey:CAC ID Certificate][UID=89001000599522]
~~~
Environment
Red Hat Enterprise Linux 7.2
