[Freeipa-users] Enabling smart card on GDM manually.

Sumit Bose sbose at redhat.com
Wed Feb 3 21:47:12 UTC 2016


On Wed, Feb 03, 2016 at 01:14:20PM -0600, Michael Rainey (Contractor) wrote:
> Please disregard this message.  I discovered the answer after the message
> was sent.
> 
> There is a locks file in /etc/dconf/db/distro.d/locks.  I edited the
> /etc/dconf/db/distro.d/10-authconfig and rebooted.  It is recognizing the
> smartcard now.

Don't switch on the Smartcard support in gdm, it will force gdm to use
pam_krb5 and pam_pkcs11. Just use the default configuration after
running ipa-client-install and add 'pam_cert_auth = True' to the [pam]
section of sssd.conf.

If now a user tries to login via gdm or the console and has a Smartcard
inserted which has a certificate which matches the one in the user entry
on the IPA server SSSD will not ask for a password but for the Smartcard
PIN.

HTH

bye,
Sumit

> 
> *Michael Rainey*
> NRL 7320
> Computer Support Group
> Building 1009, Room C156
> Stennis Space Center, MS 39529
> On 02/03/2016 12:52 PM, Michael Rainey (Contractor) wrote:
> >Hello,
> >
> >How does one manually enable smart card login on GDM without using the
> >authconfig command?  I've tried using gsettings and dconf-editor.  The
> >"enable-smartcard-authentication" seems to be locked at false.
> >
> >Sumit suggested to not use authconfig to enable smartcard login, because
> >it tweaks the pam configuration to the point that an IPA client is unable
> >to authenticate using the smartcard.
> >
> >Any suggestions?
> >-- 
> >*Michael Rainey*
> >NRL 7320
> >Computer Support Group
> >Building 1009, Room C156
> >Stennis Space Center, MS 39529
> >
> >
> 
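
The sssd.conf change described in the reply above (adding 'pam_cert_auth = True' to the [pam] section), as an added example that is not part of the original thread. The helper names `set_pam_cert_auth` and `write_sample` and the sample file contents are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). set_pam_cert_auth and write_sample
# are hypothetical helper names.

# Ensure "pam_cert_auth = True" is present exactly once in the [pam]
# section of an sssd.conf-style file; safe to run repeatedly.
set_pam_cert_auth() {
    conf=$1
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    awk '
        /^[ \t]*\[/ {                          # any section header
            in_pam = ($0 ~ /^[ \t]*\[pam\][ \t]*$/)
            print
            if (in_pam && !done) { print "pam_cert_auth = True"; done = 1 }
            next
        }
        # Drop an older value inside [pam]; the line above replaces it.
        in_pam && /^[ \t]*pam_cert_auth[ \t]*=/ { next }
        { print }
        END {                                  # no [pam] section at all
            if (!done) { print ""; print "[pam]"; print "pam_cert_auth = True" }
        }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Keep the file private to its owner, as SSSD expects for sssd.conf.
    chmod 600 "$tmp" && mv "$tmp" "$conf"
}

# Constructed sample in the layout of an IPA client sssd.conf.
write_sample() {
    cat > "$1" <<'EOF'
[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test

[sssd]
services = nss, pam, ssh
domains = example.test

[pam]
pam_cert_auth = False

[ssh]
EOF
}

# Real use, as root:
#   set_pam_cert_auth /etc/sssd/sssd.conf && systemctl restart sssd
```

Rewriting through a temporary file in the same directory means SSSD never sees a half-written configuration, and a second run leaves the file byte-for-byte unchanged.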
