Настройка 2ФА на рабочих станциях РедОС 7.3.2 в домене Windows

Здравствуйте!
Использую РуТокен lite. Клиентская машине РедОС 7.3.2, сервер Active Directory MS.
Настраивал все согласно инструкциям https://dev.rutoken.ru/pages/viewpage.a … =72450654, https://dev.rutoken.ru/pages/viewpage.a … =57149225.
При попытке аутентификации в домене после запроса пин-кода sssd завершает работу с ошибкой 7 "Сбой при проверке подлинности".
Согласно логам, p11_child обнаруживает Рутокен и записанные на нём сертификаты.
Ошибка возникает в krb5_child.
Попытка отключить предварительную проверку подлинности kerberos к решению проблемы не привела.
Прилагаю конфигурационные файлы и логи sssd.

krb5.conf
# Snippets from /etc/krb5.conf.d/ are merged into this configuration. A key that
# is set both here and in a snippet is resolved by the profile library, and which
# copy wins is a parser detail, so keep every key defined exactly once and check
# that directory when a setting does not behave as written below.
includedir /etc/krb5.conf.d/

[logging]
# Log destinations for the Kerberos libraries and, should they ever run on this
# host, the KDC and kadmind. Only "default" is relevant on a workstation.
admin_server = FILE:/var/log/kadmind.log
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log

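[libdefaults]
    # NOTE: in the krb5 profile format "#" and ";" open a comment only at the
    # start of a line, so the trailing comments that used to follow
    # dns_lookup_realm / dns_lookup_kdc were part of the values. Each key is
    # also listed once now (default_realm and canonicalize were duplicated).
    default_realm = DC.TEST
    # The realm for this host is taken from [domain_realm], not from DNS; the
    # KDC itself is still discovered through DNS SRV records.
    dns_lookup_realm = false
    dns_lookup_kdc = true
    rdns = false
    canonicalize = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}
    spake_preauth_groups = edwards25519

    # PKINIT against the Windows domain controller.
    pkinit_kdc_hostname = WIN-QIUURAQ5IN8.dc.test
    # "kpServerAuth" accepts a KDC certificate that carries the serverAuth EKU
    # (typical for Windows DC certificates) instead of the PKINIT-KDC EKU.
    # "none" would skip the EKU check entirely, which weakens KDC
    # authentication and is not recommended.
    pkinit_eku_checking = kpServerAuth
    # Trust anchors used to validate the KDC certificate; this bundle must
    # contain the CA that issued the DC's certificate.
    pkinit_anchors = FILE:/etc/sssd/pki/sssd_auth_ca_db.pem
    # A bare path is read as a FILE: identity and cannot load a PKCS#11 module;
    # the PKCS11: form matches the identity krb5_child builds from the same
    # module (see krb5_child.log). SSSD constructs its own identity, so this
    # value only affects direct kinit use.
    pkinit_identities = PKCS11:module_name=/usr/lib64/librtpkcs11ecp.so

    # Encryption types, strongest first. Single-DES was dropped: it is only
    # usable with allow_weak_crypto = true (off by default) and was removed from
    # MIT krb5 1.18, so listing it had no effect. RC4-HMAC and DES3 are
    # deprecated; remove them once the DC accounts are confirmed to use AES.
    # NOTE(review): preferred_enctypes is not a documented MIT [libdefaults]
    # key and is probably ignored; permitted_enctypes is the documented way to
    # restrict accepted enctypes — verify against the installed krb5 version.
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES3-CBC-SHA1
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES3-CBC-SHA1
    preferred_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES3-CBC-SHA1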

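[realms]
# NOTE: "#" starts a comment only at the beginning of a line in the krb5
# profile format, so the original trailing comments were part of the kdc,
# admin_server and default_domain values. This probably went unnoticed because
# dns_lookup_kdc is on and SSSD passes the KDC it discovered via ad_server to
# libkrb5 itself; the values are now clean regardless.
DC.TEST = {
    # Primary Domain Controller
    kdc = WIN-QIUURAQ5IN8.dc.test
    admin_server = WIN-QIUURAQ5IN8.dc.test
    # DNS domain name of the realm
    default_domain = dc.test
}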

[domain_realm]
# Map the AD DNS domain, and every host beneath it, to the Kerberos realm.
dc.test = DC.TEST
.dc.test = DC.TEST


sssd.conf
[sssd]
# Configuration format version; must remain 2.
config_file_version = 2
# Responders to start; the pam responder performs the certificate login
# configured in [pam] below.
services = nss, pam
domains = dc.test
# 10 is the most verbose level and was set for troubleshooting; lower it
# once the login works, the logs grow quickly and contain user details.
debug_level = 10

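[domain/dc.test]
id_provider = ad
access_provider = ad
ad_domain = dc.test
ad_server = WIN-QIUURAQ5IN8.dc.test
krb5_realm = DC.TEST
realmd_tags = manages-system joined-with-samba
case_sensitive = false
ldap_id_mapping = true
default_shell = /bin/bash

# Home directory template for domain users
fallback_homedir = /home/%u@%d

# Short user names at login (admin instead of admin@dc.test)
use_fully_qualified_names = false

# Cache credentials so login still works while the domain is unreachable.
# With krb5_store_password_if_offline the backend additionally keeps the
# password in memory to obtain a TGT once the domain is back. Both widen what a
# compromise of the sssd process exposes; keep them only if offline login is
# actually required.
cache_credentials = true
krb5_store_password_if_offline = true

# access_provider = ad normally also enforces GPO logon rights (allow/deny
# log on locally etc.). "disabled" switches that enforcement off, so only the
# account state (disabled/expired) is checked at login.
ad_gpo_access_control = disabled

# Alternative: access list by user or group name instead of AD access control.
#access_provider = simple
#simple_allow_users = user1@example.com, user2@example.com
#simple_allow_groups = group@example.com

# Enumerating every domain entry (id, getent) can take a long time; keep off.
enumerate = false

# Can speed up logins in domains with many users, groups and nested OUs: when
# true, group membership is not fetched from LDAP and is not processed in
# group lookups, so group-based access rules will not see members.
# ignore_group_members = true

# Chasing LDAP referrals hurts performance in environments that use them
# heavily; true is not recommended for large infrastructures.
ldap_referrals = false

# Dynamic DNS updates of this host's records. If the sssd status shows
# "TSIG error with server: tsig verify failure", set dyndns_update = false.
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600

# Kerberos ticket handling.
# NOTE: sssd.conf has no inline comments — the "# ..." text that used to
# trail these lines became part of the value, as krb5_child.log shows
# ("Lifetime is set to [24h # ...]"). Comments now sit on their own lines.
# Ticket lifetime; the ticket can be renewed repeatedly for up to
# krb5_renewable_lifetime.
krb5_lifetime = 24h
krb5_renewable_lifetime = 7d
# Interval at which the renewal task checks tickets; a ticket is renewed
# once about half of its lifetime has passed.
krb5_renew_interval = 60s
krb5_auth_timeout = 120

# NOTE(review): pkinit_kdc_hostname and pkinit_eku_checking do not appear to
# be sssd.conf options and were ignored in this section (run
# "sssctl config-check" to confirm); they are krb5.conf [libdefaults]
# settings and are already configured there. They were removed here so that
# the "none" value does not suggest EKU checking is off — krb5.conf still
# sets kpServerAuth.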

[nss]
# Seconds for which nss_sss caches enumerations (requests for all users).
# Default: 120
#entry_cache_timeout = 15
# Seconds for which the list of subdomains is considered valid. Default: 60
#get_domains_timeout = 10
# Maximum verbosity, for troubleshooting only.
debug_level = 10


[pam]
# Smartcard (certificate) authentication through the pam responder.
pam_cert_auth = true
# Seconds pam_sss waits for p11_child to finish reading the token.
p11_child_timeout = 120
# PAM services added (+) to the default list allowed to use certificate auth.
pam_p11_allowed_services = +cinnamon-screensaver, +mate-screensaver, +lightdm
# Maximum verbosity, for troubleshooting only.
debug_level = 10

# Optional mapping rule: match the certificate's NT principal to the AD
# account by userPrincipalName or sAMAccountName. Left disabled; krb5_child.log
# shows the user certificate on the token was already selected for PKINIT
# with the default matching rules.
#[certmap/dc.test/nt_principal]
#maprule = (|(userPrincipalName={subject_nt_principal})(samAccountName={subject_nt_principal.short_name}))


krb5_child.log
(2023-05-22 18:08:12): [krb5_child[11266]] [sss_krb5_get_init_creds_password] (0x0020): [RID#67] 1932: [-1765328174][Pre-authentication failed: Cannot read password]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [main] (0x0400): [RID#67] krb5_child started.
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [unpack_buffer] (0x1000): [RID#67] total buffer size: [328]
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [unpack_buffer] (0x0100): [RID#67] cmd [249 (pre-auth)] uid [374600500] gid [374600513] validate [true] enterprise principal [true] offline [false] UPN [admin@DC.TEST]
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [unpack_buffer] (0x0100): [RID#67] ccname: [FILE:/tmp/krb5cc_374600500] old_ccname: [FILE:/tmp/krb5cc_374600500] keytab: [not set]
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [check_keytab_name] (0x0400): [RID#67] Missing krb5_keytab option for domain, looking for default one
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [check_keytab_name] (0x0400): [RID#67] krb5_kt_default_name() returned: FILE:/etc/krb5.keytab
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [check_keytab_name] (0x0400): [RID#67] krb5_child will default to: /etc/krb5.keytab
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [check_use_fast] (0x0100): [RID#67] Not using FAST.
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [switch_creds] (0x0200): [RID#67] Switch user to [0][0].
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [switch_creds] (0x0200): [RID#67] Already user [0].
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [main] (0x2000): [RID#67] Running as [0][0].
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [set_lifetime_options] (0x0100): [RID#67] Renewable lifetime is set to [7d # Самопродление тикета, значение определяет максимальное время жизни тикета]
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [set_lifetime_options] (0x0100): [RID#67] Lifetime is set to [24h # Срок действия билета истекает каждые 24ч и его можно непрерывно продлевать в течение 7 дней]
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [set_canonicalize_option] (0x0100): [RID#67] Canonicalization is set to [true]
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [main] (0x0400): [RID#67] Will perform pre-auth
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [tgt_req_child] (0x1000): [RID#67] Attempting to get a TGT
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [get_and_save_tgt] (0x4000): [RID#67] Found Smartcard credentials, trying pkinit.
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [get_pkinit_identity] (0x4000): [RID#67] Got [RuToken][/usr/lib64/librtpkcs11ecp.so].
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [get_pkinit_identity] (0x4000): [RID#67] Using pkinit identity [PKCS11:module_name=/usr/lib64/librtpkcs11ecp.so:token=RuToken:certid=74652D5275546F6B656E2D37393232653939632D636566392D346135652D613539372D3433316362336161353638395F45:certlabel=te-RuToken-7922e99c-cef9-4a5e-a597-431cb3aa5689_E].
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [get_and_save_tgt] (0x0400): [RID#67] Attempting kinit for realm [DC.TEST]
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [sss_krb5_responder] (0x4000): [RID#67] Got question [pkinit].
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [answer_pkinit] (0x4000): [RID#67] [0] Identity [PKCS11:module_name=/usr/lib64/librtpkcs11ecp.so:slotid=1:token=RuToken] flags [0].
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [answer_pkinit] (0x4000): [RID#67] Setting pkinit_prompting.
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [sss_krb5_prompter] (0x4000): [RID#67] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [sss_krb5_prompter] (0x4000): [RID#67] Prompt [0][RuToken                          PIN].
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [sss_krb5_prompter] (0x0200): [RID#67] Prompter interface isn't used for password prompts by SSSD.
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [sss_krb5_prompter] (0x4000): [RID#67] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [sss_krb5_prompter] (0x4000): [RID#67] Prompt [0][Password for admin\@DC.TEST@DC.TEST].
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [sss_krb5_prompter] (0x0200): [RID#67] Prompter interface isn't used for password prompts by SSSD.
   *  (2023-05-22 18:08:12): [krb5_child[11266]] [sss_krb5_get_init_creds_password] (0x0020): [RID#67] 1932: [-1765328174][Pre-authentication failed: Cannot read password]
********************** BACKTRACE DUMP ENDS HERE *********************************

(2023-05-22 18:08:15): [krb5_child[11269]] [sss_krb5_get_init_creds_password] (0x0020): [RID#68] 1932: [-1765328174][Pre-authentication failed: Preauthentication failed]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [main] (0x0400): [RID#68] krb5_child started.
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [unpack_buffer] (0x1000): [RID#68] total buffer size: [336]
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [unpack_buffer] (0x0100): [RID#68] cmd [241 (auth)] uid [374600500] gid [374600513] validate [true] enterprise principal [true] offline [false] UPN [admin@DC.TEST]
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [unpack_buffer] (0x0100): [RID#68] ccname: [FILE:/tmp/krb5cc_374600500] old_ccname: [FILE:/tmp/krb5cc_374600500] keytab: [not set]
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [check_keytab_name] (0x0400): [RID#68] Missing krb5_keytab option for domain, looking for default one
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [check_keytab_name] (0x0400): [RID#68] krb5_kt_default_name() returned: FILE:/etc/krb5.keytab
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [check_keytab_name] (0x0400): [RID#68] krb5_child will default to: /etc/krb5.keytab
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [check_use_fast] (0x0100): [RID#68] Not using FAST.
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [switch_creds] (0x0200): [RID#68] Switch user to [374600500][374600513].
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [switch_creds] (0x0200): [RID#68] Switch user to [0][0].
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [k5c_check_old_ccache] (0x4000): [RID#68] Ccache_file is [FILE:/tmp/krb5cc_374600500] and is not active and TGT is  valid.
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [k5c_precreate_ccache] (0x4000): [RID#68] Recreating ccache
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [switch_creds] (0x0200): [RID#68] Switch user to [0][0].
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [switch_creds] (0x0200): [RID#68] Already user [0].
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [main] (0x2000): [RID#68] Running as [0][0].
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [set_lifetime_options] (0x0100): [RID#68] Renewable lifetime is set to [7d # Самопродление тикета, значение определяет максимальное время жизни тикета]
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [set_lifetime_options] (0x0100): [RID#68] Lifetime is set to [24h # Срок действия билета истекает каждые 24ч и его можно непрерывно продлевать в течение 7 дней]
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [set_canonicalize_option] (0x0100): [RID#68] Canonicalization is set to [true]
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [main] (0x0400): [RID#68] Will perform auth
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [main] (0x0400): [RID#68] Will perform online auth
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [tgt_req_child] (0x1000): [RID#68] Attempting to get a TGT
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [get_and_save_tgt] (0x4000): [RID#68] Found Smartcard credentials, trying pkinit.
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [get_pkinit_identity] (0x4000): [RID#68] Got [RuToken][/usr/lib64/librtpkcs11ecp.so].
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [get_pkinit_identity] (0x4000): [RID#68] Using pkinit identity [PKCS11:module_name=/usr/lib64/librtpkcs11ecp.so:token=RuToken:certid=74652D5275546F6B656E2D37393232653939632D636566392D346135652D613539372D3433316362336161353638395F45:certlabel=te-RuToken-7922e99c-cef9-4a5e-a597-431cb3aa5689_E].
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [get_and_save_tgt] (0x0400): [RID#68] Attempting kinit for realm [DC.TEST]
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [sss_krb5_responder] (0x4000): [RID#68] Got question [pkinit].
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [answer_pkinit] (0x4000): [RID#68] [0] Identity [PKCS11:module_name=/usr/lib64/librtpkcs11ecp.so:slotid=1:token=RuToken] flags [0].
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [answer_pkinit] (0x4000): [RID#68] Setting pkinit_prompting.
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [pkinit_identity_matches] (0x4000): [RID#68] Found [module_name=/usr/lib64/librtpkcs11ecp.so] in identity [PKCS11:module_name=/usr/lib64/librtpkcs11ecp.so:slotid=1:token=RuToken].
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [pkinit_identity_matches] (0x4000): [RID#68] Found [token=RuToken] in identity [PKCS11:module_name=/usr/lib64/librtpkcs11ecp.so:slotid=1:token=RuToken].
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [sss_krb5_prompter] (0x4000): [RID#68] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [sss_krb5_prompter] (0x4000): [RID#68] Prompt [0][Password for admin\@DC.TEST@DC.TEST].
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [sss_krb5_prompter] (0x0200): [RID#68] Prompter interface isn't used for password prompts by SSSD.
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [sss_krb5_get_init_creds_password] (0x0020): [RID#68] 1932: [-1765328174][Pre-authentication failed: Preauthentication failed]
********************** BACKTRACE DUMP ENDS HERE *********************************

(2023-05-22 18:08:15): [krb5_child[11269]] [get_and_save_tgt] (0x0020): [RID#68] 2009: [-1765328174][Pre-authentication failed: Preauthentication failed]
(2023-05-22 18:08:15): [krb5_child[11269]] [map_krb5_error] (0x0020): [RID#68] 2138: [-1765328174][Pre-authentication failed: Preauthentication failed]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [get_and_save_tgt] (0x0020): [RID#68] 2009: [-1765328174][Pre-authentication failed: Preauthentication failed]
   *  (2023-05-22 18:08:15): [krb5_child[11269]] [map_krb5_error] (0x0020): [RID#68] 2138: [-1765328174][Pre-authentication failed: Preauthentication failed]
********************** BACKTRACE DUMP ENDS HERE *********************************


8:15): [pam] [pam_reply] (0x4000): [CID#12] pam_reply initially called with result [7]: Сбой при проверке подлинности. this result might be changed during processing
(2023-05-22 18:08:15): [pam] [ldb] (0x10000): [CID#12] Added timed event "ldb_kv_callback": 0x55cd735280d0

(2023-05-22 18:08:15): [pam] [ldb] (0x10000): [CID#12] Added timed event "ldb_kv_timeout": 0x55cd734ef5d0

(2023-05-22 18:08:15): [pam] [ldb] (0x10000): [CID#12] Running timer event 0x55cd735280d0 "ldb_kv_callback"

(2023-05-22 18:08:15): [pam] [ldb] (0x10000): [CID#12] Destroying timer event 0x55cd734ef5d0 "ldb_kv_timeout"

(2023-05-22 18:08:15): [pam] [ldb] (0x10000): [CID#12] Destroying timer event 0x55cd735280d0 "ldb_kv_callback"

(2023-05-22 18:08:15): [pam] [pam_reply] (0x0200): [CID#12] blen: 24
(2023-05-22 18:08:15): [pam] [pam_reply] (0x0200): [CID#12] Returning [7]: Сбой при проверке подлинности to the client
(2023-05-22 18:08:15): [pam] [client_recv] (0x0200): [CID#12] Client disconnected!
(2023-05-22 18:08:15): [pam] [client_close_fn] (0x2000): [CID#12] Terminated client [0x55cd734fe1d0][24]
(2023-05-22 18:08:17): [pam] [pam_initgr_cache_remove] (0x2000): [CID#12] [admin] removed from PAM initgroup cache


p11_child.log
(2023-05-22 18:08:11): [p11_child[11263]] [main] (0x0400): [CID#12] p11_child started.
(2023-05-22 18:08:11): [p11_child[11263]] [main] (0x2000): [CID#12] Running in [pre-auth] mode.
(2023-05-22 18:08:11): [p11_child[11263]] [main] (0x2000): [CID#12] Running with effective IDs: [0][0].
(2023-05-22 18:08:11): [p11_child[11263]] [main] (0x2000): [CID#12] Running with real IDs [0][0].
(2023-05-22 18:08:12): [p11_child[11263]] [do_card] (0x4000): [CID#12] Module List:
(2023-05-22 18:08:12): [p11_child[11263]] [do_card] (0x4000): [CID#12] common name: [p11-kit-trust].
(2023-05-22 18:08:12): [p11_child[11263]] [do_card] (0x4000): [CID#12] dll name: [/usr/lib64/pkcs11/p11-kit-trust.so].
(2023-05-22 18:08:12): [p11_child[11263]] [do_card] (0x4000): [CID#12] Description [/etc/pki/ca-trust/source] Manufacturer [PKCS#11 Kit] flags [1] removable [false] token present [true].
(2023-05-22 18:08:12): [p11_child[11263]] [do_card] (0x4000): [CID#12] Description [/usr/share/pki/ca-trust-source] Manufacturer [PKCS#11 Kit] flags [1] removable [false] token present [true].
(2023-05-22 18:08:12): [p11_child[11263]] [do_card] (0x4000): [CID#12] common name: [jcPKCS11].
(2023-05-22 18:08:12): [p11_child[11263]] [do_card] (0x4000): [CID#12] dll name: [/usr/lib64/librtpkcs11ecp.so].
(2023-05-22 18:08:12): [p11_child[11263]] [do_card] (0x4000): [CID#12] Description [SafeNet eToken 5100 [Main Interface] 00 00] Manufacturer [] flags [6] removable [true] token present [false].
(2023-05-22 18:08:12): [p11_child[11263]] [do_card] (0x4000): [CID#12] Description [Aktiv Rutoken lite 01 00] Manufacturer [] flags [7] removable [true] token present [true].
(2023-05-22 18:08:12): [p11_child[11263]] [do_card] (0x4000): [CID#12] Token label [RuToken].
(2023-05-22 18:08:12): [p11_child[11263]] [do_card] (0x4000): [CID#12] Found [RuToken] in slot [Aktiv Rutoken lite 01 00][1] of module [1][/usr/lib64/librtpkcs11ecp.so].
(2023-05-22 18:08:12): [p11_child[11263]] [do_card] (0x4000): [CID#12] Login NOT required.
(2023-05-22 18:08:12): [p11_child[11263]] [read_certs] (0x4000): [CID#12] found cert[{EE76FDC1-C248-4318-B831-DE726CAF1A0D}][/DC=test/DC=dc/CN=dc-WIN-QIUURAQ5IN8-CA]
(2023-05-22 18:08:12): [p11_child[11263]] [do_ocsp] (0x0020): [CID#12] No OCSP URL in certificate and no default responder defined, skipping OCSP check.
(2023-05-22 18:08:12): [p11_child[11263]] [read_certs] (0x4000): [CID#12] found cert[te-RuToken-7922e99c-cef9-4a5e-a597-431cb3aa5689_E][/DC=test/DC=dc/CN=Users/CN=admin]
(2023-05-22 18:08:12): [p11_child[11263]] [do_ocsp] (0x0020): [CID#12] No OCSP URL in certificate and no default responder defined, skipping OCSP check.
(2023-05-22 18:08:12): [p11_child[11263]] [do_card] (0x4000): [CID#12] (null) /usr/lib64/librtpkcs11ecp.so (null) RuToken (null) - no label given- 74652D5275546F6B656E2D37393232653939632D636566392D346135652D613539372D3433316362336161353638395F45.
(2023-05-22 18:08:12): [p11_child[11263]] [do_card] (0x4000): [CID#12] uri: pkcs11:library-description=Rutoken%20ECP%20PKCS%20%2311%20library;library-manufacturer=Aktiv%20Co.;library-version=2.7;slot-description=Aktiv%20Rutoken%20lite%2001%2000;slot-manufacturer=;slot-id=1;model=Rutoken%20lite;manufacturer=Aktiv%20Co.;serial=41937396;token=RuToken;id=%74%65%2D%52%75%54%6F%6B%65%6E%2D%37%39%32%32%65%39%39%63%2D%63%65%66%39%2D%34%61%35%65%2D%61%35%39%37%2D%34%33%31%63%62%33%61%61%35%36%38%39%5F%45;object=te-RuToken-7922e99c-cef9-4a5e-a597-431cb3aa5689_E;type=cert.
(2023-05-22 18:08:12): [p11_child[11263]] [do_card] (0x4000): [CID#12] (null) /usr/lib64/librtpkcs11ecp.so (null) RuToken (null) - no label given- 7B42454642373841412D383941372D344332352D413938432D4643434238344334333636387D.
(2023-05-22 18:08:12): [p11_child[11263]] [do_card] (0x4000): [CID#12] uri: pkcs11:library-description=Rutoken%20ECP%20PKCS%20%2311%20library;library-manufacturer=Aktiv%20Co.;library-version=2.7;slot-description=Aktiv%20Rutoken%20lite%2001%2000;slot-manufacturer=;slot-id=1;model=Rutoken%20lite;manufacturer=Aktiv%20Co.;serial=41937396;token=RuToken;id=%7B%42%45%46%42%37%38%41%41%2D%38%39%41%37%2D%34%43%32%35%2D%41%39%38%43%2D%46%43%43%42%38%34%43%34%33%36%36%38%7D;object=%7BEE76FDC1-C248-4318-B831-DE726CAF1A0D%7D;type=cert.
(2023-05-22 18:08:12): [p11_child[11263]] [do_card] (0x4000): [CID#12] Found certificate has key id [74652D5275546F6B656E2D37393232653939632D636566392D346135652D613539372D3433316362336161353638395F45].
(2023-05-22 18:08:12): [p11_child[11263]] [do_card] (0x4000): [CID#12] Found certificate has key id [7B42454642373841412D383941372D344332352D413938432D4643434238344334333636387D].

Re: Настройка 2ФА на рабочих станциях РедОС 7.3.2 в домене Windows

savel_97, добрый день.
Есть возможность проверить работу на Рутокен ЭЦП?
Рутокен Лайт не полностью поддерживается библиотекой rtpkcs11ecp, с помощью которой работает 2фа в Linux.
Полная инструкция по настройке Рутокен ЭЦП в RedOS доступна по ссылке https://dev.rutoken.ru/pages/viewpage.a … =124125237

(2023-05-23 12:22:24 отредактировано savel_97)

Re: Настройка 2ФА на рабочих станциях РедОС 7.3.2 в домене Windows

К сожалению, нет возможности проверить РуТокен ЭЦП, так как в наличии есть только РуТокен lite. Необходимо иметь именно РуТокен ЭЦП для 2ФА? РедОС я использовал как тест, ещё буду пытаться настроить 2ФА на Альт ОС и Astra Linux.

Re: Настройка 2ФА на рабочих станциях РедОС 7.3.2 в домене Windows

savel_97, Рутокен Лайт не подойдет для 2фа в любом Linux.
Необходимо использовать Рутокены ЭЦП 2.0/3.0

Re: Настройка 2ФА на рабочих станциях РедОС 7.3.2 в домене Windows

Понял, благодарю

Re: Настройка 2ФА на рабочих станциях РедОС 7.3.2 в домене Windows

Подскажите пожалуйста, используя Рутокен S, возможно ли настроить 2ФА на линукс системах в домене Windows?

Re: Настройка 2ФА на рабочих станциях РедОС 7.3.2 в домене Windows

savel_97, добрый день.
Нет, для подобной интеграции необходимы устройства семейства Рутокен ЭЦП.

Re: Настройка 2ФА на рабочих станциях РедОС 7.3.2 в домене Windows

savel_97, добрый день, столкнулся с такой же проблемой, только при использовании токенов Jacarta. Подскажите, пожалуйста, смогли ли Вы решить проблему?
Есть некоторые предположения на этот счёт, перекопал кучу зарубежных форумов, но решения пока нет.
В логе /var/log/sssd/sssd_pam.log видно, что демон читает токен, видит отпечаток сертификата, но, видимо, он его не устраивает: "Cert found [CERT] doesn't match matching rules and is ignored".
Далее говорится, что, так как try_cert_auth (флаг sssd) установлен, а подходящего сертификата нет, запрос завершается. Скорее всего, поэтому в логе p11_child написано "Login NOT required", а в логе krb5_child — ошибка "Prompter interface isn't used for password prompts by SSSD".
Я сертификаты для KDC и для пользователя в домене SAMBA выпускал через OPENSSL.
Открыт к обсуждению вопроса и совместному поиску решения.

Re: Настройка 2ФА на рабочих станциях РедОС 7.3.2 в домене Windows

Здравствуйте, marat.israfilov,
По носителю Jacarta вам необходимо обращаться в техническую поддержку компании "Аладдин Р.Д.".