On Tue, Jun 28, 2016 at 04:41:39PM -0500, Michael Rainey (Contractor) wrote:
> Greetings,
>
> Back in March I contacted the mailing list in regard to a problem I was
> having with smartcards and screen locking. At that time I was provided a
> patch to implement to lock the screen when the smartcard was removed and it
> worked well. Today it looks like the patch may have made its way to the
> repo and I am starting to see some issues occurring on my test machines.
> When the smartcard is inserted into the reader a message flashes on the
> screen "That didn't work. Please try again." Also, it doesn't seem to
> prompt for a pin for the smartcard. It just shows the password field.
> Unfortunately, the logs didn't reveal much, I may need to tweak the debug
> level if more information is needed.

yes, it would be good if you can add debug_level=10 to the [pam] section of
sssd.conf and send the sssd_pam.log file after testing.

>
> I grabbed the files from
> https://koji.fedoraproject.org/koji/taskinfo?taskID=13412048
>
> I had to modify the smartcard-auth file to the following:
>
> auth required pam_env.so
> auth sufficient pam_sss.so allow_missing_name
> #auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> #password required pam_pkcs11.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> -session optional pam_systemd.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
>
> The dconf file /etc/dconf/db/distro.d/10-authconfig
>
> [org/gnome/login-screen]
> enable-fingerprint-authentication=false
>
> and /etc/dconf/db/distro.d/locks/10-authconfig-locks
>
> /org/gnome/login-screen/enable-fingerprint-authentication

The configuration looks ok, I'll try to reproduce the issue locally as well.

bye,
Sumit

>
> I'm currently running the following:
>
> * Scientific Linux 7.2 64bit
> * 4.2.0-15.sl7_2.17
> * GDM 3.14.2
> * GNOME Shell 3.14.4
>
> Hopefully, I have given you enough information to work the problem. Have
> there been changes to the way freeIPA is configured for smartcard use?
>
> Sincerely,
> --
> *Michael Rainey*
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
