On Thu, Sep 28, 2017 at 11:29:27AM -0400, Steve Weeks via FreeIPA-users wrote: > We have smartcards (PIV) working just fine on Fedora 25 with FreeIPA client > version 4.4.4 (SSSD 1.14.2). However on Ubuntu 16.04, FreeIPA client > 4.3.1, SSSD 1.13.4 the smartcard seems to be ignored. > > The smartcard is readable using pkcs11-tools and pkcs15-tools on both > systems. > > On both systems sssd.conf contains: > [pam] > pam_cert_auth = True > > I've turned the sssd logging up to 9 on both systems and it looks like > p11_child is never called on the Ubuntu system. On the Ubuntu system > p11_child.log is empty and there is no sign of it being started in the > sssd_pam.log. > > Any suggestions on what I should look at next?
How does your PAM configuration looks like? You have to make sure that pam_sss.so is the first module called for SSSD users. If pam_unix comes first it will ask for a Password and pass it on to pam_sss.so which will try password authentication in this case. HTH bye, Sumit > > Thanks, > Steve > _______________________________________________ > FreeIPA-users mailing list -- firstname.lastname@example.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org _______________________________________________ FreeIPA-users mailing list -- email@example.com To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org