On Fri, Jun 21, 2019 at 01:14:33AM -0000, Boyd Ako via FreeIPA-users wrote:
> So, I created a Red Hat ticket to assist and the support is pretty
> non-productive.
>
> I have a RHEL 7 "Workstation" setup as an IPA client that most of the time
> works. However, there are occasions when the screen locks out due to
> inactivity that I can't log back in. Most of the time it occurs when I use
> smartcard x.509 to login; but it also occasionally happens when I use password
> to login initially. It's not very consistent on the failures. The only way to
> login AFTER that is to annoyingly reboot or console in as root and start a
> kerberos session.
>
> The IPA server is using an external CA. On the client, the CA certs on the
> smartcard are in /etc/pki/nssdb. The chain is Root CA -> ID Intermediate CA
> -> x.509 cert on token. All the CAs are external. The token cert did
> validate when using the Root CA and ID CA certs tacked together for the
> CAfile in `openssl verify`. I added the following to the sssd.conf:
>
> ===============================
> [domain/mydomain.com]
> debug_level = 8
> account_cache_expiration = 5
> entry_cache_timeout = 28800
>
> [pam]
> debug_level = 8
> offline_credentials_expiration = 5
> ===============================

Hi,

did you add logs with debug_level=8 to the case you have mentioned? If yes,
please let me know the case number so that I can have a look. If not, please
send the logs. If you prefer to not share them on this list feel free to send
them to me directly.

bye,
Sumit

>
> "pam_cert_auth = True" is in the PAM sect. I did run the script from the
> `ipa-advise` client-smart_card_script.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org