[Freeipa-users] Migrating NIS host to freeIPA host with smart card
Sumit Bose
sbose at redhat.com
Wed Feb 10 12:35:17 UTC 2016
On Tue, Feb 09, 2016 at 04:54:55PM -0600, Michael Rainey (Contractor) wrote:
> Greetings,
>
> I have a question about migrating a system from NIS to freeIPA. In my
> efforts of setting up a host on freeIPA I would normally use a fresh install
> to setup the system. I'm now at a point where I'm moving existing systems
> from an NIS domain to a freeIPA domain. Is it recommended to perform a
> clean install for every new host added to the domain?
>
> During my testing, I have found running the ipa-client-install command does
> a great job of adding the host to the domain, but when I try to use the
> smart card it is never recognized by gdm. I tried tweaking some of the
> configurations to get GDM to recognize the card with no luck. Is there a
> checklist available that I could follow to make sure everything is
> configured properly? All configurations work when using a username and
> password.

All you have to do after running ipa-client-install is to add
'pam_cert_auth = True' to the [pam] section of sssd.conf. This is not
enabled by default since checking the Smartcard in the reader takes some
time and will slow down authentication.

If now a user tries to log in who has his certificates stored in the
user entry on the IPA server and a Smartcard with a certificate in the
reader, gdm will not ask for a password but for the Smartcard PIN.

HTH

bye,
Sumit

> --
> *Michael Rainey*
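
The sssd.conf change described in the reply above, as an added example that is not part of the original thread: a shell sketch that checks whether `pam_cert_auth` is enabled in `[pam]` and sets it without duplicating the option. The function names and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names are hypothetical.

# Return 0 if the [pam] section of the given sssd.conf sets pam_cert_auth to true.
pam_cert_auth_enabled() {
    awk '
        /^[ \t]*\[/ { in_pam = ($0 ~ /^[ \t]*\[pam\][ \t]*$/); next }
        in_pam && /^[ \t]*pam_cert_auth[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            ok = (tolower(v) == "true")
        }
        END { exit !ok }
    ' "$1"
}

# Set pam_cert_auth = True in [pam], creating the section if it is missing.
# Safe to run repeatedly: any old value inside [pam] is replaced, not duplicated.
enable_pam_cert_auth() {
    conf=$1
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    chmod 600 "$tmp"   # keep the rewritten file readable by its owner only
    awk '
        /^[ \t]*\[/ {
            in_pam = ($0 ~ /^[ \t]*\[pam\][ \t]*$/)
            print
            if (in_pam && !done) { print "pam_cert_auth = True"; done = 1 }
            next
        }
        in_pam && /^[ \t]*pam_cert_auth[ \t]*=/ { next }  # superseded by the line above
        { print }
        END { if (!done) { print ""; print "[pam]"; print "pam_cert_auth = True" } }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf" || { rm -f "$tmp"; return 1; }
}

# Constructed sample config (not a real host's file) to show the edit.
demo=$(mktemp)
printf '%s\n' '[sssd]' 'services = nss, pam' '' '[pam]' '' \
    '[domain/example.test]' 'id_provider = ipa' > "$demo"
enable_pam_cert_auth "$demo" && pam_cert_auth_enabled "$demo" && cat "$demo"
rm -f "$demo"
```

On a real client the file is /etc/sssd/sssd.conf, and sssd has to be restarted before the new setting takes effect.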