Greetings,

Back in March I contacted the mailing list in regard to a problem I was having with smartcards and screen locking. At that time I was provided a patch to implement to lock the screen when the smartcard was removed and it worked well. Today it looks like the patch may have made its way to the repo and I am starting to see some issues occuring on my test machines. When the smartcard is inserted into the reader a message flashes on the screen "That didn't work. Please try again." Also, it doesn't seem to prompt for a pin for the smartcard. It just shows the password field. Unfortunately, the logs didn't reveal much, I may need to tweak the debug level if more information is needed.


I grabbed the files from https://koji.fedoraproject.org/koji/taskinfo?taskID=13412048

I had to modify the smartcard-auth file to the following:

auth        required      pam_env.so
auth        sufficient    pam_sss.so allow_missing_name
#auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

#password    required      pam_pkcs11.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

The dconf file /etc/dconf/db/distro.d/10-authconfig

[org/gnome/login-screen]
enable-fingerprint-authentication=false

and /etc/dconf/db/distro.d/locks/10-authconfig-locks

/org/gnome/login-screen/enable-fingerprint-authentication

I'm currently running the following:

 * Scientific Linux 7.2 64bit
 * 4.2.0-15.sl7_2.17
 * GDM 3.14.2
 * GNOME Shell 3.14.4

Hopefully, I have given you enough information to work the problem. Have there been changes to the way freeIPA is configured for smartcard use?

Sincerely,
--
*Michael Rainey*

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to