On Thu, Nov 14, 2024 at 01:47:17PM +0100, Winfried de Heiden via FreeIPA-users wrote:
> Hi all,
>
> I'm trying to get SmartCard authentication working. Using an "Aventra MyEID
> PKI card" it all looks promising, the card is recognized, a private key and
> FreeIPA signed cert is added to the card.
> However, I cannot get sssd authentication to work.
>
> After "systemctl (re)start sssd.service" and a "sudo -l" it will take quite
> a long time before the password prompt will show up, NOT the smartcard PIN
> prompt.
> Afterwards, searching the sss cache:
>
> ldbsearch -H /var/lib/sss/db/cache_blabla.bla.ldb [email protected] |
> grep -i auth
> lastOnlineAuth: 1731586997
> ~
>
> Strangely, stopping sssd (systemctl stop sssd) and running sssd, as user
> root, in the foreground (sssd -i -d3) it will work and sudo -l will ask for
> the Smart Card PIN.
> Afterwards, searching the sss cache:
> ldbsearch -H /var/lib/sss/db/cache_blabla.bla.ldb [email protected] |
> grep -i auth
>
> localSmartcardAuth: TRUE
> localPasskeyAuth: FALSE
> ~
>
> Hence, it seems the smartcard and sssd are working but only sssd running in
> the foreground! Rebooting the server, login to the console, stopping sssd
> and running "sssd -i -d3" it all works perfectly: GDM login, sudo...
> What could be causing this problem?

Hi,

it would be good if you can send SSSD debug logs with `debug_level = 9` in
the [pam] and [domain/...] section covering an authentication attempt when
SSSD was started normally via systemctl.

bye,
Sumit

>
> FYI:
> - Tested on RHEL 9.4 and Alma 9.4
>
> - Thinkpad P14S with Alcor Micro Corp. AU9540 Smartcard Reader
>
> - MyEID 4.5 PKI card
>
> - SELinux Enforcing/Permissive: no difference
>
>
> Kind regards,
>
> Winfried
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
