The solid number of reductions tells me you hit this too close to home for some salty folks here.

1

So, some background: my organization is moving from RHEL7 using the UI/Coolkey Smartcard setup for autolock on removal and authenticating to the AD. We are in the process of upgrading to RHEL8 in our Secure Area (which means local only connections with zero internet access). This process has been insanely complicated versus RHEL7 and it seems no matter how similar the guides, I just can't figure it out. Our support plan with RedHat is the one answer/email per 24 hours one (I have no control over this) and has been next to worthless. I am going to detail out what all i've done and hopefully someone here can see where I am missing my last keystone.

  • On Windows Server 2019:
  1. Open mmc.exe
  2. File > Add/Remove Snap-in...
    2a. Certificates > "add>" > My User Acount
  3. Trust Root Certificate Authorities
    3a. CA > All Tasks > Export
    3b. Certificate Export Wizard > Next > DER Encoded Library x.509 (.CER) > name the file "ca_root.cer" > choose the destination > Next > 'Summary of Details' > Finish
  4. scp the certificate to my RHEL8 box
  • On RHEL8
  1. openssl x509 -inform der -in ca_root.cer -out ca_root.pem
  2. dnf install -y samba-common samba-common-tools oddjob-mkhomedir sssd authselect nss-tools ccid pcsc-lite pcsc-lite-devel pcsc-tools opensc gnutls-utils
  3. mkdir -p /etc/pki/ca-trust/source/anchors
  4. cp ca_root.pem /etc/pki/ca-trust/source/anchors/
  5. sudo update-ca-trust
  6. sudo certutil -A -i /etc/pki/ca-trust/source/anchors/ca_root.pem -n CA_ROOT -t CT,C,C -d /etc/pki/nssdb
  7. systemctl enable oddjobd.service
  8. systemctl start oddjobd.service
  9. touch /etc/sssd/sssd.conf
  10. chmod 600 touch /etc/sssd/sssd.conf
  11. chown root:root /etc/sssd/sssd.conf
  12. vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = mydomain.local
services = nss, pam, pac

[domain/MYDOMAIN.LOCAL]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
cache_credentials = true

[pam]
pam_cert_auth = True

  1. systemctl enable sssd.service
  2. systemctl start sssd.service
  3. vim /etc/krb5.conf
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    default_realm = MYDOMAIN.LOCAL
    default_ccache_name = KEYRING:persistent:%{uid}

  1. realm join -U myadminuser MYDOMAIN.LOCAL
  2. Verify the above sssd and krb5 files are largely unmodified, which each time I test appears to be the case.
  3. Enable authselect to handle the smartcards:
authselect select sssd  with-smartcard  with-smartcard-required with-smartcard-lock-on-removal --force

  1. I am able to use pcsc_scan, pkcs11_listcerts, and pkcs11_inspects to see that my Dell KB813t is recognized along with my smartcard, the certs on the card, and I can login with my pin on my RHEL7 and Windows 10 boxes. However, when I go to the RHEL8 Login Screen it just says:

Please (Re)Insert (Different) Smartcard

I am never able to get it to work unless I SSH in and remove the authselect stuff, login with my username and password, or while SSH'd in I check for /var/log/secure and /var/log/messages which show the same message as well as "unable to authenticate", but it never asks for my pin like the RHEL7 or Win10 boxes and I've tried following guides on RedHat, VMware, scribd, buildingtents, Citrix, beyondtrust, Fedora, Reddit, and I even to lookup how other you'd do it for SUSE or Ubuntu, but no matter what guide I follow I end up at the same dead end. I see so many dead threads or reddit posts asking the same question "how do I setup smart card on RHEL8?" which either ends in "Okay I figured it out!" or they just go dead. Hopefully someone here can help piece the missing puzzle pieces together for me.

1

So, some background: my organization is moving from RHEL7 using the UI/Coolkey Smartcard setup for autolock on removal and authenticating to the AD. We are in the process of upgrading to RHEL8 in our Secure Area (which means local only connections with zero internet access). This process has been insanely complicated versus RHEL7 and it seems no matter how similar the guides, I just can't figure it out. Our support plan with RedHat is the one answer/email per 24 hours one (I have no control over this) and has been next to worthless. I am going to detail out what all i've done and hopefully someone here can see where I am missing my last keystone.

  • On Windows Server 2019:
  1. Open mmc.exe
  2. File > Add/Remove Snap-in...
    2a. Certificates > "add>" > My User Acount
  3. Trust Root Certificate Authorities
    3a. CA > All Tasks > Export
    3b. Certificate Export Wizard > Next > DER Encoded Library x.509 (.CER) > name the file "ca_root.cer" > choose the destination > Next > 'Summary of Details' > Finish
  4. scp the certificate to my RHEL8 box
  • On RHEL8
  1. openssl x509 -inform der -in ca_root.cer -out ca_root.pem
  2. dnf install -y samba-common samba-common-tools oddjob-mkhomedir sssd authselect nss-tools ccid pcsc-lite pcsc-lite-devel pcsc-tools opensc gnutls-utils
  3. mkdir -p /etc/pki/ca-trust/source/anchors
  4. cp ca_root.pem /etc/pki/ca-trust/source/anchors/
  5. sudo update-ca-trust
  6. sudo certutil -A -i /etc/pki/ca-trust/source/anchors/ca_root.pem -n CA_ROOT -t CT,C,C -d /etc/pki/nssdb
  7. systemctl enable oddjobd.service
  8. systemctl start oddjobd.service
  9. touch /etc/sssd/sssd.conf
  10. chmod 600 touch /etc/sssd/sssd.conf
  11. chown root:root /etc/sssd/sssd.conf
  12. vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = mydomain.local
services = nss, pam, pac

[domain/MYDOMAIN.LOCAL]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
cache_credentials = true

[pam]
pam_cert_auth = True

  1. systemctl enable sssd.service
  2. systemctl start sssd.service
  3. vim /etc/krb5.conf
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    default_realm = MYDOMAIN.LOCAL
    default_ccache_name = KEYRING:persistent:%{uid}

  1. realm join -U myadminuser MYDOMAIN.LOCAL
  2. Verify the above sssd and krb5 files are largely unmodified, which each time I test appears to be the case.
  3. Enable authselect to handle the smartcards:
authselect select sssd  with-smartcard  with-smartcard-required with-smartcard-lock-on-removal --force

  1. I am able to use pcsc_scan, pkcs11_listcerts, and pkcs11_inspects to see that my Dell KB813t is recognized along with my smartcard, the certs on the card, and I can login with my pin on my RHEL7 and Windows 10 boxes. However, when I go to the RHEL8 Login Screen it just says:

Please (Re)Insert (Different) Smartcard

I am never able to get it to work unless I SSH in and remove the authselect stuff, login with my username and password, or while SSH'd in I check for /var/log/secure and /var/log/messages which show the same message as well as "unable to authenticate", but it never asks for my pin like the RHEL7 or Win10 boxes and I've tried following guides on RedHat, VMware, scribd, buildingtents, Citrix, beyondtrust, Fedora, Reddit, and I even to lookup how other you'd do it for SUSE or Ubuntu, but no matter what guide I follow I end up at the same dead end. I see so many dead threads or reddit posts asking the same question "how do I setup smart card on RHEL8?" which either ends in "Okay I figured it out!" or they just go dead. Hopefully someone here can help piece the missing puzzle pieces together for me.

1

So, some background: my organization is moving from RHEL7 using the UI/Coolkey Smartcard setup for autolock on removal and authenticating to the AD. We are in the process of upgrading to RHEL8 in our Secure Area (which means local only connections with zero internet access). This process has been insanely complicated versus RHEL7 and it seems no matter how similar the guides, I just can't figure it out. Our support plan with RedHat is the one answer/email per 24 hours one (I have no control over this) and has been next to worthless. I am going to detail out what all i've done and hopefully someone here can see where I am missing my last keystone.

  • On Windows Server 2019:
  1. Open mmc.exe
  2. File > Add/Remove Snap-in...
    2a. Certificates > "add>" > My User Acount
  3. Trust Root Certificate Authorities
    3a. CA > All Tasks > Export
    3b. Certificate Export Wizard > Next > DER Encoded Library x.509 (.CER) > name the file "ca_root.cer" > choose the destination > Next > 'Summary of Details' > Finish
  4. scp the certificate to my RHEL8 box
  • On RHEL8
  1. openssl x509 -inform der -in ca_root.cer -out ca_root.pem
  2. dnf install -y samba-common samba-common-tools oddjob-mkhomedir sssd authselect nss-tools ccid pcsc-lite pcsc-lite-devel pcsc-tools opensc gnutls-utils
  3. mkdir -p /etc/pki/ca-trust/source/anchors
  4. cp ca_root.pem /etc/pki/ca-trust/source/anchors/
  5. sudo update-ca-trust
  6. sudo certutil -A -i /etc/pki/ca-trust/source/anchors/ca_root.pem -n CA_ROOT -t CT,C,C -d /etc/pki/nssdb
  7. systemctl enable oddjobd.service
  8. systemctl start oddjobd.service
  9. touch /etc/sssd/sssd.conf
  10. chmod 600 touch /etc/sssd/sssd.conf
  11. chown root:root /etc/sssd/sssd.conf
  12. vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = mydomain.local
services = nss, pam, pac

[domain/MYDOMAIN.LOCAL]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
cache_credentials = true

[pam]
pam_cert_auth = True

  1. systemctl enable sssd.service
  2. systemctl start sssd.service
  3. vim /etc/krb5.conf
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    default_realm = MYDOMAIN.LOCAL
    default_ccache_name = KEYRING:persistent:%{uid}

  1. realm join -U myadminuser MYDOMAIN.LOCAL
  2. Verify the above sssd and krb5 files are largely unmodified, which each time I test appears to be the case.
  3. Enable authselect to handle the smartcards:
authselect select sssd  with-smartcard  with-smartcard-required with-smartcard-lock-on-removal --force

  1. I am able to use pcsc_scan, pkcs11_listcerts, and pkcs11_inspects to see that my Dell KB813t is recognized along with my smartcard, the certs on the card, and I can login with my pin on my RHEL7 and Windows 10 boxes. However, when I go to the RHEL8 Login Screen it just says:

Please (Re)Insert (Different) Smartcard

I am never able to get it to work unless I SSH in and remove the authselect stuff, login with my username and password, or while SSH'd in I check for /var/log/secure and /var/log/messages which show the same message as well as "unable to authenticate", but it never asks for my pin like the RHEL7 or Win10 boxes and I've tried following guides on RedHat, VMware, scribd, buildingtents, Citrix, beyondtrust, Fedora, Reddit, and I even to lookup how other you'd do it for SUSE or Ubuntu, but no matter what guide I follow I end up at the same dead end. I see so many dead threads or reddit posts asking the same question "how do I setup smart card on RHEL8?" which either ends in "Okay I figured it out!" or they just go dead. Hopefully someone here can help piece the missing puzzle pieces together for me.

I was not aware of the kbin enhancement suite. Very helpful!

AdamantiteAdventurer

joined 1 year ago