In all cases on both systems pam_unix comes before pam_sss.  For example, in
Fedora system-auth it is:

auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass

and in Ubuntu common-auth it is:

auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass

I tried reversing the lines and got a PAM error about the user not being
known (it is an AD user which works fine on Fedora).

Also, it looks like pam_pkcs11.so is used in smartcard-auth on Fedora.
Don't know if this is relevant or not.

Steve


On Thu, Sep 28, 2017 at 11:40 AM, Sumit Bose via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> On Thu, Sep 28, 2017 at 11:29:27AM -0400, Steve Weeks via FreeIPA-users wrote:
> > We have smartcards (PIV) working just fine on Fedora 25 with FreeIPA
> client
> > version 4.4.4 (SSSD 1.14.2).  However on Ubuntu 16.04, FreeIPA client
> > 4.3.1, SSSD 1.13.4 the smartcard seems to be ignored.
> >
> > The smartcard is readable using pkcs11-tools and pkcs15-tools on both
> > systems.
> >
> > On both systems sssd.conf contains:
> > [pam]
> > pam_cert_auth = True
> >
> > I've turned the sssd logging up to 9 on both systems and it looks like
> > p11_child is never called on the Ubuntu system.  On the Ubuntu system
> > p11_child.log is empty and there is no sign of it being started in the
> > sssd_pam.log.
> >
> > Any suggestions on what I should look at next?
>
> What does your PAM configuration look like? You have to make sure that
> pam_sss.so is the first module called for SSSD users. If pam_unix comes
> first it will ask for a password and pass it on to pam_sss.so, which will
> try password authentication in this case.
>
> HTH
>
> bye,
> Sumit
>
> >
> > Thanks,
> > Steve
>
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
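As an added example, not taken from the thread or from the SSSD or FreeIPA projects: a small POSIX shell check that reports which of pam_unix.so and pam_sss.so the auth stack consults first, which is the ordering Sumit's reply turns on. The sample configuration text is constructed from the Ubuntu common-auth lines Steve quoted (the two trailing pam_deny/pam_permit lines are constructed as well), and the function names auth_position and check_sss_first are assumptions of this example. It only reports the order; as Steve notes, simply swapping the two lines is not by itself a working fix.

```shell
#!/bin/sh
# Added example (not from the thread or from SSSD/FreeIPA): report which of
# pam_unix.so and pam_sss.so the "auth" stack consults first.
# Caveat: only plain "auth" lines are inspected; "include"/"substack"
# directives are not followed, so run it on the file that holds the stack.

# Constructed sample: the Ubuntu common-auth lines quoted in the thread plus
# two constructed trailing lines of the kind such a file normally ends with.
SAMPLE_COMMON_AUTH='auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so'

# auth_position MODULE   (PAM config text on stdin)
# Prints the 1-based index of the first "auth" line loading MODULE, 0 if none.
# Comment and blank lines are skipped and do not count toward the index.
auth_position() {
    awk -v mod="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "auth" {
            n++
            for (i = 2; i <= NF; i++)
                if ($i == mod) { print n; found = 1; exit }
        }
        END { if (!found) print 0 }'
}

# check_sss_first   (PAM config text on stdin)
# Exit 0 when pam_sss.so runs before pam_unix.so (or pam_unix.so is absent),
# exit 1 otherwise; one line of explanation is printed either way.
check_sss_first() {
    cfg=$(cat)
    pos_sss=$(printf '%s\n' "$cfg" | auth_position pam_sss.so)
    pos_unix=$(printf '%s\n' "$cfg" | auth_position pam_unix.so)
    if [ "$pos_sss" -eq 0 ]; then
        echo "pam_sss.so is not in the auth stack"
        return 1
    fi
    if [ "$pos_unix" -eq 0 ] || [ "$pos_sss" -lt "$pos_unix" ]; then
        echo "ok: pam_sss.so (auth #$pos_sss) runs before pam_unix.so"
        return 0
    fi
    echo "pam_unix.so (auth #$pos_unix) runs before pam_sss.so (auth #$pos_sss)"
    return 1
}

# Demo on the constructed sample; it reports that pam_unix.so comes first.
printf '%s\n' "$SAMPLE_COMMON_AUTH" | check_sss_first || :
```

After sourcing the script, run it against a real file with `check_sss_first < /etc/pam.d/common-auth`. The check stays at the level the thread discusses (module order in the auth stack) and does not interpret the jump counts in the `[success=N ...]` control fields, so a stack that relies on jumps to skip pam_sss.so still needs to be read by hand.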