[SmartcardServices-Users] CAC login

Yoann Gini yoann.gini at gmail.com
Tue Sep 10 11:10:05 PDT 2013


Hi John,

On 10 Sept 2013 at 18:38, John Daly <john.l.daly at navy.mil> wrote:

> I can get local account logins to work great with pubkey hash.  For one
> afternoon, I could get my test clients to authenticate to the open
> directory, but I couldn't log in because the home folder wouldn't mount, and
> then with no configuration changes, it simply quit working, and I can't get
> any more test machines to work again.

What kind of automount setup do you have? AFP? SMB? NFS?

The key thing is, at login time, you need all the information required to connect to the mount point as the authenticated user.

For example, if it’s an NFS export, you don’t have to use any credentials to connect to your server, just an accepted IP.

If it’s AFP or SMB, you have to authenticate as the user to your server. And to do that your computer has to send some credentials. Obviously, you have the username but not the password, so you can’t use a SASL scheme for this step.

So, you have to use Kerberos. But before using Kerberos to access your mount point, you need to be sure that you can actually get a TGT with your smartcard. And here it starts to be somewhat tricky…

The simple way to test your Kerberos setup with a SmartCard is to use kinit on the command line; if you check the man page you can read this:

       -X attribute[=value]
              specify a pre-authentication  attribute  and  value  to  be  interpreted  by
              pre-authentication  modules.  The acceptable attribute and value values vary
              from module to module.  This option may be specified multiple times to spec-
              ify  multiple  attributes.   If  no  value is specified, it is assumed to be
              "yes".

              The following attributes are recognized  by  the  PKINIT  pre-authentication
              mechanism:

              X509_user_identity=value
                     specify where to find user's X509 identity information

              X509_anchors=value
                     specify where to find trusted X509 anchor information

              flag_RSA_PROTOCOL[=yes]
                     specify use of RSA, rather than the default Diffie-Hellman protocol

So, your server has to be PKINIT compatible… Can you check that?

If it is, you can read the common Heimdal PKINIT articles to be able to obtain a TGT with kinit and your smart card.

For information, I’ve never tried that. I will try to take some time to do it…

Best regards,
Yoann Gini
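The kinit-based check Yoann describes, written out as an added example script (not code from the list post or from the SmartcardServices project). It builds the `-X` PKINIT attributes quoted from the man page, runs kinit against the smart card, and then confirms that a krbtgt for the realm actually landed in the credential cache before any AFP/SMB home-folder mount is attempted. The PKCS#11 module path, CA bundle path, realm and principal are placeholders; the `PKCS11:module_name=` identity syntax follows the MIT man page quoted above (Heimdal's identity string format differs, so check your kinit's own man page).

```shell
#!/bin/sh
# Added example: verify that a smart card can obtain a Kerberos TGT via PKINIT
# before debugging the home-folder automount. Placeholders below are assumptions.

PKCS11_MODULE="${PKCS11_MODULE:-/usr/local/lib/opensc-pkcs11.so}"   # placeholder path
CA_ANCHORS="${CA_ANCHORS:-/etc/krb5/ca-bundle.pem}"                 # placeholder path
REALM="${REALM:-EXAMPLE.COM}"                                        # placeholder realm

# Print the kinit argument list for PKINIT, one argument per line, so it can be
# reviewed (the -X attributes are the ones quoted from the kinit man page).
pkinit_args() {
    principal="$1"
    printf '%s\n' "-X" "X509_user_identity=PKCS11:module_name=${PKCS11_MODULE}" \
                  "-X" "X509_anchors=FILE:${CA_ANCHORS}" \
                  "${principal}"
}

# Given klist-style output and a realm, return 0 when a krbtgt for that realm is
# listed (PKINIT produced a usable TGT), 1 otherwise.
has_tgt_for_realm() {
    klist_output="$1"
    realm="$2"
    printf '%s\n' "$klist_output" | grep -q "krbtgt/${realm}@${realm}"
}

# Run the real check on a machine with a card inserted: kinit with the smart
# card, then inspect the cache. Not run automatically; call it explicitly.
run_pkinit_check() {
    principal="$1"
    echo "Running: kinit $(pkinit_args "$principal" | tr '\n' ' ')"
    kinit -X "X509_user_identity=PKCS11:module_name=${PKCS11_MODULE}" \
          -X "X509_anchors=FILE:${CA_ANCHORS}" "$principal" || {
        echo "kinit (PKINIT) failed: check that the KDC is PKINIT-capable and trusts the card's CA"
        return 1
    }
    cache=$(klist 2>/dev/null)
    if has_tgt_for_realm "$cache" "$REALM"; then
        echo "TGT obtained for ${principal}; a Kerberos-authenticated mount can now be tried"
        return 0
    fi
    echo "kinit succeeded but no krbtgt/${REALM} is in the credential cache"
    return 1
}
```

Source the script and call `run_pkinit_check user@EXAMPLE.COM` on a test client; a failure at the kinit step points at the KDC or PKINIT trust setup, while a failure at the klist step means the mount problem is downstream of Kerberos.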

