In all cases on both system pam_unix comes before pam_sss. For example in
Fedora system-auth it is:
auth [success=done ignore=ignore default=die] pam_unix.so nullok
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
and in Ubuntu common-auth it is:
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
I tried reversing the lines and get a pam error about user not know (it is
an AD user which works fine on fedora).
Also, it looks like pam_pkcs11.so is used in smartcard-auth on Fedora.
Don't know if this is relevant or not.
On Thu, Sep 28, 2017 at 11:40 AM, Sumit Bose via FreeIPA-users <
> On Thu, Sep 28, 2017 at 11:29:27AM -0400, Steve Weeks via FreeIPA-users
> > We have smartcards (PIV) working just fine on Fedora 25 with FreeIPA
> > version 4.4.4 (SSSD 1.14.2). However on Ubuntu 16.04, FreeIPA client
> > 4.3.1, SSSD 1.13.4 the smartcard seems to be ignored.
> > The smartcard is readable using pkcs11-tools and pkcs15-tools on both
> > systems.
> > On both systems sssd.conf contains:
> > [pam]
> > pam_cert_auth = True
> > I've turned the sssd logging up to 9 on both systems and it looks like
> > p11_child is never called on the Ubuntu system. On the Ubuntu system
> > p11_child.log is empty and there is no sign of it being started in the
> > sssd_pam.log.
> > Any suggestions on what I should look at next?
> How does your PAM configuration looks like? You have to make sure that
> pam_sss.so is the first module called for SSSD users. If pam_unix comes
> first it will ask for a Password and pass it on to pam_sss.so which will
> try password authentication in this case.
> > Thanks,
> > Steve
> > _______________________________________________
> > FreeIPA-users mailing list -- firstname.lastname@example.org
> > To unsubscribe send an email to freeipa-users-leave@lists.
> FreeIPA-users mailing list -- email@example.com
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
FreeIPA-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org