Greetings!
Alt 8 SP.
Alt is joined to an Active Directory domain.
A user can successfully authenticate to AD with a password, and in that case receives a ticket.
I set up authentication with a certificate issued to the Active Directory user.
Certificate login is configured through the pam_pkcs11 module. Authentication succeeds, but the user does not receive a ticket.
control system-auth is switched to sss
Is it possible to configure certificate login to Active Directory so that a ticket is obtained?
Configs:
[user@altcert Рабочий стол]$ su - testuser2
DEBUG:pam_config.c:486: Using config file /etc/security/pam_pkcs11/pam_pkcs11.conf
DEBUG:pam_pkcs11.c:572: explicit username = [testuser2]
DEBUG:pam_pkcs11.c:261: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:1038: PKCS #11 module = [/usr/lib64/libjcPKCS11-2.so.2.7.2]
DEBUG:pkcs11_lib.c:1055: module permissions: uid = 0, gid = 0, mode = 755
DEBUG:pkcs11_lib.c:1064: loading module /usr/lib64/libjcPKCS11-2.so.2.7.2
DEBUG:pkcs11_lib.c:1072: getting function list
DEBUG:pam_pkcs11.c:279: initializing pkcs #11 module...
DEBUG:pkcs11_lib.c:1269: module information:
DEBUG:pkcs11_lib.c:1270: - version: 2.30
DEBUG:pkcs11_lib.c:1271: - manufacturer: Aladdin R.D.
DEBUG:pkcs11_lib.c:1272: - flags: 0000
DEBUG:pkcs11_lib.c:1273: - library description: JaCarta PKCS#11 module
DEBUG:pkcs11_lib.c:1274: - library version: 2.4
DEBUG:pkcs11_lib.c:1141: number of slots (a): 32
DEBUG:pkcs11_lib.c:1164: number of slots (b): 32
DEBUG:pkcs11_lib.c:1180: slot 1:
DEBUG:pkcs11_lib.c:1190: - description: Aladdin R.D. JaCarta [Main Interface] 00 00
DEBUG:pkcs11_lib.c:1191: - manufacturer: Aladdin R.D.
DEBUG:pkcs11_lib.c:1192: - flags: 0007
DEBUG:pkcs11_lib.c:1193: - HW version: 01.00
DEBUG:pkcs11_lib.c:1194: - FW version: 01.06
DEBUG:pkcs11_lib.c:1205: - token:
DEBUG:pkcs11_lib.c:1211: - label: PKI-GOST
DEBUG:pkcs11_lib.c:1212: - manufacturer: Aladdin R.D.
DEBUG:pkcs11_lib.c:1213: - model: eToken GOST
DEBUG:pkcs11_lib.c:1214: - serial: 0B53001811156965
DEBUG:pkcs11_lib.c:1215: - flags: 1040d
DEBUG:pkcs11_lib.c:1180: slot 2:
DEBUG:pkcs11_lib.c:1190: - description: Aladdin R.D. JaCarta [Main Interface] 00 00
DEBUG:pkcs11_lib.c:1191: - manufacturer: Aladdin R.D.
DEBUG:pkcs11_lib.c:1192: - flags: 0007
DEBUG:pkcs11_lib.c:1193: - HW version: 01.00
DEBUG:pkcs11_lib.c:1194: - FW version: 01.00
DEBUG:pkcs11_lib.c:1205: - token:
DEBUG:pkcs11_lib.c:1211: - label: JaCarta
DEBUG:pkcs11_lib.c:1212: - manufacturer: Aladdin R.D.
DEBUG:pkcs11_lib.c:1213: - model: JaCarta Laser
DEBUG:pkcs11_lib.c:1214: - serial: 0B53001811156965
DEBUG:pkcs11_lib.c:1215: - flags: 040c
DEBUG:pkcs11_lib.c:1501: opening a new RO PKCS #11 session for slot 2
DEBUG:pkcs11_lib.c:1511: C_OpenSession flags: 0x00000004
DEBUG:pkcs11_lib.c:1776: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1778: - type: 00
DEBUG:pkcs11_lib.c:1779: - id: 7b
DEBUG:pkcs11_lib.c:1811: Found 1 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'subject'
DEBUG:mapper_mgr.c:196: Inserting mapper [subject] into list
DEBUG:lowlevel_mgr.c:196: No use_lowlevel entry found in config
DEBUG:pam_pkcs11.c:724: verifying the certificate #1
DEBUG:cert_vfy.c:425: Neither CA nor CRL check requested. CertVrfy() skipped
DEBUG:mapper_mgr.c:317: Mapper module subject match() returns 1
DEBUG:pam_pkcs11.c:801: certificate is valid and matches the user
Welcome, JaCarta!
Enter the PIN for token Token:
DEBUG:pkcs11_lib.c:1529: login as user CKU_USER
DEBUG:pkcs11_lib.c:160: reading 128 random bytes from /dev/urandom
DEBUG:pkcs11_lib.c:179: random-value[128] = [88:63:dc:...:12]
DEBUG:pkcs11_lib.c:1887: C_GetAttributeValue keytype: 0
DEBUG:pkcs11_lib.c:1939: hash[35] = [...:63:f4:26:...:51]
DEBUG:pkcs11_lib.c:1942: C_SignInit: mech: 1, keytype: 0
DEBUG:pkcs11_lib.c:1974: signature[128] = [a3:e7:e4:...:fb]
DEBUG:pam_pkcs11.c:991: verifying signature...
DEBUG:cert_vfy.c:523: signature is valid
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() subject
DEBUG:mapper_mgr.c:148: Module subject is static: don't remove
DEBUG:pkcs11_lib.c:1642: logout user
DEBUG:pkcs11_lib.c:1649: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1655: releasing keys and certificates
DEBUG:pam_pkcs11.c:1124: releasing pkcs #11 module...
DEBUG:pam_pkcs11.c:1128: authentication succeeded
DEBUG:pam_pkcs11.c:1157: pam_sm_setcred() called
[testuser2@altcert ~]$ klist
klist: Credentials cache keyring 'persistent:40001613:krb_ccache_yMh358H' not found
/etc/sssd/sssd.conf
[domain/PKI.LOCAL]
id_provider = ad
auth_provider = ad
chpass_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
debug_level = 10
/etc/security/pam_pkcs11/pam_pkcs11.conf
use_pkcs11_module = jacarta;
pkcs11_module jacarta {
module = /usr/lib64/libjcPKCS11-2.so.2.7.2
slot_num = 2;
support_threads = true;
ca_dir = /etc/pam_pkcs11/cacerts;
crl_dir = /etc/pam_pkcs11/crls;
cert_policy = signature;
}
/etc/pam.d/system-auth-sss
#%PAM-1.0
auth required pam_env.so
auth [success=done default=bad] pam_tcb.so shadow fork prefix=$2y$ count=8 nullok
auth requisite pam_succeed_if.so uid >= 500 quiet
auth [success=1 ignore=ignore default=die] pam_pkcs11.so debug
auth required pam_sss.so
account [success=ignore default=1] pam_localuser.so
account [success=done default=bad] pam_tcb.so shadow fork
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password [success=ignore default=2] pam_localuser.so
password required pam_passwdqc.so config=/etc/passwdqc.conf
password [success=done default=bad] pam_tcb.so use_authtok shadow fork prefix=$2y$ count=8 nullok write_to=tcb
password requisite pam_succeed_if.so uid >= 500 quiet
password required pam_sss.so
-session optional pam_keyinit.so revoke
-session optional pam_systemd.so
session [success=1 default=ignore] pam_localuser.so
session [success=1 default=1] pam_sss.so
session optional pam_tcb.so
session required pam_mktemp.so
session required pam_mkhomedir.so silent
session required pam_limits.so
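Editorial note with an added example (not part of the original post, and not Alt's or sssd's shipped configuration). In the stack above pam_pkcs11 only verifies the card locally and never contacts the KDC, and its `success=1` jumps over the following pam_sss line, so sssd, the component that would request the TGT, is never invoked for a card login. Note also that `cert_policy = signature;` disables chain and CRL validation entirely, as the log line "Neither CA nor CRL check requested" confirms: any certificate whose subject matches the mapper would pass. The usual way to get a ticket from smart-card login with `control system-auth sss` is to let sssd do the whole job: `pam_cert_auth` in the [pam] section makes pam_sss prompt for the PIN, map the certificate to the AD account and perform PKINIT against the DC. The fragments below assume a DC named dc1.pki.local that holds a certificate from the same CA (Kerberos Authentication or Domain Controller template), the CA bundle paths shown, an sssd build with smart-card support and p11-kit, and that the user certificate carries the Smart Card Logon EKU and a UPN; all of these are assumptions.

```ini
# /etc/krb5.conf (fragment, added example; DC hostname and CA path are assumptions)
[libdefaults]
    default_realm = PKI.LOCAL

[realms]
    PKI.LOCAL = {
        # CA chain that issued both the user's and the DC's certificates
        pkinit_anchors = FILE:/etc/pki/pkinit/pki-local-ca.pem
        # AD DC certificates normally carry only the Server Authentication EKU
        # and no id-pkinit-san, so accept them by dNSName instead
        pkinit_eku_checking = kpServerAuth
        pkinit_kdc_hostname = dc1.pki.local
    }

# /etc/sssd/sssd.conf (fragment, added example)
[sssd]
services = nss, pam
domains = PKI.LOCAL

[pam]
# pam_sss asks for the PIN, matches the certificate to the AD user and
# obtains the TGT through PKINIT; without this sssd never touches the card
pam_cert_auth = True
# trust store p11_child uses to validate the user's certificate chain
pam_cert_db_path = /etc/sssd/pki/sssd_auth_ca_db.pem

[domain/PKI.LOCAL]
id_provider = ad
auth_provider = ad
chpass_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%d/%u

# Without a certmap section sssd compares the whole certificate with the
# user's userCertificate attribute in AD. This rule maps by UPN instead and
# additionally requires the Smart Card Logon EKU (assumed to be present).
[certmap/PKI.LOCAL/upn]
matchrule = <EKU>msScLogin
maprule = (userPrincipalName={subject_nt_principal})

# /etc/pkcs11/modules/jacarta.module (p11-kit registration, added example):
# sssd's p11_child enumerates tokens through p11-kit, so the vendor module
# from pam_pkcs11.conf has to be registered there as well.
module: /usr/lib64/libjcPKCS11-2.so.2.7.2

# Standalone PKINIT check that bypasses PAM entirely (MIT kinit syntax):
#   kinit -X X509_user_identity=PKCS11:/usr/lib64/libjcPKCS11-2.so.2.7.2 testuser2@PKI.LOCAL
# If this already fails, the problem is on the KDC/certificate side, not in sssd.
```

With this in place the `auth [success=1 ignore=ignore default=die] pam_pkcs11.so debug` line should be dropped from system-auth-sss so that pam_sss handles the card itself; after restarting sssd, a successful card login should show a `krbtgt/PKI.LOCAL@PKI.LOCAL` entry in `klist`. Keeping pam_pkcs11 alongside pam_sss gives two independent authenticators for the same card and, with `cert_policy = signature`, the weaker one wins.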