[Freeipa-users] freeIPA 4.2: Smart Card Issues

Sumit Bose sbose at redhat.com
Wed Jun 29 07:31:36 UTC 2016


On Tue, Jun 28, 2016 at 04:41:39PM -0500, Michael Rainey (Contractor) wrote:
> Greetings,
> 
> Back in March I contacted the mailing list in regard to a problem I was
> having with smartcards and screen locking.  At that time I was provided a
> patch to implement to lock the screen when the smartcard was removed and it
> worked well.  Today it looks like the patch may have made its way to the
> repo and I am starting to see some issues occurring on my test machines.
> When the smartcard is inserted into the reader a message flashes on the
> screen "That didn't work.  Please try again."  Also, it doesn't seem to
> prompt for a pin for the smartcard.  It just shows the password field.
> Unfortunately, the logs didn't reveal much, I may need to tweak the debug
> level if more information is needed.

Yes, it would be good if you can add debug_level=10 to the [pam] section
of sssd.conf and send the sssd_pam.log file after testing.

> 
> I grabbed the files from
> https://koji.fedoraproject.org/koji/taskinfo?taskID=13412048
> 
> I had to modify the smartcard-auth file to the following:
> 
> auth        required      pam_env.so
> auth        sufficient    pam_sss.so allow_missing_name
> #auth        [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card
> auth        required      pam_deny.so
> 
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
> 
> #password    required      pam_pkcs11.so
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session     optional      pam_systemd.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_sss.so
> 
> The dconf file /etc/dconf/db/distro.d/10-authconfig
> 
> [org/gnome/login-screen]
> enable-fingerprint-authentication=false
> 
> and /etc/dconf/db/distro.d/locks/10-authconfig-locks
> 
> /org/gnome/login-screen/enable-fingerprint-authentication

The configuration looks ok, I'll try to reproduce the issue locally as
well.

bye,
Sumit

> 
> I'm currently running the following:
> 
>  * Scientific Linux 7.2 64bit
>  * 4.2.0-15.sl7_2.17
>  * GDM 3.14.2
>  * GNOME Shell 3.14.4
> 
> Hopefully, I have given you enough information to work the problem. Have
> there been changes to the way freeIPA is configured for smartcard use?
> 
> Sincerely,
> -- 
> *Michael Rainey*
> 
