Back in March I contacted the mailing list in regard to a problem I was having with smartcards and screen locking. At that time I was provided a patch to implement to lock the screen when the smartcard was removed and it worked well. Today it looks like the patch may have made its way to the repo and I am starting to see some issues occuring on my test machines. When the smartcard is inserted into the reader a message flashes on the screen "That didn't work. Please try again." Also, it doesn't seem to prompt for a pin for the smartcard. It just shows the password field. Unfortunately, the logs didn't reveal much, I may need to tweak the debug level if more information is needed.

I grabbed the files from

I had to modify the smartcard-auth file to the following:

auth        required
auth        sufficient allow_missing_name
#auth [success=done ignore=ignore default=die] nodebug wait_for_card
auth        required

account     required
account     sufficient
account     sufficient uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required

#password    required

session     optional revoke
session     required
-session     optional
session [success=1 default=ignore] service in crond quiet use_uid
session     required
session     optional

The dconf file /etc/dconf/db/distro.d/10-authconfig


and /etc/dconf/db/distro.d/locks/10-authconfig-locks


I'm currently running the following:

 * Scientific Linux 7.2 64bit
 * 4.2.0-15.sl7_2.17
 * GDM 3.14.2
 * GNOME Shell 3.14.4

Hopefully, I have given you enough information to work the problem. Have there been changes to the way freeIPA is configured for smartcard use?

*Michael Rainey*

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to