[Freeipa-users] FreeIPA smart card how to

Michael Rainey (Contractor) michael.rainey.ctr at nrlssc.navy.mil
Tue Feb 2 19:42:35 UTC 2016


Okay.  I haven't been able to get around this issue. I can log in using my 
username, my card is recognized by GDM and reads the card as expected, 
but I am unable to log in using my smartcard.  From what I can see in the 
logs, the common name on my card doesn't match the username on my test 
account.

Feb  2 13:00:05 cabildo gdm-smartcard]: pam_krb5[5152]: error resolving 
user name '<SC-CommonName>' to uid/gid pair
Feb  2 13:00:05 cabildo gdm-smartcard]: pam_krb5[5152]: error getting 
information about '<SC-CommonName>
Feb  2 13:00:06 cabildo gdm-smartcard]: pam_unix(gdm-smartcard:account): 
could not identify user (from getpwnam(<SC-CommonName>))
Feb  2 13:00:06 cabildo gdm-smartcard]: pam_sss(gdm-smartcard:account): 
Access denied for user <SC-CommonName>: 10 (User not known to the 
underlying authentication module)
Feb  2 13:00:06 cabildo gdm-smartcard]: pam_krb5[5152]: error resolving 
user name '<SC-CommonName>' to uid/gid pair
Feb  2 13:00:13 cabildo gdm-smartcard]: pam_pkcs11(gdm-smartcard:auth): 
pam_get_pwd() failed: Conversation error

Where do I go from here?

*Michael Rainey*
NRL 7320
Computer Support Group
Building 1009, Room C156
Stennis Space Center, MS 39529

On 02/02/2016 09:56 AM, Martin Kosek wrote:
> On 02/02/2016 04:49 PM, Michael Rainey (Contractor) wrote:
>> Greetings FreeIPA Community,
>>
>> I have been testing and working with the smart card login feature of the IPA
>> server, and have had some successes with this project. However, my latest
>> server/client setup isn't working as expected.  I can see where the problem is
>> occurring, which is the Common Name on the Card is not being mapped to the
>> proper attribute on the IPA server. So here's my question: Is there a howto
>> which explains how and where this mapping occurs?  Is this something I can
>> configure myself, or is it hard coded?
> At the moment, the Smart Card support present in SSSD looks up the user by
> searching with a blob containing the whole SC certificate. This BTW means that
> the certificate needs to be present at user entry in FreeIPA to make sure it
> matches, no other mapping mechanism is available yet. We have some plans though:
>
> http://www.freeipa.org/page/V4/User_Certificates#Certificate_Identity_Mapping
>
> If you are interested in HOWTOs, Nathan Kinder put together pretty neat blog
> posts on how to get Smart Card authentication working:
>
> http://www.freeipa.org/page/V4/User_Certificates#References
>
> HTH,
> Martin
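
The whole-certificate lookup described in the reply above, sketched as an added example (not part of the original thread and not SSSD's code). It assumes the attribute name userCertificate;binary and uses a constructed byte string in place of a real card certificate; the directory dict and uid "testuser" are hypothetical.

```python
import base64
import re

ATTR = "userCertificate;binary"  # assumed attribute holding the DER certificate

# Constructed stand-in for a card certificate: arbitrary bytes, not real X.509.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x0A]) + b"constructed-sample-not-a-real-cert"


def to_pem(der):
    """Wrap DER bytes in PEM armor with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def pem_to_der(pem):
    """Extract the DER bytes from a single PEM certificate block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def cert_filter(der, attr=ATTR):
    """Build an RFC 4515 equality filter with every byte escaped as \\xx."""
    return "(%s=%s)" % (attr, "".join("\\%02x" % b for b in der))


def find_user(directory, der):
    """Return the uid whose stored certificates contain an exact byte match."""
    for uid, certs in directory.items():
        if der in certs:
            return uid
    return None  # no entry holds this certificate, so no user is resolved


SAMPLE_PEM = to_pem(SAMPLE_DER)
# Hypothetical directory: uid -> list of DER certificates stored on the entry.
DIRECTORY = {"testuser": [SAMPLE_DER], "otheruser": []}

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print(cert_filter(der)[:60] + "...")
    print("with cert on entry:   ", find_user(DIRECTORY, der))
    print("without cert on entry:", find_user({"testuser": []}, der))
```

The match is byte for byte on the whole certificate, so the subject's common name plays no part in which entry is returned.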
