[Freeipa-users] freeIPA 4.2: Smart Card Issues

Michael Rainey (Contractor) michael.rainey.ctr at nrlssc.navy.mil
Tue Jun 28 21:41:39 UTC 2016


Greetings,

Back in March I contacted the mailing list in regard to a problem I was 
having with smartcards and screen locking.  At that time I was provided 
a patch to implement to lock the screen when the smartcard was removed 
and it worked well.  Today it looks like the patch may have made its way 
to the repo and I am starting to see some issues occurring on my test 
machines.  When the smartcard is inserted into the reader a message 
flashes on the screen "That didn't work.  Please try again."  Also, it 
doesn't seem to prompt for a pin for the smartcard.  It just shows the 
password field. Unfortunately, the logs didn't reveal much; I may need 
to tweak the debug level if more information is needed.

I grabbed the files from 
https://koji.fedoraproject.org/koji/taskinfo?taskID=13412048

I had to modify the smartcard-auth file to the following:

auth        required      pam_env.so
auth        sufficient    pam_sss.so allow_missing_name
#auth        [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

#password    required      pam_pkcs11.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

The dconf file /etc/dconf/db/distro.d/10-authconfig

[org/gnome/login-screen]
enable-fingerprint-authentication=false

and /etc/dconf/db/distro.d/locks/10-authconfig-locks

/org/gnome/login-screen/enable-fingerprint-authentication

I'm currently running the following:

  * Scientific Linux 7.2 64bit
  * 4.2.0-15.sl7_2.17
  * GDM 3.14.2
  * GNOME Shell 3.14.4

Hopefully, I have given you enough information to work the problem. Have 
there been changes to the way freeIPA is configured for smartcard use?

Sincerely,
-- 
*Michael Rainey*
