Hi,
My case comes from GUI login (sddm) not talking with the pam stack like login/ssh do (with login you get a prompt for a password or for a PIN with the token/smartcard name displayed to the user). This way, there is no lock-out problem.
Currently, my pam_sss.so does not have the try_cert_auth option, and sssd.conf seems to do all the work. I will change that to use Spike solution.
My goal is to modify sddm so you choose how you want to authenticate before going to the pam/sssd stack, so you can select the right token between multiple plugged smartcards or a plain password and avoid lock-outs.
Thanks for the help! Marc