[Freeipa-users] freeIPA 4.2: Smart Card Issues
Sumit Bose
sbose at redhat.com
Wed Jun 29 07:31:36 UTC 2016
On Tue, Jun 28, 2016 at 04:41:39PM -0500, Michael Rainey (Contractor) wrote:
> Greetings,
>
> Back in March I contacted the mailing list in regard to a problem I was
> having with smartcards and screen locking. At that time I was provided a
> patch to implement to lock the screen when the smartcard was removed and it
> worked well. Today it looks like the patch may have made its way to the
> repo and I am starting to see some issues occurring on my test machines.
> When the smartcard is inserted into the reader a message flashes on the
> screen "That didn't work. Please try again." Also, it doesn't seem to
> prompt for a pin for the smartcard. It just shows the password field.
> Unfortunately, the logs didn't reveal much, I may need to tweak the debug
> level if more information is needed.

Yes, it would be good if you can add debug_level=10 to the [pam] section
of sssd.conf and send the sssd_pam.log file after testing.

>
> I grabbed the files from
> https://koji.fedoraproject.org/koji/taskinfo?taskID=13412048
>
> I had to modify the smartcard-auth file to the following:
>
> auth required pam_env.so
> auth sufficient pam_sss.so allow_missing_name
> #auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> #password required pam_pkcs11.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> -session optional pam_systemd.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
>
> The dconf file /etc/dconf/db/distro.d/10-authconfig
>
> [org/gnome/login-screen]
> enable-fingerprint-authentication=false
>
> and /etc/dconf/db/distro.d/locks/10-authconfig-locks
>
> /org/gnome/login-screen/enable-fingerprint-authentication
The configuration looks ok, I'll try to reproduce the issue locally as
well.
bye,
Sumit
>
> I'm currently running the following:
>
> * Scientific Linux 7.2 64bit
> * 4.2.0-15.sl7_2.17
> * GDM 3.14.2
> * GNOME Shell 3.14.4
>
> Hopefully, I have given you enough information to work the problem. Have
> there been changes to the way freeIPA is configured for smartcard use?
>
> Sincerely,
> --
> *Michael Rainey*
>
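
When a PAM stack like the smartcard-auth file quoted above is copied out of an e-mail, the mail client's line wrapping can leave arguments such as `wait_for_card` or `quiet use_uid` on a line of their own, which is not a valid PAM entry. The following is an added example, not part of the original thread: a small Python check that parses a PAM service file, flags such lines, and lists the active modules of a given type. The sample text is constructed from the configuration quoted in the message, and the names `parse_pam` and `active_modules` are hypothetical.

```python
import re

PAM_TYPES = {"auth", "account", "password", "session"}
# Optional "-", type, control (one word or a [value=action ...] group), module, args.
LINE_RE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed sample: part of the quoted smartcard-auth stack, with wrapped lines.
SAMPLE = """\
auth required pam_env.so
auth sufficient pam_sss.so allow_missing_name
#auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug
wait_for_card
auth required pam_deny.so

account required pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so

-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required pam_unix.so
"""

def parse_pam(text):
    """Return (entries, problems); backslash line continuations are not handled."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out entry
        m = LINE_RE.match(line)
        if not m or m.group(2) not in PAM_TYPES:
            problems.append((lineno, line))  # not "type control module [args]"
            continue
        _, ptype, control, module, args = m.groups()
        entries.append({"line": lineno, "type": ptype, "control": control,
                        "module": module, "args": args.split()})
    return entries, problems

def active_modules(entries, ptype):
    """Modules of one type, in stack order, with their arguments."""
    return [(e["module"], e["args"]) for e in entries if e["type"] == ptype]

if __name__ == "__main__":
    entries, problems = parse_pam(SAMPLE)
    for module, args in active_modules(entries, "auth"):
        print("auth:", module, " ".join(args))
    for lineno, line in problems:
        print(f"line {lineno}: not a valid PAM entry: {line!r}")
```
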