On Thu, Oct 31, 2019 at 04:38:23PM +0000, Zynda, Bradley V. (GSFC-423.0)[ADNET SYSTEMS INC] wrote:
Hello,
pam.d/system-auth
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth

pam.d/smartcard-auth
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth sufficient pam_sss.so ignore_authinfo_unavail require_cert_auth
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

etc/sssd/sssd.conf
[sssd]
services = nss, pam
domains = files
[nss]
[pam]
pam_cert_auth = True
pam_cert_db_path = /etc/sssd/pki/<cert>.pem
debug_level = 4
[domain/files]
id_provider = files
[certmap/files/<user>]
matchrule = <EKU>msScLogin<SUBJECT>^.*,UID=<user>,.*$

gdm.d/greeter-login
enable-smartcard-authentication=true
enable-fingerprint-authentication=false
enable-password-authentication=false
Reboot and get the card PIN user prompt in gdm-login-greeter -> add username and click next.
I get prompted for the PIN, but after a second it just fails and goes back to asking for a username.
Has anyone run into this behaviour, suggestions, fix?
Hi,
does it work with other services than gdm, like e.g. the console login
or su?
Can you send the SSSD debug logs? You currently have 'debug_level = 4'
in the [pam] section. This might help for a start, but it might help to
avoid some round-trips if you can set 'debug_level = 9' in the [pam] and
[domain/files] sections, restart SSSD and run the login test again before
sending the logs.
bye.
Sumit
Seems to be a recurring issue I have seen in +F28, +CentOS7 and +RHEL7, basically anything with the obsolete coolkey pkcs11 authconfig.
Thanks,
Brad
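The smartcard-auth stack posted above behaves the way it does because of Linux-PAM's control-flag rules. As an added illustration that is not part of this thread, the following Python model (simplified from pam.conf(5); it is an assumption that omitting the reset and new_authtok_reqd cases is harmless for these stacks) walks that stack and shows why a pam_sss failure ends at pam_deny with no password fallback, and why a user with uid below 1000 never reaches pam_sss at all.

```python
import re
# PAM return codes used below, mapped to the names they carry inside a [...] control.
CODES = {"PAM_SUCCESS": "success", "PAM_AUTH_ERR": "auth_err", "PAM_IGNORE": "ignore",
         "PAM_AUTHINFO_UNAVAIL": "authinfo_unavail", "PAM_PERM_DENIED": "perm_denied"}
# Keyword controls expanded to their bracket form, as documented in pam.conf(5).
KEYWORDS = {"required": "success=ok ignore=ignore default=bad",
            "requisite": "success=ok ignore=ignore default=die",
            "sufficient": "success=done default=ignore",
            "optional": "success=ok default=ignore"}
# The auth section of pam.d/smartcard-auth as posted in the thread.
SMARTCARD_AUTH = """
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth sufficient pam_sss.so ignore_authinfo_unavail require_cert_auth
auth required pam_deny.so
"""
def parse_auth_stack(text):  # -> [(control_dict, module)] for the 'auth' lines
    stack = []
    for line in text.splitlines():
        m = re.match(r"-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            control, module = m.groups()
            control = control[1:-1] if control.startswith("[") else KEYWORDS[control]
            stack.append((dict(kv.split("=") for kv in control.split()), module))
    return stack

def run_stack(stack, results):  # results: module name -> code it returns this login
    impression, status, i = None, "PAM_PERM_DENIED", 0  # None: nobody has decided yet
    while i < len(stack):
        ctl, module = stack[i]
        retval = results[module]
        action = ctl.get(CODES[retval], ctl.get("default", "bad"))
        i += 1
        if action in ("bad", "die"):
            if impression is not False:  # the first failure fixes the stack's status
                impression, status = False, retval
            if action == "die":
                return status
        elif action != "ignore":  # ok / done / N all count as success
            if impression is not False:
                impression, status = True, retval
            if action == "done" and impression:  # 'sufficient': stop early on success
                return status
            if action.isdigit():  # N: jump over the next N modules
                i += int(action)
    return status if impression is not None else "PAM_PERM_DENIED"

def smartcard_login(uid_ok, sss_result):  # outcome of the posted stack for one login
    return run_stack(parse_auth_stack(SMARTCARD_AUTH),
                     {"pam_succeed_if.so": "PAM_SUCCESS" if uid_ok else "PAM_AUTH_ERR",
                      "pam_sss.so": sss_result, "pam_deny.so": "PAM_AUTH_ERR"})
```

Feeding the system-auth line with try_cert_auth through the same model shows the contrast: an authinfo_unavail result there is ignored and the stack moves on, whereas in smartcard-auth any non-success from pam_sss falls through to pam_deny.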
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org