[Freeipa-users] FreeIPA smart card how to

Sumit Bose sbose at redhat.com
Tue Feb 2 21:38:07 UTC 2016


On Tue, Feb 02, 2016 at 01:42:35PM -0600, Michael Rainey (Contractor) wrote:
> Okay.  I haven't been able to get around this issue. I can log in using my
> username, my card is recognized by GDM and reads the card as expected, but I
> am unable to login using my smartcard.  From what I can see in the logs the
> common name on my card doesn't match the username on my test account.
> 
> Feb  2 13:00:05 cabildo gdm-smartcard]: pam_krb5[5152]: error resolving user
> name '<SC-CommonName>' to uid/gid pair
> Feb  2 13:00:05 cabildo gdm-smartcard]: pam_krb5[5152]: error getting
> information about '<SC-CommonName>
> Feb  2 13:00:06 cabildo gdm-smartcard]: pam_unix(gdm-smartcard:account):
> could not identify user (from getpwnam(<SC-CommonName>))
> Feb  2 13:00:06 cabildo gdm-smartcard]: pam_sss(gdm-smartcard:account):
> Access denied for user <SC-CommonName>: 10 (User not known to the underlying
> authentication module)
> Feb  2 13:00:06 cabildo gdm-smartcard]: pam_krb5[5152]: error resolving user
> name '<SC-CommonName>' to uid/gid pair
> Feb  2 13:00:13 cabildo gdm-smartcard]: pam_pkcs11(gdm-smartcard:auth):
> pam_get_pwd() failed: Conversation error

Your pam configuration is wrong. I assume you used authconfig with the
--enablesmartcard option. This will enable the "classical" Smartcard
authentication scheme with pam_pkcs11 and pam_krb which out of the box
won't work with FreeIPA.

Please try to roll-back to a default PAM configuration with the
--disablesmartcard option. After that gdm will hopefully use
gdm-password instead of gdm-smartcard and let SSSD do the rest.

HTH

bye,
Sumit

> 
> Where do I go from here?
> 
> *Michael Rainey*
> NRL 7320
> Computer Support Group
> Building 1009, Room C156
> Stennis Space Center, MS 39529
> On 02/02/2016 09:56 AM, Martin Kosek wrote:
> >On 02/02/2016 04:49 PM, Michael Rainey (Contractor) wrote:
> >>Greetings FreeIPA Community,
> >>
> >>I have been testing and working with the smart card login feature of the IPA
> >>server, and have had some successes with this project. However, my latest
> >>server/client setup isn't working as expected.  I can see where the problem is
> >>occurring, which is the Common Name on the Card is not being mapped to the
> >>proper attribute on the IPA server. So here's my question: Is there a howto
> >>which explains how and where this mapping occurs?  Is this something I can
> >>configure myself, or is it hard coded?
> >At the moment, the Smart Card support present in SSSD looks up the user by
> >searching with a blob containing the whole SC certificate. This BTW means that
> >the certificate needs to be present in the user entry in FreeIPA to make sure it
> >matches, no other mapping mechanism is available yet. We have some plans though:
> >
> >http://www.freeipa.org/page/V4/User_Certificates#Certificate_Identity_Mapping
> >
> >If you are interested in HOWTOs, Nathan Kinder put together pretty neat blog
> >posts on how to make Smart Card authentication work:
> >
> >http://www.freeipa.org/page/V4/User_Certificates#References
> >
> >HTH,
> >Martin
> 


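An added check, not from the thread, FreeIPA or SSSD, that turns the two diagnostics above into a script: it classifies whether a PAM stack still loads the pam_pkcs11 scheme Sumit describes, and triages syslog lines for the pam_krb5/pam_pkcs11 signature in Michael's log. The sample stacks and log lines are constructed; the /etc/pam.d/smartcard-auth and /var/log/secure paths in the closing comment are assumptions about a RHEL-style host.

```shell
#!/bin/sh
# Added example (not from the thread): classify a PAM stack and triage
# gdm-smartcard log lines for the pam_pkcs11/pam_krb5 symptom described above.

# Constructed samples, modelled on what authconfig --enablesmartcard leaves
# behind (legacy stack) and on an SSSD-handled stack. Not copied from a real host.
PAM_LEGACY_STACK='auth        [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card
auth        required      pam_deny.so
account     required      pam_unix.so
account     required      pam_krb5.so'

PAM_SSSD_STACK='auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_sss.so'

# Read a PAM stack from stdin (or from the files given as arguments) and print
# one word: "legacy" if pam_pkcs11 is still loaded, "sssd" if pam_sss handles
# the auth phase, "none" otherwise. Comment lines are skipped.
classify_pam_stack() {
  awk '$1 ~ /^#/ { next }
       /pam_pkcs11\.so/ { legacy = 1 }
       $1 == "auth" && /pam_sss\.so/ { sss = 1 }
       END { print (legacy ? "legacy" : (sss ? "sssd" : "none")) }' "$@"
}

# Constructed log lines in the shape of the ones quoted in the thread.
sample_log() {
  cat <<'EOF'
Feb  2 13:00:05 cabildo gdm-smartcard]: pam_krb5[5152]: error resolving user name '<SC-CommonName>' to uid/gid pair
Feb  2 13:00:06 cabildo gdm-smartcard]: pam_sss(gdm-smartcard:account): Access denied for user <SC-CommonName>: 10 (User not known to the underlying authentication module)
Feb  2 13:00:13 cabildo gdm-smartcard]: pam_pkcs11(gdm-smartcard:auth): pam_get_pwd() failed: Conversation error
EOF
}

# Triage syslog lines (stdin or files): pam_pkcs11/pam_krb5 under the
# gdm-smartcard service is the legacy-stack signature; a bare pam_sss
# "User not known" means SSSD never matched the card's certificate to a user.
diagnose_log() {
  awk '/gdm-smartcard\]/ && /pam_pkcs11|pam_krb5/ { legacy++ }
       /pam_sss\([^)]*:account\): Access denied/ && /User not known/ { unknown++ }
       END {
         if (legacy) print "legacy-smartcard-stack";
         else if (unknown) print "user-unknown-to-sssd";
         else print "no-known-signature"
       }' "$@"
}

# Typical run: roll back with "authconfig --disablesmartcard --update" (the
# option named in the reply), then confirm both checks come back clean
# (paths are assumptions for a RHEL-style host):
#   classify_pam_stack /etc/pam.d/smartcard-auth   # expect "none" or "sssd"
#   diagnose_log /var/log/secure                   # expect "no-known-signature"
```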