On Tue, Feb 02, 2016 at 01:42:35PM -0600, Michael Rainey (Contractor) wrote:
> Okay. I haven't been able to get around this issue. I can log using my
> username, my card is recognized by GDM and reads the card as expected, but I
> am unable to login using my smartcard. From what I can see in the logs the
> common name on my card doesn't match the username on my test account.
>
> Feb 2 13:00:05 cabildo gdm-smartcard]: pam_krb5[5152]: error resolving user
> name '<SC-CommonName>' to uid/gid pair
> Feb 2 13:00:05 cabildo gdm-smartcard]: pam_krb5[5152]: error getting
> information about '<SC-CommonName>
> Feb 2 13:00:06 cabildo gdm-smartcard]: pam_unix(gdm-smartcard:account):
> could not identify user (from getpwnam(<SC-CommonName>))
> Feb 2 13:00:06 cabildo gdm-smartcard]: pam_sss(gdm-smartcard:account):
> Access denied for user <SC-CommonName>: 10 (User not known to the underlying
> authentication module)
> Feb 2 13:00:06 cabildo gdm-smartcard]: pam_krb5[5152]: error resolving user
> name '<SC-CommonName>' to uid/gid pair
> Feb 2 13:00:13 cabildo gdm-smartcard]: pam_pkcs11(gdm-smartcard:auth):
> pam_get_pwd() failed: Conversation error

Your pam configuration is wrong. I assume you used authconfig with the
--enablesmartcard option. This will enable the "classical" Smartcard
authentication scheme with pam_pkcs11 and pam_krb which out of the box
won't work with FreeIPA.

Please try to roll-back to a default PAM configuration with the
--disablesmartcard option. After that gdm will hopefully use
gdm-password instead of gdm-smartcard and let SSSD do the rest.

HTH

bye,
Sumit

>
> Where do I go from here?
>
> *Michael Rainey*
> NRL 7320
> Computer Support Group
> Building 1009, Room C156
> Stennis Space Center, MS 39529
> On 02/02/2016 09:56 AM, Martin Kosek wrote:
> >On 02/02/2016 04:49 PM, Michael Rainey (Contractor) wrote:
> >>Greetings FreeIPA Community,
> >>
> >>I have been testing and working with the smart card login feature of the IPA
> >>server, and have had some successes with this project. However, my latest
> >>server/client setup isn't working as expected. I can see where the problem is
> >>occurring, which is the Common Name on the Card is not being mapped to the
> >>proper attribute on the IPA server. So here's my question: Is there a howto
> >>which explains how and where this mapping occurs? Is this something I can
> >>configure myself, or is it hard coded?
> >At the moment, the Smart Card support present in SSSD looks up the user by
> >searching with a blob containing the whole SC certificate. This BTW means that
> >the certificate needs to be present at user entry in FreeIPA to make sure it
> >matches, no other mapping mechanism is available yet.
> >We have some plans though:
> >
> >http://www.freeipa.org/page/V4/User_Certificates#Certificate_Identity_Mapping
> >
> >If you are interested in HOWTOs, Nathan Kinder put together pretty neat blog
> >posts how to make Smart Card authentication working:
> >
> >http://www.freeipa.org/page/V4/User_Certificates#References
> >
> >HTH,
> >Martin
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
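
A log triage for the symptom discussed in this thread, as an added example that is not part of the original messages and is not FreeIPA or SSSD code: it groups PAM modules by the service that invoked them and flags services running the pam_pkcs11/pam_krb5 stack named in the reply. The sample lines, the `CARD-CN` placeholder and the function name `triage` are constructed for illustration.

```python
import re
from collections import defaultdict

# Modules the reply names as the "classical" smartcard stack
# (it writes "pam_krb"; the quoted log shows the module as pam_krb5).
CLASSICAL = {"pam_pkcs11", "pam_krb5"}
LOOKUP_FAIL = re.compile(r"error resolving user|could not identify user|User not known")

# Handles both "svc]: pam_x(svc:type): msg" and "svc]: pam_x[pid]: msg".
LINE_RE = re.compile(
    r"\s(?P<service>[\w.-]+)(?:\[\d+)?\]?:\s+"
    r"(?P<module>pam_\w+)(?:\([\w.-]+:\w+\)|\[\d+\])?:\s+(?P<msg>.*)$"
)

# Constructed sample, modelled on the log quoted in the thread.
SAMPLE = """\
Feb  2 13:00:05 host gdm-smartcard]: pam_krb5[5152]: error resolving user name 'CARD-CN' to uid/gid pair
Feb  2 13:00:05 host gdm-smartcard]: pam_krb5[5152]: error getting information about 'CARD-CN'
Feb  2 13:00:06 host gdm-smartcard]: pam_unix(gdm-smartcard:account): could not identify user (from getpwnam(CARD-CN))
Feb  2 13:00:06 host gdm-smartcard]: pam_sss(gdm-smartcard:account): Access denied for user CARD-CN: 10 (User not known to the underlying authentication module)
Feb  2 13:00:06 host gdm-smartcard]: pam_krb5[5152]: error resolving user name 'CARD-CN' to uid/gid pair
Feb  2 13:00:13 host gdm-smartcard]: pam_pkcs11(gdm-smartcard:auth): pam_get_pwd() failed: Conversation error
Feb  2 13:05:10 host gdm-password]: pam_sss(gdm-password:auth): authentication success; user=testuser
Feb  2 13:05:11 host systemd[1]: Started Session 3 of user testuser.
"""

def triage(lines):
    """Return (modules per PAM service, services on the classical stack, lookup failures)."""
    modules = defaultdict(set)
    failures = 0
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a PAM module message
        modules[m["service"]].add(m["module"])
        if LOOKUP_FAIL.search(m["msg"]):
            failures += 1  # the name handed to PAM did not resolve to an account
    classical = sorted(s for s, mods in modules.items() if mods & CLASSICAL)
    return dict(modules), classical, failures

if __name__ == "__main__":
    modules, classical, failures = triage(SAMPLE.splitlines())
    for svc in sorted(modules):
        note = "  <- classical smartcard stack" if svc in classical else ""
        print(f"{svc}: {', '.join(sorted(modules[svc]))}{note}")
    print(f"user lookup failures: {failures}")
```

A service that still appears as flagged after rolling back the PAM configuration means the login is not yet being handled by SSSD alone.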
