On Fri, Jun 03, 2016 at 05:56:45PM +0200, Jakub Hrozek wrote:
> On Wed, Jun 01, 2016 at 06:31:29PM +0200, Sumit Bose wrote:
> > Hi,
> >
> > the two attached patches would allow using the Smartcard support in
> > gdm with SSSD. To use it you should replace pam_pkcs11 in
> > /etc/pam.d/smartcard-auth in the auth section by
> >
> > auth sufficient pam_sss.so allow_missing_name
> >
> > and drop the password section completely.
> >
> > To enable the Smartcard support in gdm the easiest way is to use
> > dconf-editor:
> >
> > DCONF_PROFILE=gdm dconf-editor
> >
> > In the org/gnome/login-screen section you can switch the Smartcard
> > support on and off. Additionally you might want to tune the removal
> > action in org/gnome/settings-daemon/peripherals/smartcard .
> >
> > If now a Smartcard is inserted gdm should register it, call
> > /etc/pam.d/gdm-smartcard which calls /etc/pam.d/smartcard-auth without a
> > user name. With the new option from the first patch pam_sss will accept
> > this and send it to the pam responder. The pam responder can handle this
> > if Smartcard authentication is enabled, tries to read the certificate
> > from the Smartcard, tries to find a matching user and if successful,
> > returns the user name to pam_sss which puts it on the PAM stack and
> > continues with the authentication.
> >
> > It would be nice if someone can review the code even without testing the
> > functionality. In this case I will ask someone else with access to
> > Smartcards and reader to do some functional testing.
> >
> > I think these patches are candidates for the pam wrapper based tests
> > Jakub has for review on the list. I'll start reviewing those and add
> > tests when they are in master.
>
> The code looks good to me with some minor nitpicks (see inline) but at
> least for me, the tests are failing:
> [ RUN ] test_pam_offline_chauthtok_prelim
> [ ERROR ] --- 0x2 != 0x3
> [ LINE ] --- /home/remote/jhrozek/devel/sssd/src/tests/cmocka/test_pam_srv.c:641: error: Failure!
> [ FAILED ] test_pam_offline_chauthtok_prelim
> [ RUN ] test_pam_offline_chauthtok
> [ ERROR ] --- 0x2 != 0x3
> [ LINE ] --- /home/remote/jhrozek/devel/sssd/src/tests/cmocka/test_pam_srv.c:641: error: Failure!
> [ FAILED ] test_pam_offline_chauthtok
>
> Do I need some other patches applied as well?
Not that I'm aware of. So far I was not able to reproduce the error
locally nor with CI
http://sssd-ci.duckdns.org/logs/job/44/49/summary.html . Do you maybe
have your pam wrapper patches applied to check for regressions?
Of course this was the case :-) Good excuse to rebase my tests atop
these patches..
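
The smartcard-auth edit described in the quoted announcement (swap the pam_pkcs11 auth entry for pam_sss with allow_missing_name, drop the password section), as an added example that is not part of the thread or of SSSD. The function name and the sample file contents are constructed for illustration; the filter reads from stdin and writes to stdout, so it can be run against a copy of the file and diffed before anything under /etc/pam.d is changed.

```shell
#!/bin/sh
# Added example, not SSSD code. Reads a PAM service file on stdin and writes
# the edited version to stdout; the input file itself is never modified.
convert_smartcard_auth() {
    awk '
        # A leading "-" marks an optional module; it is still the same type.
        { type = $1; sub(/^-/, "", type) }
        # Drop the password section completely.
        type == "password" { next }
        # Replace the pam_pkcs11 entry in the auth section with pam_sss.
        type == "auth" && index($0, "pam_pkcs11") {
            print "auth        sufficient    pam_sss.so allow_missing_name"
            next
        }
        # Everything else (comments, blank lines, other entries) is kept.
        { print }
    '
}

# Constructed sample input resembling a pam_pkcs11-based smartcard-auth file.
sample_smartcard_auth() {
    cat <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so
auth        required      pam_deny.so

account     required      pam_unix.so
account     required      pam_permit.so

password    required      pam_pkcs11.so

session     required      pam_limits.so
session     required      pam_unix.so
EOF
}

# Show the converted sample when the script is run directly.
sample_smartcard_auth | convert_smartcard_auth
```

Because the replacement entry is `sufficient` and the sample keeps pam_deny.so after it, a failed Smartcard lookup still ends in a denial rather than falling through the auth stack.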