[Freeipa-users] Lock screen when Smart Card is removed.

Michael Rainey (Contractor) michael.rainey.ctr at nrlssc.navy.mil
Wed Mar 23 17:25:50 UTC 2016


Hi Sumit,

I've been trying to download the rpm via the Koji client and have been unable 
to locate the package.  Are there any extra steps I need to complete before 
I can find the package, such as creating an account in the Fedora Build 
System?  Performing a general search for SSSD only returns a list of 
packages from Fedora Projects and nothing from the EL repo.

Thanks,

*Michael Rainey*
NRL 7320
Computer Support Group
Building 1009, Room C156
Stennis Space Center, MS 39529

On 03/22/2016 07:25 AM, Sumit Bose wrote:
> On Fri, Mar 18, 2016 at 10:53:08AM -0500, Michael Rainey (Contractor) wrote:
>> Hi Sumit,
>>
>> It has been a week and I am following up with you on the lock screen issue.
>> Have you had any progress?  If so, I am hoping implementing the fix will be
>> quick and easy.
> Thank you for your patience. Please find a test build for RHEL/CentOS
> 7.2 at https://koji.fedoraproject.org/koji/taskinfo?taskID=13412048 .
>
> Besides the updated version of SSSD you should replace
> /etc/pam.d/smartcard-auth with
>
> ======== /etc/pam.d/smartcard-auth =========
> auth        required      pam_env.so
> auth        sufficient    pam_sss.so allow_missing_name
> auth        required      pam_deny.so
>
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
>
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session     optional      pam_systemd.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_sss.so
> ===========================================
>
> and /etc/dconf/db/distro.d/10-authconfig
>
> ===== /etc/dconf/db/distro.d/10-authconfig =====
> [org/gnome/login-screen]
> enable-fingerprint-authentication=false
>
> [org/gnome/settings-daemon/peripherals/smartcard]
> removal-action='lock-screen'
> ===============================================
>
> and /etc/dconf/db/distro.d/locks/10-authconfig-locks
>
> ====== /etc/dconf/db/distro.d/locks/10-authconfig-locks ===
> /org/gnome/login-screen/enable-fingerprint-authentication
> /org/gnome/settings-daemon/peripherals/smartcard
> ===========================================================
>
> and call 'dconf update' to get the new setting loaded. Finally, it might
> be a good idea to restart gdm to make sure the new setting and PAM
> configuration are really active, although I would expect that gdm is able
> to pick up the changes at run-time.
>
> Any feedback, good or bad, is welcome.
>
> bye,
> Sumit
>
>> Thanks,
>>
>> *Michael Rainey*
>>
>> On 03/11/2016 02:32 AM, Sumit Bose wrote:
>>> On Thu, Mar 10, 2016 at 01:36:15PM -0600, Michael Rainey (Contractor) wrote:
>>>> Greetings,
>>>>
>>>> I have been adding systems to my new domain and utilizing the smart card
>>>> login feature.  To date the smart card login feature is working very well.
>>>> However, my group has been trying to implement locking the screen when the
>>>> smart card is removed, but has not been successful at making it work.  Does
>>>> anyone have any suggestions as to what it would take to enable locking the
>>>> screen when the smart card is removed?
>>> This requires a better integration with gdm which is currently WIP
>>> (https://fedorahosted.org/sssd/ticket/2941). If you don't mind please
>>> ping me in about a week about this again, then I might have done some
>>> more testing.
>>>
>>> bye,
>>> Sumit
>>>
>>>> Thank you in advance.
>>>> -- 
>>>> *Michael Rainey*
>>>> -- 
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
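
A file-level check of the three configuration files quoted above, as an added example that is not part of the original thread and not SSSD or authconfig code. The function name, the optional root-prefix argument and the acceptance of a full `.../removal-action` lock entry are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the PAM and dconf files from the quoted instructions.
# $1 is a hypothetical root prefix ("" = live system) so the same check can
# run against a staged or constructed tree. Returns the number of failures.

check_smartcard_lock() {
    root="${1:-}"
    pam="$root/etc/pam.d/smartcard-auth"
    db="$root/etc/dconf/db/distro.d/10-authconfig"
    locks="$root/etc/dconf/db/distro.d/locks/10-authconfig-locks"
    key="/org/gnome/settings-daemon/peripherals/smartcard"
    fails=0

    # PAM: an uncommented auth line must call pam_sss.so with allow_missing_name.
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_sss\.so[[:space:]](.*[[:space:]])?allow_missing_name([[:space:]]|$)' \
        "$pam" 2>/dev/null || {
        echo "FAIL: $pam: no auth line with pam_sss.so allow_missing_name"
        fails=$((fails + 1))
    }

    # dconf keyfile: removal-action must be 'lock-screen' inside the smartcard
    # section itself, not merely somewhere in the file.
    action=$(awk -v sect="[${key#/}]" '
        /^\[/ { in_sect = ($0 == sect) }
        in_sect && /^removal-action[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$db" 2>/dev/null)
    [ "$action" = "'lock-screen'" ] || {
        echo "FAIL: $db: removal-action is ${action:-unset}, expected 'lock-screen'"
        fails=$((fails + 1))
    }

    # Locks: without an entry here a user-level dconf write can override the
    # removal action. Accepts the entry as posted or the full key under it.
    grep -Eq "^${key}(/removal-action)?[[:space:]]*\$" "$locks" 2>/dev/null || {
        echo "FAIL: $locks: no lock entry for $key"
        fails=$((fails + 1))
    }

    return "$fails"
}
```

The check reads the keyfiles only. It does not confirm that 'dconf update' has been run or that gdm has picked up the change.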
