[Freeipa-users] Fedora 25 IPA smart card login

Michael Rainey (Contractor) michael.rainey.ctr at nrlssc.navy.mil
Tue Mar 14 21:29:58 UTC 2017


Greetings,

I have been working on an issue with smart card logins on a Fedora 25 
system.  For a short time smart card logins have been working well, but 
suddenly the login process has stopped working.  I have 
verified that all appropriate certificates are installed, checked my 
dconf configuration, checked my PAM files, and reviewed the logs.  I 
have noticed a few issues, but changing them to match my SL7 systems did 
not resolve the problem.

My observation has been with my PAM files and authconfig.  I have 
noticed that when an update occurs, authconfig will run changing my PAM 
files.  Has IPA been integrated with authconfig or do I still need to 
keep the options in authconfig largely disabled and manually modify my 
PAM files?

System Information:

------------------------------------------------------------------------
Package:
freeipa-client.x86_64    4.4.3-2.fc25

PAM:
-------------------------------------
smartcard-auth-ac
-------------------------------------
auth        required      pam_env.so
auth        sufficient    pam_sss.so allow_missing_name
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so


session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

-------------------------------------
password-auth-ac
-------------------------------------
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

-------------------------------------
DCONF: org.gnome.login-screen
-------------------------------------
org.gnome.login-screen fallback-logo ''
org.gnome.login-screen disable-user-list false
org.gnome.login-screen allowed-failures 3
org.gnome.login-screen enable-smartcard-authentication true
org.gnome.login-screen banner-message-enable false
org.gnome.login-screen enable-password-authentication true
org.gnome.login-screen disable-restart-buttons false
org.gnome.login-screen logo '/usr/share/pixmaps/fedora-gdm-logo.png'
org.gnome.login-screen enable-fingerprint-authentication true
org.gnome.login-screen banner-message-text ''

-- 
*Michael Rainey*
Network Representative
Naval Research Laboratory, Code 7320
Building 1009, Room C156
Stennis Space Center, MS 39529
