Thanks for your reply.
Where do I find the issuer to create the correct matchrule?
The upn of the user is currently stored in the Subject Alternate Name in the certificate.
So the full username including the domain. What would the maprule look like then?
I don't understand how it's supposed to work if GDM doesn't prompt for a username. The smartcard currently has two separate certificates. Without entering a username, I fail to see how it knows which one to use.
krb5_child.log is currently empty.
This is krb5.conf:
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
#     kdc = kerberos.example.com
#     admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
BR /Gary
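The two things the post asks about, where the issuer string comes from and what a rule looks like when the UPN sits in the Subject Alternative Name, can both be answered by reading the certificate the same way SSSD does. The script below is an added example written for this thread, not code from the original poster or from the SSSD project. It builds a throwaway issuing CA and a user certificate carrying a constructed UPN (gary@example.com) as an otherName SAN, prints the issuer in RFC 4514 order (the form SSSD's `<ISSUER>` matcher compares against, which is the reverse of OpenSSL's default display), dumps the SAN extension, and then assembles candidate `matchrule`/`maprule` strings using the `<ISSUER>`, `<SAN:Principal>` and `{subject_principal}` syntax documented in sssd-certmap(5). It assumes `openssl` 1.1.1 or newer on PATH; the CA name, user name, UPN domain and the `[certmap/example.com/upn]` section name are all assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): inspect a user certificate the
# way SSSD's certmap does and derive matchrule/maprule strings from it.
# Assumes openssl >= 1.1.1. All certificate material is constructed here.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Constructed values for the demo (not from any real deployment).
DEMO_CA_SUBJ="/O=Example/CN=Example Issuing CA"
DEMO_USER_SUBJ="/O=Example/CN=Gary"
DEMO_UPN="gary@example.com"

# Build a throwaway issuing CA plus a user certificate whose SAN carries the
# UPN as an otherName (OID 1.3.6.1.4.1.311.20.2.3), as described in the post.
make_test_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$DEMO_CA_SUBJ" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "$DEMO_USER_SUBJ" \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
    # Extension file read by "x509 -req": the UPN goes into the SAN as otherName.
    printf 'subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:%s\n' \
        "$DEMO_UPN" > "$WORK/san.cnf"
    openssl x509 -req -days 1 -in "$WORK/user.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/san.cnf" -out "$WORK/user.pem" 2>/dev/null
}

# Issuer DN in RFC 4514 order (most specific RDN first). This is the string
# SSSD's <ISSUER> matcher sees; OpenSSL's default "-issuer" output is reversed.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

# Dump the SAN extension. OpenSSL 3 prints the UPN as "othername: UPN::...";
# 1.1.1 prints "othername:<unsupported>" but the value is still in the cert.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName
}

# Escape regex metacharacters so a DN or domain can be used as a literal,
# anchored pattern inside the rule.
regex_escape() {
    printf '%s' "$1" | sed 's/[][\.*^$]/\\&/g'
}

# matchrule: only certificates from this issuer whose principal SAN ends in
# the expected UPN domain are considered for mapping.
build_matchrule() {
    printf '<ISSUER>^%s$<SAN:Principal>^.*@%s$' \
        "$(regex_escape "$1")" "$(regex_escape "$2")"
}

# maprule: look the user up by the principal taken from the SAN. Against AD
# the UPN attribute is userPrincipalName; against IdM/local users the
# short form (realm stripped) usually maps to uid.
build_maprule_ad()    { printf '(userPrincipalName={subject_principal})'; }
build_maprule_local() { printf '(uid={subject_principal.short_name})'; }

make_test_certs
ISSUER=$(cert_issuer "$WORK/user.pem")
echo "Issuer as SSSD sees it: $ISSUER"
cert_san "$WORK/user.pem"
echo
echo "# candidate sssd.conf section (section name is an assumption)"
echo "[certmap/example.com/upn]"
echo "matchrule = $(build_matchrule "$ISSUER" "example.com")"
echo "maprule = $(build_maprule_ad)"
```

Because the matchrule is anchored on the issuer and on the UPN suffix, a second certificate on the same card from a different CA or with a non-matching principal simply does not match the rule, which is how SSSD can select the right certificate without a username being typed first.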