[SSSD-users] sssd smartcard pam.d

Hello for all. I have CentOS 7.6 with last updates. After using realmd authetification AD users with password works well. I try to use smartcards to authetificate users from AD at the linux machines. After a lot of googling I can use PKINIT to take kerberos tickets for a user by using a smartcard and a pincode. this is my krb5.conf: # cat /etc/krb5.conf # Configuration snippets may be placed in this directory as well includedir /etc/krb5.conf.d/ includedir /var/lib/sss/pubconf/krb5.include.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false default_ccache_name = KEYRING:persistent:%{uid} default_realm = "Domain" pkinit_anchors = FILE:/etc/pki/nssdb/ca.cer pkinit_identities = PKCS11:/usr/lib64/libeTPkcs11.so pkinit_eku_checking = kpServerAuth pkinit_kdc_hostname = "Domain controller1" pkinit_kdc_hostname = "Domain controller2" pkinit_kdc_hostname = "Domain controller3" canonicalize = True [realms] "Domain" { kdc = "Domain controller1" kdc = "Domain controller2" kdc = "Domain controller3" admin_server = "Domain controller1" default_domain = "Domain" } [domain_realm] domain = DOMAIN .domain = DOMAIN I put this article inside sssd.conf: [pam] pam_cert_auth = true i think that next step will be a configure pam.d files. but at this step a met some problems. maybe somebody can send me working files from pam.d? What the next step to make authetification for Gnome Destop on CentOS 7.6? ps. "authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=1 --updateall" don't work well for me