On Thu, Feb 02, 2017 at 11:03:28AM -0800, [email protected] wrote:
> I am running an IPA server (4.4.0) on RHEL 7.3 which is integrated with a
> Windows Active Directory server. I am trying to configure the IPA server to
> allow the Active Directory Users to log into Gnome with a CAC smart card.
> I’m having a hard time finding any instructions on how to do this. The
> problem I’m having is the Common Name from the smart card is not getting
> associated with the Active Directory account. I added the certificate from
> the smart card to the IPA server by creating a User ID override for the AD
> user account. I made sure to not use authconfig to configure smart cards and
> I added ifp to the services line in the sssd.conf file.
>
> I have the following packages installed:
> ipa-admintools.noarch 4.4.0-14.el7_3.4
> ipa-client.x86_64 4.4.0-14.el7_3.4
> ipa-client-common.noarch 4.4.0-14.el7_3.4
> ipa-common.noarch 4.4.0-14.el7_3.4
> ipa-python-compat.noarch 4.4.0-14.el7_3.4
> ipa-server.x86_64 4.4.0-14.el7_3.4
> ipa-server-common.noarch 4.4.0-14.el7_3.4
> ipa-server-dns.noarch 4.4.0-14.el7_3.4
> ipa-server-trust-ad.x86_64 4.4.0-14.el7_3.4
>
> I can log in with AD user accounts that are configured with UserName and
> Passwords, so I know that the integration is working. When I try to log
> into GDM with my smart card, I don’t get prompted for a PIN number. It only
> asks for the password from the AD account.

Please have a look at the steps described in
https://bugzilla.redhat.com/show_bug.cgi?id=1300420#c9 . Please let me know if
you run into issues.

HTH

bye,
Sumit

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
