IdM allows authenticating to an IdM-enrolled host by presenting a SmartCard certificate instead of a username/password. The steps below are based on system console authentication, but the process is similar for Gnome desktop login authentication.
When the authentication fails, the issue usually comes from a wrong configuration of the IdM system for SmartCard, or of PKINIT.
Configuration of the IdM host for SmartCard authentication
If the console does not even prompt for the SmartCard PIN, chances are high that the system was not properly configured for SmartCard authentication.
SSSD configuration for smart card
Check that /etc/sssd/sssd.conf contains
[pam]
pam_cert_auth = True
If you need to update the file, do not forget to restart sssd with
root@ipaclient$ systemctl restart sssd
SmartCard CA must be trusted
Check that the SmartCard CA is trusted in the /etc/pki/nssdb database:
root@ipaclient$ certutil -L -d /etc/pki/nssdb/
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
SmartCardCA                                                  CT,C,C
If the CA is not present, add it using:
root@ipaclient$ certutil -A -d /etc/pki/nssdb -n SmartCardCA -t CT,C,C -i ca.pem
IdM host PKCS#11 module
Check that the IdM host is properly configured for SmartCards: the opensc package must be installed, the SmartCard daemon must be running, and the PKCS#11 module must be loaded.
root@ipaclient$ dnf install opensc
root@ipaclient$ systemctl start pcscd.service pcscd.socket
root@ipaclient$ modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile /usr/lib64/opensc-pkcs11.so
Configuration for PKINIT
If the console prompts for the SmartCard PIN but displays
ipaclient login: demosc1
Pin for PIV Card:
Login incorrect
it is possible that authentication fails while acquiring a Kerberos ticket with PKINIT. In this case, log in to the IdM host with username/password and run kinit manually to get more information:
root@ipaclient$ kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' demosc1
If the command outputs the following:
kinit: Pre-authentication failed: Failed to verify own certificate (depth 1): self signed certificate in certificate chain while getting initial credentials
then check the content of /etc/krb5.conf on the IdM host. The [realms] section must contain a configuration for the IdM realm with pkinit_anchors:
[realms]
IPADOMAIN.COM = {
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
The file defined in pkinit_anchors must exist, be readable and contain the certificate of the CA that signed the SmartCard certificate. If that is not the case, run the following commands on any IPA server:
root@ipaserver$ ipa-cacert-manage install -n SmartCardCA -t CT,C,C -p $DM_PWD ca.pem
root@ipaserver$ ipa-certupdate
Then run the ipa-certupdate command on all IdM hosts so that they download the certificate.
If the kinit command outputs the following:
kinit: Certificate mismatch while getting initial credentials
check that the SmartCard certificate is associated with the username provided in the console (see mapping between a SmartCard certificate and an IdM user).
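As an added example (not code from the post or from FreeIPA), a POSIX shell script that automates the read-only checks above: pam_cert_auth in sssd.conf, the pkinit_anchors path for the realm in krb5.conf, and whether that bundle actually contains the SmartCard CA. It assumes the realm name and paths shown in the post; the sample inputs used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeIPA: read-only checks over
# the files the post tells you to inspect. Every path is a parameter, so the functions
# can be pointed at constructed sample files as well as at the real ones.

# 0 if the [pam] section of an sssd.conf sets pam_cert_auth = True
check_pam_cert_auth() {
    awk 'BEGIN { ok = 1 }
         { gsub(/=/, " = ") }                 # tolerate "key=value" without spaces
         /^\[/ { inpam = ($1 == "[pam]") }
         inpam && $1 == "pam_cert_auth" && tolower($3) == "true" { ok = 0 }
         END { exit ok }' "$1"
}

# print the path named by pkinit_anchors inside REALM's block of a krb5.conf
pkinit_anchor_path() {
    awk -v realm="$2" '
        { gsub(/=/, " = ") }
        /^\[/ { insec = ($1 == "[realms]") }
        insec && $1 == realm && $2 == "=" { inrealm = 1 }
        inrealm && $1 == "pkinit_anchors" { sub(/^FILE:/, "", $3); print $3; exit }
        inrealm && /^[[:space:]]*}/ { inrealm = 0 }' "$1"
}

# one line per certificate in a PEM file: its base64 body with newlines removed
pem_bodies() {
    awk '/BEGIN CERTIFICATE/ { b = ""; next }
         /END CERTIFICATE/ { print b; next }
         { b = b $0 }' "$1"
}

# 0 if the first certificate in CA_PEM also appears in the bundle ANCHORS
anchor_has_ca() {
    ca=$(pem_bodies "$2" | head -n 1)
    [ -n "$ca" ] && pem_bodies "$1" | grep -Fxq -- "$ca"
}

# troubleshoot SSSD_CONF KRB5_CONF REALM CA_PEM: print each failed check, return 1 if any
troubleshoot() {
    rc=0
    check_pam_cert_auth "$1" || { echo "[pam] pam_cert_auth = True missing in $1"; rc=1; }
    anchors=$(pkinit_anchor_path "$2" "$3")
    if [ -z "$anchors" ]; then echo "no pkinit_anchors for realm $3 in $2"; rc=1
    elif [ ! -r "$anchors" ]; then echo "pkinit_anchors file $anchors is not readable"; rc=1
    elif ! anchor_has_ca "$anchors" "$4"; then echo "$anchors does not contain the SmartCard CA"; rc=1
    fi
    return $rc
}
# On a real client (paths and realm as in the post):
# troubleshoot /etc/sssd/sssd.conf /etc/krb5.conf IPADOMAIN.COM ca.pem
```

A non-zero exit with a message tells you which of the post's sections to revisit; the script changes nothing on the host.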