So, some background: my organization is moving from RHEL7, using the UI/Coolkey smart card setup for auto-lock on removal and authenticating to AD. We are in the process of upgrading to RHEL8 in our secure area (which means local-only connections with zero internet access). This process has been insanely complicated compared to RHEL7, and no matter how similar the guides, I just can't figure it out. Our support plan with Red Hat is the one-answer/email-per-24-hours one (I have no control over this) and has been next to worthless. I am going to detail everything I've done, and hopefully someone here can see where I am missing my last keystone.
- On Windows Server 2019:
  1. Open mmc.exe
  2. File > Add/Remove Snap-in…
  2a. Certificates > "Add >" > My user account > Trusted Root Certification Authorities
  3a. CA > All Tasks > Export
  3b. Certificate Export Wizard > Next > DER encoded binary X.509 (.CER) > name the file "ca_root.cer" > choose the destination > Next > "Summary of Details" > Finish
  4. scp the certificate to my RHEL8 box
- On RHEL8
- openssl x509 -inform der -in ca_root.cer -out ca_root.pem
- dnf install -y samba-common samba-common-tools oddjob-mkhomedir sssd authselect nss-tools ccid pcsc-lite pcsc-lite-devel pcsc-tools opensc gnutls-utils
- mkdir -p /etc/pki/ca-trust/source/anchors
- cp ca_root.pem /etc/pki/ca-trust/source/anchors/
- sudo update-ca-trust
- sudo certutil -A -i /etc/pki/ca-trust/source/anchors/ca_root.pem -n CA_ROOT -t CT,C,C -d /etc/pki/nssdb
- systemctl enable oddjobd.service
- systemctl start oddjobd.service
- touch /etc/sssd/sssd.conf
- chmod 600 /etc/sssd/sssd.conf
- chown root:root /etc/sssd/sssd.conf
- vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = mydomain.local
services = nss, pam, pac
[domain/MYDOMAIN.LOCAL]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
cache_credentials = true
[pam]
pam_cert_auth = True
- systemctl enable sssd.service
- systemctl start sssd.service
- vim /etc/krb5.conf
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# pkinit_anchors takes a FILE: (or DIR:) prefix, as in the stock RHEL 8 krb5.conf
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_realm = MYDOMAIN.LOCAL
default_ccache_name = KEYRING:persistent:%{uid}
- realm join -U myadminuser MYDOMAIN.LOCAL
- Verify the above sssd and krb5 files are largely unmodified, which each time I test appears to be the case.
- Enable authselect to handle the smartcards:
authselect select sssd with-smartcard with-smartcard-required with-smartcard-lock-on-removal --force
- I am able to use pcsc_scan, pkcs11_listcerts and pkcs11_inspect to see that my Dell KB813t is recognized along with my smart card and the certs on the card, and I can log in with my PIN on my RHEL7 and Windows 10 boxes. However, when I go to the RHEL8 login screen it just says:
Please (Re)Insert (Different) Smartcard
I am never able to get it to work unless I SSH in, remove the authselect stuff and log in with my username and password. While SSH'd in I check /var/log/secure and /var/log/messages, which show the same message as well as "unable to authenticate", but it never asks for my PIN like the RHEL7 or Win10 boxes do. I've tried following guides from Red Hat, VMware, Scribd, buildingtents, Citrix, BeyondTrust, Fedora and Reddit, and I even looked up how you'd do it on SUSE or Ubuntu, but no matter what guide I follow I end up at the same dead end. I see so many dead threads or Reddit posts asking the same question, "How do I set up smart cards on RHEL8?", which either end in "Okay, I figured it out!" or just go dead. Hopefully someone here can help piece the missing puzzle pieces together for me.
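The script below is an added example, not part of the original post and not Red Hat tooling. It re-reads the kind of sssd.conf and krb5.conf shown in the post plus the converted ca_root.pem and the bundle that update-ca-trust writes, and flags the pieces that have to line up: every name in `domains =` has a `[domain/...]` section, `[pam] pam_cert_auth` is true (sssd.conf(5) documents its default as false), `pkinit_anchors` carries the `FILE:`/`DIR:` prefix that MIT Kerberos documents for it, and the CA body really is inside the bundle. The sssd.conf, krb5.conf and certificate contents it creates under a temp directory are constructed stand-ins (the "certificates" are not real DER/PEM data), with the `pkinit_anchors` prefix deliberately dropped so one check fires.

```shell
#!/bin/bash
# Added example, not from the original post: offline sanity checks for the
# sssd.conf / krb5.conf / CA-trust pieces of the procedure above. Each check
# takes file paths, so it runs here on constructed copies and can be pointed at
# /etc/sssd/sssd.conf, /etc/krb5.conf, ca_root.pem and
# /etc/pki/tls/certs/ca-bundle.crt on the real host.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION].
# Section names compare case-insensitively; comments and blank lines are skipped.
ini_get() {
    awk -v sect="$2" -v key="$3" '
        { line = $0; sub(/[#;].*/, "", line)
          gsub(/^[[:space:]]+|[[:space:]]+$/, "", line) }
        line == ""   { next }
        line ~ /^\[/ { insec = (tolower(line) == "[" tolower(sect) "]"); next }
        insec && index(line, key) == 1 {
            rest = substr(line, length(key) + 1)
            if (rest ~ /^[[:space:]]*=/) {
                sub(/^[[:space:]]*=[[:space:]]*/, "", rest); print rest; exit
            }
        }' "$1"
}

# Every name in [sssd] "domains =" needs a matching [domain/NAME] section.
check_sssd_domains() {
    local conf=$1 doms d d_re rc=0
    doms=$(ini_get "$conf" sssd domains)
    [ -n "$doms" ] || { echo "FAIL: [sssd] has no 'domains =' line"; return 1; }
    for d in $(printf '%s' "$doms" | tr ',' ' '); do
        d_re=$(printf '%s' "$d" | sed 's/\./\\./g')   # escape dots for grep -E
        if grep -qiE "^[[:space:]]*\[domain/${d_re}\][[:space:]]*$" "$conf"; then
            echo "OK:   [domain/$d] section found for domains = $d"
        else
            echo "FAIL: domains lists '$d' but there is no [domain/$d] section"; rc=1
        fi
    done
    return $rc
}

# [pam] pam_cert_auth enables certificate (smart card) auth; sssd.conf(5) defaults it to false.
check_pam_cert_auth() {
    local v; v=$(ini_get "$1" pam pam_cert_auth | tr '[:upper:]' '[:lower:]')
    [ "$v" = "true" ] && { echo "OK:   pam_cert_auth = $v"; return 0; }
    echo "FAIL: [pam] pam_cert_auth is '${v:-unset}' (needs True)"; return 1
}

# pkinit_anchors must carry the FILE: or DIR: prefix MIT Kerberos documents for it.
check_pkinit_anchors() {
    local v; v=$(ini_get "$1" libdefaults pkinit_anchors)
    [ -n "$v" ] || { echo "FAIL: [libdefaults] has no pkinit_anchors"; return 1; }
    case "$v" in FILE:*|DIR:*) echo "OK:   pkinit_anchors = $v"; return 0 ;; esac
    echo "FAIL: pkinit_anchors = '$v' has no FILE:/DIR: prefix"; return 1
}

# Concatenated base64 bodies of every certificate block in a PEM file.
pem_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { f = 1; next }
         /-----END CERTIFICATE-----/   { f = 0; next }
         f' "$1" | tr -d '\n'
}

# check_ca_in_bundle CA_PEM BUNDLE: did update-ca-trust actually pull the CA in?
check_ca_in_bundle() {
    local body; body=$(pem_bodies "$1")
    [ -n "$body" ] || { echo "FAIL: $1 holds no PEM certificate (convert DER with openssl x509 -inform der first)"; return 1; }
    if pem_bodies "$2" | grep -qF -- "$body"; then
        echo "OK:   CA from $1 is present in $2"; return 0
    fi
    echo "FAIL: CA from $1 not in $2 (copy it to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust)"; return 1
}

# report SSSD_CONF KRB5_CONF CA_PEM BUNDLE: run every check; returns the failure count.
report() {
    local fails=0
    check_sssd_domains "$1"      || fails=$((fails + 1))
    check_pam_cert_auth "$1"     || fails=$((fails + 1))
    check_pkinit_anchors "$2"    || fails=$((fails + 1))
    check_ca_in_bundle "$3" "$4" || fails=$((fails + 1))
    echo "$fails check(s) failed"
    return $fails
}

# --- Constructed demo input mirroring the post's configs; the certificates are fake ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '[sssd]' 'config_file_version = 2' 'domains = mydomain.local' \
    'services = nss, pam, pac' '[domain/MYDOMAIN.LOCAL]' 'id_provider = ad' \
    '[pam]' 'pam_cert_auth = True' > "$tmp/sssd.conf"
printf '%s\n' 'includedir /etc/krb5.conf.d/' '[libdefaults]' 'dns_lookup_realm = false' \
    'pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt' 'default_realm = MYDOMAIN.LOCAL' > "$tmp/krb5.conf"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBfakeRootCAbody01' 'QUJDREVG' \
    '-----END CERTIFICATE-----' > "$tmp/ca_root.pem"
{ printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBsomeOtherCA' '-----END CERTIFICATE-----'
  cat "$tmp/ca_root.pem"; } > "$tmp/ca-bundle.crt"
# The prefix-less pkinit_anchors line is the one check that fails; with FILE: it passes.
sed 's|^pkinit_anchors = |pkinit_anchors = FILE:|' "$tmp/krb5.conf" > "$tmp/krb5-fixed.conf"

report "$tmp/sssd.conf" "$tmp/krb5.conf" "$tmp/ca_root.pem" "$tmp/ca-bundle.crt" || true
check_pkinit_anchors "$tmp/krb5-fixed.conf"
```

Run it as-is to see the constructed demo, or call `report /etc/sssd/sssd.conf /etc/krb5.conf ca_root.pem /etc/pki/tls/certs/ca-bundle.crt` on the RHEL8 box. One thing these file checks cannot see, and worth confirming in sssd.conf(5) on that host, is which CA store SSSD's p11_child validates the card certificate against: the certutil step above populates /etc/pki/nssdb, while sssd.conf(5) documents a separate `pam_cert_db_path` option (on the OpenSSL-backed SSSD builds its documented default is /etc/sssd/pki/sssd_auth_ca_db.pem), so the CA may need to be in that file too.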
Good luck to you. Wish we could be of more help here, but I’m personally unfamiliar, and it looks like most others are here.