Author Topic: Certificate authentication in AD (Read 458 times)

vanchen

  • Beginner
  • Posts: 1
Hello!

ALT 8 SP.
The ALT host is joined to an Active Directory domain.
A user can successfully authenticate against AD with a password, and receives a ticket.
I set up authentication with a certificate issued to the Active Directory user.
Certificate login is configured through the pam_pkcs11 module. Authentication succeeds, but the user does not get a ticket.
control system-auth is switched to sss

Is it possible to configure certificate login to Active Directory so that a ticket is obtained?

Configs:

[user@altcert Рабочий стол]$ su - testuser2
DEBUG:pam_config.c:486: Using config file /etc/security/pam_pkcs11/pam_pkcs11.conf
DEBUG:pam_pkcs11.c:572: explicit username = [testuser2]
DEBUG:pam_pkcs11.c:261: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:1038: PKCS #11 module = [/usr/lib64/libjcPKCS11-2.so.2.7.2]
DEBUG:pkcs11_lib.c:1055: module permissions: uid = 0, gid = 0, mode = 755
DEBUG:pkcs11_lib.c:1064: loading module /usr/lib64/libjcPKCS11-2.so.2.7.2
DEBUG:pkcs11_lib.c:1072: getting function list
DEBUG:pam_pkcs11.c:279: initializing pkcs #11 module...
DEBUG:pkcs11_lib.c:1269: module information:
DEBUG:pkcs11_lib.c:1270: - version: 2.30
DEBUG:pkcs11_lib.c:1271: - manufacturer: Aladdin R.D.                   
DEBUG:pkcs11_lib.c:1272: - flags: 0000
DEBUG:pkcs11_lib.c:1273: - library description: JaCarta PKCS#11 module         
DEBUG:pkcs11_lib.c:1274: - library version: 2.4
DEBUG:pkcs11_lib.c:1141: number of slots (a): 32
DEBUG:pkcs11_lib.c:1164: number of slots (b): 32
DEBUG:pkcs11_lib.c:1180: slot 1:
DEBUG:pkcs11_lib.c:1190: - description: Aladdin R.D. JaCarta [Main Interface] 00 00                     
DEBUG:pkcs11_lib.c:1191: - manufacturer: Aladdin R.D.                   
DEBUG:pkcs11_lib.c:1192: - flags: 0007
DEBUG:pkcs11_lib.c:1193: - HW version: 01.00
DEBUG:pkcs11_lib.c:1194: - FW version: 01.06
DEBUG:pkcs11_lib.c:1205: - token:
DEBUG:pkcs11_lib.c:1211:   - label: PKI-GOST                       
DEBUG:pkcs11_lib.c:1212:   - manufacturer: Aladdin R.D.                   
DEBUG:pkcs11_lib.c:1213:   - model: eToken GOST     
DEBUG:pkcs11_lib.c:1214:   - serial: 0B53001811156965
DEBUG:pkcs11_lib.c:1215:   - flags: 1040d
DEBUG:pkcs11_lib.c:1180: slot 2:
DEBUG:pkcs11_lib.c:1190: - description: Aladdin R.D. JaCarta [Main Interface] 00 00                     
DEBUG:pkcs11_lib.c:1191: - manufacturer: Aladdin R.D.                   
DEBUG:pkcs11_lib.c:1192: - flags: 0007
DEBUG:pkcs11_lib.c:1193: - HW version: 01.00
DEBUG:pkcs11_lib.c:1194: - FW version: 01.00
DEBUG:pkcs11_lib.c:1205: - token:
DEBUG:pkcs11_lib.c:1211:   - label: JaCarta                         
DEBUG:pkcs11_lib.c:1212:   - manufacturer: Aladdin R.D.                   
DEBUG:pkcs11_lib.c:1213:   - model: JaCarta Laser   
DEBUG:pkcs11_lib.c:1214:   - serial: 0B53001811156965
DEBUG:pkcs11_lib.c:1215:   - flags: 040c
DEBUG:pkcs11_lib.c:1501: opening a new RO PKCS #11 session for slot 2
DEBUG:pkcs11_lib.c:1511: C_OpenSession flags: 0x00000004
DEBUG:pkcs11_lib.c:1776: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1778: - type: 00
DEBUG:pkcs11_lib.c:1779: - id:   7b
DEBUG:pkcs11_lib.c:1811: Found 1 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'subject'
DEBUG:mapper_mgr.c:196: Inserting mapper [subject] into list
DEBUG:lowlevel_mgr.c:196: No use_lowlevel entry found in config
DEBUG:pam_pkcs11.c:724: verifying the certificate #1
DEBUG:cert_vfy.c:425: Neither CA nor CRL check requested. CertVrfy() skipped
DEBUG:mapper_mgr.c:317: Mapper module subject match() returns 1
DEBUG:pam_pkcs11.c:801: certificate is valid and matches the user
Добро пожаловать, JaCarta!
Введите PIN-код токена Токен:
DEBUG:pkcs11_lib.c:1529: login as user CKU_USER
DEBUG:pkcs11_lib.c:160: reading 128 random bytes from /dev/urandom
DEBUG:pkcs11_lib.c:179: random-value[128] = [88:63:dc:...:12]
DEBUG:pkcs11_lib.c:1887: C_GetAttributeValue keytype: 0
DEBUG:pkcs11_lib.c:1939: hash[35] = [...:63:f4:26:...:51]
DEBUG:pkcs11_lib.c:1942: C_SignInit: mech: 1, keytype: 0
DEBUG:pkcs11_lib.c:1974: signature[128] = [a3:e7:e4:...:fb]
DEBUG:pam_pkcs11.c:991: verifying signature...
DEBUG:cert_vfy.c:523: signature is valid
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() subject
DEBUG:mapper_mgr.c:148: Module subject is static: don't remove
DEBUG:pkcs11_lib.c:1642: logout user
DEBUG:pkcs11_lib.c:1649: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1655: releasing keys and certificates
DEBUG:pam_pkcs11.c:1124: releasing pkcs #11 module...
DEBUG:pam_pkcs11.c:1128: authentication succeeded
DEBUG:pam_pkcs11.c:1157: pam_sm_setcred() called
[testuser2@altcert ~]$ klist
klist: Credentials cache keyring 'persistent:40001613:krb_ccache_yMh358H' not found

/etc/sssd/sssd.conf

[domain/PKI.LOCAL]
id_provider = ad
auth_provider = ad
chpass_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
debug_level = 10


/etc/security/pam_pkcs11/pam_pkcs11.conf

use_pkcs11_module = jacarta;

pkcs11_module jacarta {
    module = /usr/lib64/libjcPKCS11-2.so.2.7.2
    slot_num = 2;
    support_threads = true;
    ca_dir = /etc/pam_pkcs11/cacerts;
    crl_dir = /etc/pam_pkcs11/crls;
    cert_policy = signature;
}


/etc/pam.d/system-auth-sss

#%PAM-1.0
auth      required   pam_env.so
auth      [success=done default=bad]   pam_tcb.so shadow fork prefix=$2y$ count=8 nullok
auth      requisite   pam_succeed_if.so uid >= 500 quiet
auth        [success=1 ignore=ignore default=die] pam_pkcs11.so debug
auth      required   pam_sss.so

account      [success=ignore default=1]   pam_localuser.so
account      [success=done default=bad]   pam_tcb.so shadow fork
account      sufficient   pam_succeed_if.so uid < 500 quiet
account      [default=bad success=ok user_unknown=ignore]   pam_sss.so
account      required   pam_permit.so

password   [success=ignore default=2]   pam_localuser.so
password   required   pam_passwdqc.so config=/etc/passwdqc.conf
password   [success=done default=bad]   pam_tcb.so use_authtok shadow fork prefix=$2y$ count=8 nullok write_to=tcb
password   requisite   pam_succeed_if.so uid >= 500 quiet
password   required   pam_sss.so

-session   optional   pam_keyinit.so revoke
-session   optional   pam_systemd.so
session      [success=1 default=ignore]   pam_localuser.so
session      [success=1 default=1]   pam_sss.so
session      optional   pam_tcb.so
session      required   pam_mktemp.so
session      required   pam_mkhomedir.so silent
session      required   pam_limits.so
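The log above explains the missing ticket: pam_pkcs11 only proves locally that the card holds the private key for the certificate (and, because of cert_policy = signature, the line "Neither CA nor CRL check requested" shows it never validates the chain to an issuing CA), and the PAM stack's `[success=1 ...]` control then skips pam_sss, so nothing ever talks to the KDC. A Kerberos ticket from a certificate comes only from PKINIT, which SSSD performs itself when its own smart card authentication is enabled. The fragments below are an added example, not the poster's configuration or ALT's stock files: the realm, user and PKCS#11 module path are taken from the post, while the CA bundle path, the domain controller hostname and the exact pam_cert_db_path format are assumptions that depend on the SSSD version and the AD CS deployment.

```ini
; /etc/sssd/sssd.conf (example; the [domain] section is the one from the post)
[sssd]
domains = PKI.LOCAL
services = nss, pam

[pam]
; SSSD handles the card itself: p11_child validates the user certificate
; against the CA bundle below, then krb5_child performs PKINIT with the
; card's private key. The TGT that pam_pkcs11 never requests comes from here.
pam_cert_auth = True
; ASSUMPTION: location/format depends on the SSSD build (NSS database on
; older 1.x builds, PEM bundle on OpenSSL builds).
pam_cert_db_path = /etc/sssd/pki/sssd_auth_ca_db.pem

[domain/PKI.LOCAL]
id_provider = ad
auth_provider = ad
chpass_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
debug_level = 10
; With the ad provider, the card certificate is matched to the account via the
; AD user's userCertificate attribute, so the user certificate must be
; published there (or a [certmap/PKI.LOCAL/<rule>] section must map it).

; /etc/krb5.conf fragment (example). The KDC hostname and CA bundle are placeholders.
[realms]
PKI.LOCAL = {
    ; CA chain that issued both the domain controller (KDC) and user certificates
    pkinit_anchors = FILE:/etc/sssd/pki/sssd_auth_ca_db.pem
    ; AD domain controller certificates normally carry the Server Authentication
    ; EKU rather than id-pkinit-KPKdc, so accept that EKU and pin the KDC name
    ; instead of leaving the KDC certificate check unconstrained.
    pkinit_eku_checking = kpServerAuth
    pkinit_kdc_hostname = dc01.pki.local
}

; Diagnostic (run as the user with the card inserted) to confirm the KDC
; accepts the certificate before touching PAM; this is MIT kinit's documented
; X509_user_identity syntax:
;   kinit -X X509_user_identity=PKCS11:module_name=/usr/lib64/libjcPKCS11-2.so.2.7.2 testuser2@PKI.LOCAL
;   klist
```

If the kinit check yields a ticket, the PAM side follows: with pam_cert_auth enabled the `auth [success=1 ignore=ignore default=die] pam_pkcs11.so debug` line is removed so that the request reaches pam_sss, which prompts for the PIN itself and leaves the ticket in the credentials cache that klist reported as missing. If kinit fails, the KDC-side output (PKINIT error, unmapped certificate, untrusted chain) points at the certificate mapping or the trust anchors rather than at PAM.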