<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Greetings,</p>
<p>I have been working on an issue with smart card logins on a
Fedora 25 system. For a short time smart card logins have been
working well, but suddenly the login process has suddenly stopped
working. I have verified that all appropriate certificates are
installed, checked my dconf configuration, checked my PAM files,
and reviewed the logs. I have noticed a few issues, but changing
them to match my SL7 systems did not resolve the problem.</p>
<p>My observation has been with my PAM files and authconfig. I have
noticed that when an update occurs, authconfig will run changing
my PAM files. Has IPA been integrated with authconfig or do I
still need to keep the options in authconfig largely disabled and
manually modify my PAM files?</p>
<p>System Information:<br>
</p>
<hr size="2" width="100%">Package:<br>
freeipa-client.x86_64 4.4.3-2.fc25<br>
<br>
PAM:<br>
-------------------------------------<br>
smartcard-auth-ac<br>
-------------------------------------<br>
auth required pam_env.so<br>
auth sufficient pam_sss.so allow_missing_name<br>
auth required pam_deny.so<br>
<br>
account required pam_unix.so<br>
account sufficient pam_localuser.so<br>
account sufficient pam_succeed_if.so uid < 1000 quiet<br>
account [default=bad success=ok user_unknown=ignore] pam_sss.so<br>
account required pam_permit.so<br>
<br>
<br>
session optional pam_keyinit.so revoke<br>
session required pam_limits.so<br>
-session optional pam_systemd.so<br>
session [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid<br>
session required pam_unix.so<br>
session optional pam_sss.so<br>
<br>
-------------------------------------<br>
password-auth-ac<br>
-------------------------------------<br>
auth required pam_env.so<br>
auth [default=1 success=ok] pam_localuser.so<br>
auth [success=done ignore=ignore default=die] pam_unix.so
nullok try_first_pass<br>
auth requisite pam_succeed_if.so uid >= 1000
quiet_success<br>
auth sufficient pam_sss.so forward_pass<br>
auth required pam_deny.so<br>
<br>
account required pam_unix.so<br>
account sufficient pam_localuser.so<br>
account sufficient pam_succeed_if.so uid < 1000 quiet<br>
account [default=bad success=ok user_unknown=ignore] pam_sss.so<br>
account required pam_permit.so<br>
<br>
password requisite pam_pwquality.so try_first_pass
local_users_only retry=3 authtok_type=<br>
password sufficient pam_unix.so sha512 shadow nullok
try_first_pass use_authtok<br>
password sufficient pam_sss.so use_authtok<br>
password required pam_deny.so<br>
<br>
session optional pam_keyinit.so revoke<br>
session required pam_limits.so<br>
-session optional pam_systemd.so<br>
session [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid<br>
session required pam_unix.so<br>
session optional pam_sss.so<br>
<br>
-------------------------------------<br>
DCONF: org.gnome.login-screen<br>
-------------------------------------<br>
org.gnome.login-screen fallback-logo ''<br>
org.gnome.login-screen disable-user-list false<br>
org.gnome.login-screen allowed-failures 3<br>
org.gnome.login-screen enable-smartcard-authentication true<br>
org.gnome.login-screen banner-message-enable false<br>
org.gnome.login-screen enable-password-authentication true<br>
org.gnome.login-screen disable-restart-buttons false<br>
org.gnome.login-screen logo '/usr/share/pixmaps/fedora-gdm-logo.png'<br>
org.gnome.login-screen enable-fingerprint-authentication true<br>
org.gnome.login-screen banner-message-text ''<br>
<br>
<div class="moz-signature">-- <br>
<b>Michael Rainey</b><br>
Network Representative<br>
Naval Research Latoratory, Code 7320<br>
Building 1009, Room C156<br>
Stennis Space Center, MS 39529<br>
<br>
</div>
</body>
</html>