[Freeipa-users] Fedora 25 IPA smart card login

Sumit Bose sbose at redhat.com
Wed Mar 15 13:17:19 UTC 2017


On Tue, Mar 14, 2017 at 04:29:58PM -0500, Michael Rainey (Contractor) wrote:
> Greetings,
> 
> I have been working on an issue with smart card logins on a Fedora 25
> system.  For a short time smart card logins had been working well, but
> suddenly the login process stopped working.  I have verified
> that all appropriate certificates are installed, checked my dconf
> configuration, checked my PAM files, and reviewed the logs.  I have noticed
> a few issues, but changing them to match my SL7 systems did not resolve the
> problem.

At first glance the config files are looking good.

Please send /var/log/secure or the PAM related journal data and the SSSD
log files with debug_level=10. If you prefer you can send them directly
to me.

bye,
Sumit

> 
> My observation has been with my PAM files and authconfig.  I have noticed
> that when an update occurs, authconfig will run changing my PAM files.  Has
> IPA been integrated with authconfig or do I still need to keep the options
> in authconfig largely disabled and manually modify my PAM files?
> 
> System Information:
> 
> ------------------------------------------------------------------------
> Package:
> freeipa-client.x86_64    4.4.3-2.fc25
> 
> PAM:
> -------------------------------------
> smartcard-auth-ac
> -------------------------------------
> auth        required      pam_env.so
> auth        sufficient    pam_sss.so allow_missing_name
> auth        required      pam_deny.so
> 
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
> 
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session     optional      pam_systemd.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_sss.so
> 
> -------------------------------------
> password-auth-ac
> -------------------------------------
> auth        required      pam_env.so
> auth        [default=1 success=ok] pam_localuser.so
> auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
> auth        sufficient    pam_sss.so forward_pass
> auth        required      pam_deny.so
> 
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
> 
> password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_sss.so use_authtok
> password    required      pam_deny.so
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session     optional      pam_systemd.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_sss.so
> 
> -------------------------------------
> DCONF: org.gnome.login-screen
> -------------------------------------
> org.gnome.login-screen fallback-logo ''
> org.gnome.login-screen disable-user-list false
> org.gnome.login-screen allowed-failures 3
> org.gnome.login-screen enable-smartcard-authentication true
> org.gnome.login-screen banner-message-enable false
> org.gnome.login-screen enable-password-authentication true
> org.gnome.login-screen disable-restart-buttons false
> org.gnome.login-screen logo '/usr/share/pixmaps/fedora-gdm-logo.png'
> org.gnome.login-screen enable-fingerprint-authentication true
> org.gnome.login-screen banner-message-text ''
> 
> -- 
> *Michael Rainey*
> Network Representative
> Naval Research Laboratory, Code 7320
> Building 1009, Room C156
> Stennis Space Center, MS 39529
> 

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
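The thread raises two checks a defender would want to automate: that the smartcard-auth stack still hands the login to SSSD (pam_sss.so with allow_missing_name, before pam_deny.so), and that an authconfig run has not silently rewritten the file. The following script is an added example, not code from Sumit, Michael, or the FreeIPA/SSSD projects. It parses PAM stack lines (including the `-` optional-module prefix and `[...]` control expressions), checks the auth section against those invariants, and diffs the current stack against a baseline snapshot. The smartcard-auth-ac content is taken from the post above (with the mail-wrapped line re-joined); the "drifted" file is a constructed, hypothetical example of what a password-style rewrite could look like and is not from the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: the smartcard-auth-ac stack quoted in the post, with the
# mail-wrapped "service in crond quiet use_uid" line re-joined.
SMARTCARD_AUTH_AC = """\
auth        required      pam_env.so
auth        sufficient    pam_sss.so allow_missing_name
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
"""

# Constructed (hypothetical): an auth section after a password-style rewrite.
# This is NOT from the post; it only exercises the drift detection below.
DRIFTED_AUTH_AC = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
"""


@dataclass
class PamRule:
    type: str          # auth / account / password / session
    control: str       # required, sufficient, ... or a "[...]" expression
    module: str        # e.g. pam_sss.so
    args: List[str]    # module arguments
    optional: bool     # leading '-': a missing module is not logged as an error


# type, control (bracketed expressions may contain spaces), module, args
RULE_RE = re.compile(r'^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$')


def parse_pam(text: str) -> List[PamRule]:
    """Parse pam.d-style stack lines; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        dash, typ, control, module, rest = m.groups()
        rules.append(PamRule(typ, control, module, rest.split(), dash == '-'))
    return rules


def check_smartcard_stack(rules: List[PamRule]) -> List[str]:
    """Return findings for the auth section; an empty list means it looks sane."""
    findings = []
    auth = [r for r in rules if r.type == 'auth']
    sss = [i for i, r in enumerate(auth) if r.module == 'pam_sss.so']
    deny = [i for i, r in enumerate(auth) if r.module == 'pam_deny.so']
    if not sss:
        findings.append("auth: no pam_sss.so rule, SSSD is never asked for smart card auth")
    else:
        rule = auth[sss[0]]
        if 'allow_missing_name' not in rule.args:
            findings.append("auth: pam_sss.so lacks allow_missing_name (needed when gdm has no user name yet)")
        if rule.control != 'sufficient':
            findings.append(f"auth: pam_sss.so control is {rule.control!r}, expected 'sufficient'")
        if deny and deny[0] < sss[0]:
            findings.append("auth: pam_deny.so precedes pam_sss.so, every login fails before SSSD runs")
    if any(r.module == 'pam_unix.so' for r in auth):
        findings.append("auth: pam_unix.so present; the posted smartcard stack has no password module here")
    return findings


def stack_drift(baseline: List[PamRule], current: List[PamRule]) -> Dict[str, list]:
    """Rules that differ between a saved baseline and the file as it is now."""
    key = lambda r: (r.type, r.control, r.module, tuple(r.args), r.optional)
    base, cur = [key(r) for r in baseline], [key(r) for r in current]
    return {'removed': [k for k in base if k not in cur],
            'added': [k for k in cur if k not in base]}


if __name__ == '__main__':
    good = parse_pam(SMARTCARD_AUTH_AC)
    print("posted stack findings:", check_smartcard_stack(good))
    bad = parse_pam(DRIFTED_AUTH_AC)
    print("drifted stack findings:", check_smartcard_stack(bad))
    print("drift:", stack_drift([r for r in good if r.type == 'auth'], bad))
```

Running the script against a copy of /etc/pam.d/smartcard-auth-ac taken right after the stack was known to work, and again after each update, turns "authconfig changed my PAM files" from a suspicion into a concrete list of added and removed rules.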