[Freeipa-users] Lock screen when Smart Card is removed.

Sumit Bose sbose at redhat.com
Thu Mar 24 10:09:16 UTC 2016 

On Wed, Mar 23, 2016 at 12:25:50PM -0500, Michael Rainey (Contractor) wrote:
> Hi Sumit,
> 
> I've trying to download the rpm via the Koji client and have been unable to
> locate package.  Are there any extra steps I need to complete before I can
> find the package, such as, create an account in Fedora Build System.
> Performing a general search for SSSD only returns a list of packages from
> Fedora Projects and nothing from the EL repo.

The link I sent is the meta link for the different supported platforms
(x86_64, pcc64 and pcc64le). If you select the link for x86_64 you
should be able to see download links for the x86_64 packages.

Nevertheless I created a new build
http://koji.fedoraproject.org/koji/taskinfo?taskID=13446490 to fix some
issue with the package version number in the previous build. The x86_64
packages can be found at
http://koji.fedoraproject.org/koji/taskinfo?taskID=13446491 . To make
the download easy you can try the following command:

curl http://koji.fedoraproject.org/koji/taskinfo?taskID=13446491 | grep -o '"https://.*.rpm"' | xargs -n 1 curl -L -O

HTH

bye,
Sumit

> 
> Thanks,
> 
> *Michael Rainey*
> NRL 7320
> Computer Support Group
> Building 1009, Room C156
> Stennis Space Center, MS 39529
> On 03/22/2016 07:25 AM, Sumit Bose wrote:
> >On Fri, Mar 18, 2016 at 10:53:08AM -0500, Michael Rainey (Contractor) wrote:
> >>Hi Sumit,
> >>
> >>It has been a week and I am following up with you on the lock screen issue.
> >>Have you had any progress?  If so, I am hoping implementing the fix will be
> >>quick and easy.
> >Thank you for your patience. Please find a test build for RHEL/CentOS
> >7.2 at https://koji.fedoraproject.org/koji/taskinfo?taskID=13412048 .
> >
> >Besides the updated version of SSSD you should replace
> >/etc/pam.d/smartcard-auth with
> >
> >======== /etc/pam.d/smartcard-auth =========
> >auth        required      pam_env.so
> >auth        sufficient    pam_sss.so allow_missing_name
> >auth        required      pam_deny.so
> >
> >account     required      pam_unix.so
> >account     sufficient    pam_localuser.so
> >account     sufficient    pam_succeed_if.so uid < 1000 quiet
> >account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> >account     required      pam_permit.so
> >
> >
> >session     optional      pam_keyinit.so revoke
> >session     required      pam_limits.so
> >-session     optional      pam_systemd.so
> >session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> >session     required      pam_unix.so
> >session     optional      pam_sss.so
> >===========================================
> >
> >and /etc/dconf/db/distro.d/10-authconfig
> >
> >===== /etc/dconf/db/distro.d/10-authconfig =====
> >[org/gnome/login-screen]
> >enable-fingerprint-authentication=false
> >
> >[org/gnome/settings-daemon/peripherals/smartcard]
> >removal-action='lock-screen'
> >===============================================
> >
> >and /etc/dconf/db/distro.d/locks/10-authconfig-locks
> >
> >====== /etc/dconf/db/distro.d/locks/10-authconfig-locks ===
> >/org/gnome/login-screen/enable-fingerprint-authentication
> >/org/gnome/settings-daemon/peripherals/smartcard
> >===========================================================
> >
> >and call 'dconf update' to get the new setting loaded. Finally it might
> >be a good idea to restart gdm to make sure the new setting and PAM
> >configuration is really active although I would expect that gdm is able
> >to pick up the changes at run-time.
> >
> >Any feedback, good or bad, is welcome.
> >
> >bye,
> >Sumit
> >
> >>Thanks,
> >>
> >>*Michael Rainey*
> >>
> >>On 03/11/2016 02:32 AM, Sumit Bose wrote:
> >>>On Thu, Mar 10, 2016 at 01:36:15PM -0600, Michael Rainey (Contractor) wrote:
> >>>>Greetings,
> >>>>
> >>>>I have been adding systems to my new domain and utilizing the smart card
> >>>>login feature.  To date the smart card login feature is working very well.
> >>>>However, my group has been trying to implement locking the screen when the
> >>>>smart card is removed, but have not been successful at making it work.  Does
> >>>>anyone have any suggestions as to what it would take to enable locking the
> >>>>screen when the smart card is removed.
> >>>This requires a better integration with gdm which is currently WIP
> >>>(https://fedorahosted.org/sssd/ticket/2941). If you don't mind please
> >>>ping me in about a week about this again, then I might have done some
> >>>more testing.
> >>>
> >>>bye,
> >>>Sumit
> >>>
> >>>>Thank you in advance.
> >>>>-- 
> >>>>*Michael Rainey*
> >>>>-- 
> >>>>Manage your subscription for the Freeipa-users mailing list:
> >>>>https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>>Go to http://freeipa.org for more info on the project
> >>-- 
> >>Manage your subscription for the Freeipa-users mailing list:
> >>https://www.redhat.com/mailman/listinfo/freeipa-users
> >>Go to http://freeipa.org for more info on the project
>

More information about the Freeipa-users mailing list