On Thu, Sep 28, 2017 at 11:29:27AM -0400, Steve Weeks via FreeIPA-users wrote:
> We have smartcards (PIV) working just fine on Fedora 25 with FreeIPA client
> version 4.4.4 (SSSD 1.14.2).  However on Ubuntu 16.04, FreeIPA client
> 4.3.1, SSSD 1.13.4 the smartcard seems to be ignored.
> 
> The smartcard is readable using pkcs11-tools and pkcs15-tools on both
> systems.
> 
> On both systems sssd.conf contains:
> [pam]
> pam_cert_auth = True
> 
> I've turned the sssd logging up to 9 on both systems and it looks like
> p11_child is never called on the Ubuntu system.  On the Ubuntu system
> p11_child.log is empty and there is no sign of it being started in the
> sssd_pam.log.
> 
> Any suggestions on what I should look at next?

What does your PAM configuration look like? You have to make sure that
pam_sss.so is the first module called for SSSD users. If pam_unix comes
first it will ask for a password and pass it on to pam_sss.so which will
try password authentication in this case.

HTH

bye,
Sumit

> 
> Thanks,
> Steve

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
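
The module-order check described in the reply above, as an added example that is not part of the original thread: a shell function that reports whether pam_unix.so is reached before pam_sss.so in a given PAM auth stack. The function names and the sample stack are constructed for illustration; which file to pass is an assumption, since the thread does not name it (on Ubuntu the auth stack is usually /etc/pam.d/common-auth).

```shell
#!/bin/sh
# Added example, not from the thread: check which of pam_unix.so / pam_sss.so
# comes first in a PAM auth stack. @include lines are not followed.

# Print the order in which the two modules first appear on "auth" lines,
# e.g. "pam_unix.so,pam_sss.so", or "none" if neither is configured.
pam_auth_order() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        {
            type = $1; sub(/^-/, "", type)      # "-auth" is still an auth line
            if (type != "auth") next
            i = 2                               # control: one word or [k=v ...]
            if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            n = split($(i + 1), path, "/"); mod = path[n]
            if ((mod == "pam_sss.so" || mod == "pam_unix.so") && !(mod in seen)) {
                seen[mod] = 1
                order = order (order == "" ? "" : ",") mod
            }
        }
        END { print (order == "" ? "none" : order) }
    ' "$1"
}

# Return 0 only when pam_sss.so is reached before pam_unix.so.
check_pam_order() {
    case "$(pam_auth_order "$1")" in
        pam_sss.so*) echo "OK: pam_sss.so is called first"; return 0 ;;
        pam_unix.so,pam_sss.so)
            echo "WARN: pam_unix.so runs first and will prompt for a password"; return 1 ;;
        *)  echo "WARN: pam_sss.so is not in this auth stack"; return 2 ;;
    esac
}

# Constructed sample stack (not taken from the poster's system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed example
auth    [success=2 default=ignore]  pam_unix.so nullok_secure
auth    [success=1 default=ignore]  pam_sss.so use_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
EOF
check_pam_order "$sample" || true
rm -f "$sample"
```

Run `check_pam_order` against the file that holds the auth stack for the login service in use; a non-zero exit status means pam_sss.so is not the first of the two modules.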