我尝试在 Samba4 域 (Samba AD) 中实现智能卡身份验证。目前我有两个域控制器 (CentOS)、一个文件服务器和多个客户端 (CentOS 和 Windows)。关于智能卡,我有一个“Téo by Xiring”读卡器和一个“Gemalto IDPrime 510 (.Net V3)”卡。我也有适当的驱动程序,我可以在 Windows 上使用智能卡进行身份验证,但在 CentOS 上无法实现。
CentOS 似乎识别了智能卡读卡器和卡(在 lsusb -v 中显示,插入卡会启动“智能卡管理器”,但会提示证书未知且卡未格式化)。但是使用模块libgtop11dotnet我可以使用 pkcs11-tool 读取证书,甚至可以使用相应的 PIN 进行连接(但我必须指定模块)。尽管如此,我还是无法使用智能卡登录 CentOS。即使强制使用智能卡登录,也没有任何反应。是否需要对 pam_pkcs11 或 Kerberos 进行特殊修改以指定使用哪个模块或将用户证书与域用户链接起来?
所有命令如:opensc-tool -n、pklogin_finder debug、pkcs11_inspect debug 和 pkcs11_listcerts debug 都会返回错误。
命令:
[MYDOMAIN\administrator@Client1 ~]$ pkcs11-tool --module=/usr/local/lib/libgtop11dotnet.so -l -O
Using slot 0 with a present token (0x0)
Logging in to ".NET #514CA4DC28D2DF4D".
Please enter User PIN:
Certificate Object; type = X.509 cert
label: a1b062f9-7bfd-af90-3d7e-61cfd2105a0a
ID: a1b062f97bfdaf903d7e61cfd2105a0a145fec47
Public Key Object; RSA 2048 bits
label: a1b062f9-7bfd-af90-3d7e-61cfd2105a0a
ID: a1b062f97bfdaf903d7e61cfd2105a0a145fec47
Usage: encrypt, verify
Private Key Object; RSA
label: a1b062f9-7bfd-af90-3d7e-61cfd2105a0a
ID: a1b062f97bfdaf903d7e61cfd2105a0a145fec47
Usage: decrypt, sign
[MYDOMAIN\administrator@Client1 ~]$ modutil -list -dbdir /etc/pki/nssdb
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. libgtop11dotnet
library name: /usr/local/lib/libgtop11dotnet.so
slots: 5 slots attached
status: loaded
slot: XIRING Teo 00 00
token: .NET #514CA4DC28D2DF4D
slot: empty
token:
slot: empty
token:
slot: empty
token:
slot: empty
token:
-----------------------------------------------------------
[MYDOMAIN\administrator@Client1 ~]$ opensc-tool -l
# Detected readers (pcsc)
Nr. Card Features Name
0 Yes XIRING Teo 00 00
[MYDOMAIN\administrator@Client1 ~]$ pcsc_scan
PC/SC device scanner
V 1.4.25 (c) 2001-2011, Ludovic Rousseau <[email protected]>
Compiled with PC/SC lite version: 1.8.8
Using reader plug'n play mechanism
Scanning present readers...
0: XIRING Teo 00 00
Tue Sep 25 07:18:18 2018
Reader 0: XIRING Teo 00 00
Card state: Card inserted, Shared Mode,
ATR: 3B 16 96 41 73 74 72 69 64
ATR: 3B 16 96 41 73 74 72 69 64
+ TS = 3B --> Direct Convention
+ T0 = 16, Y(1): 0001, K: 6 (historical bytes)
TA(1) = 96 --> Fi=512, Di=32, 16 cycles/ETU
250000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 312500 bits/s
+ Historical bytes: 41 73 74 72 69 64
Category indicator byte: 41 (proprietary format)
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 16 96 41 73 74 72 69 64
Gemalto .NET v2.0
[MYDOMAIN\administrator@Client1 ~]$ opensc-tool -n
Using reader with a card: XIRING Teo 00 00
Unsupported card
[MYDOMAIN\administrator@Client1 ~]$ pkcs11_listcerts debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ... NSS Complete
DEBUG:pkcs11_listcerts.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:235: Looking up module in list
DEBUG:pkcs11_lib.c:238: modList = 0x21a49c0 next = 0x21bf3c0
DEBUG:pkcs11_lib.c:239: dllName= <null>
DEBUG:pkcs11_lib.c:238: modList = 0x21bf3c0 next = 0x0
DEBUG:pkcs11_lib.c:239: dllName= libgtop11dotnet.so
DEBUG:pkcs11_listcerts.c:77: initialising pkcs #11 module...
DEBUG:pkcs11_listcerts.c:94: no token available
提前致谢。