On Fri, Mar 18, 2016 at 10:53:08AM -0500, Michael Rainey (Contractor) wrote:
> Hi Sumit,
> It has been a week and I am following up with you on the lock screen issue.
> Have you had any progress? If so, I am hoping implementing the fix will be
> quick and easy.
Thank you for your patience. Please find a test build for RHEL/CentOS
7.2 at https://koji.fedoraproject.org/koji/taskinfo?taskID=13412048 .
Besides the updated version of SSSD you should replace
======== /etc/pam.d/smartcard-auth =========
auth required pam_env.so
auth sufficient pam_sss.so allow_missing_name
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
session required pam_unix.so
session optional pam_sss.so
===== /etc/dconf/db/distro.d/10-authconfig =====
====== /etc/dconf/db/distro.d/locks/10-authconfig-locks ===
and call 'dconf update' to get the new setting loaded. Finally it might
be a good idea to restart gdm to make sure the new setting and PAM
configuration is really active although I would expect that gdm is able
to pick up the changes at run-time.
Any feedback, good or bad, is welcome.
> *Michael Rainey*
> On 03/11/2016 02:32 AM, Sumit Bose wrote:
> >On Thu, Mar 10, 2016 at 01:36:15PM -0600, Michael Rainey (Contractor) wrote:
> >>I have been adding systems to my new domain and utilizing the smart card
> >>login feature. To date the smart card login feature is working very well.
> >>However, my group has been trying to implement locking the screen when the
> >>smart card is removed, but have not been successful at making it work. Does
> >>anyone have any suggestions as to what it would take to enable locking the
> >>screen when the smart card is removed?
> >This requires a better integration with gdm which is currently WIP
> >(https://fedorahosted.org/sssd/ticket/2941). If you don't mind please
> >ping me in about a week about this again, then I might have done some
> >more testing.
> >>Thank you in advance.
> >>*Michael Rainey*
> >>Manage your subscription for the Freeipa-users mailing list:
> >>Go to http://freeipa.org for more info on the project
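An added example, not part of the original message or of SSSD: a small check that an installed /etc/pam.d/smartcard-auth matches the auth stack posted above, i.e. that pam_sss.so carries allow_missing_name and that the auth stack ends in a required pam_deny.so. The function names parse_pam and check_smartcard_auth are hypothetical, and the sample text is constructed from the lines in the message.

```python
import re

# Constructed sample: a subset of the smartcard-auth stack posted in the message.
SAMPLE = """\
auth required pam_env.so
auth sufficient pam_sss.so allow_missing_name
auth required pam_deny.so
account required pam_unix.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
"""

# type (optional leading '-'), control (keyword or [bracketed list]), module, args
LINE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return a list of rule dicts for one PAM service file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        silent, mtype, control, module, args = m.groups()
        rules.append({"type": mtype, "control": control, "module": module,
                      "args": args.split(), "silent": bool(silent)})
    return rules

def check_smartcard_auth(rules):
    """Return a list of findings; empty means the auth stack matches the post."""
    findings = []
    auth = [r for r in rules if r["type"] == "auth"]
    sss = [r for r in auth if r["module"] == "pam_sss.so"]
    if not sss:
        findings.append("no pam_sss.so in auth stack")
    elif not any("allow_missing_name" in r["args"] for r in sss):
        findings.append("pam_sss.so lacks allow_missing_name")
    # Fail closed: a failed 'sufficient' module is ignored, so the stack
    # must end with a rule that denies when nothing above succeeded.
    last = auth[-1] if auth else None
    if not last or last["module"] != "pam_deny.so" \
            or last["control"] not in ("required", "requisite"):
        findings.append("auth stack does not end in required pam_deny.so")
    return findings
```

To check a live system, pass the contents of /etc/pam.d/smartcard-auth to parse_pam and review any findings before restarting gdm.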