<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Greetings,</p>
<p>Back in March I contacted the mailing list in regard to a problem
I was having with smartcards and screen locking. At that time I
was provided a patch to implement to lock the screen when the
smartcard was removed and it worked well. Today it looks like the
patch may have made its way to the repo and I am starting to see
some issues occurring on my test machines. When the smartcard is
inserted into the reader a message flashes on the screen "That
didn't work. Please try again." Also, it doesn't seem to prompt
for a PIN for the smartcard. It just shows the password field.
Unfortunately, the logs didn't reveal much; I may need to tweak
the debug level if more information is needed.<br>
</p>
<p>I grabbed the files from
<a class="moz-txt-link-freetext" href="https://koji.fedoraproject.org/koji/taskinfo?taskID=13412048">https://koji.fedoraproject.org/koji/taskinfo?taskID=13412048</a></p>
<p>I had to modify the smartcard-auth file to the following:</p>
<p>auth required pam_env.so<br>
auth sufficient pam_sss.so allow_missing_name<br>
#auth [success=done ignore=ignore default=die]
pam_pkcs11.so nodebug wait_for_card<br>
auth required pam_deny.so<br>
<br>
account required pam_unix.so<br>
account sufficient pam_localuser.so<br>
account sufficient pam_succeed_if.so uid &lt; 1000 quiet<br>
account [default=bad success=ok user_unknown=ignore]
pam_sss.so<br>
account required pam_permit.so<br>
<br>
#password required pam_pkcs11.so<br>
<br>
session optional pam_keyinit.so revoke<br>
session required pam_limits.so<br>
-session optional pam_systemd.so<br>
session [success=1 default=ignore] pam_succeed_if.so service
in crond quiet use_uid<br>
session required pam_unix.so<br>
session optional pam_sss.so</p>
<p>The dconf file /etc/dconf/db/distro.d/10-authconfig<br>
</p>
<p>[org/gnome/login-screen]<br>
enable-fingerprint-authentication=false</p>
<p>and /etc/dconf/db/distro.d/locks/10-authconfig-locks</p>
<p>/org/gnome/login-screen/enable-fingerprint-authentication</p>
<p>I'm currently running the following:</p>
<ul>
<li>Scientific Linux 7.2 64bit</li>
<li>4.2.0-15.sl7_2.17</li>
<li>GDM 3.14.2</li>
<li>GNOME Shell 3.14.4</li>
</ul>
Hopefully, I have given you enough information to work the problem.
Have there been changes to the way FreeIPA is configured for
smartcard use?<br>
<br>
Sincerely,<br>
<div class="moz-signature">-- <br>
<b>Michael Rainey</b><br>
<br>
</div>
</body>
</html>