On Thu, Feb 02, 2017 at 11:03:28AM -0800, spammewo...@cox.net wrote:
> I am running an IPA server (4.4.0) on RHEL 7.3 which is integrated with a 
> Windows Active Directory server.   I am trying to configure the IPA server to 
> allow the Active Directory Users to log into Gnome with a CAC smart card.  
> I’m having a hard time finding any instructions on how to do this.  The 
> problem I’m having is the Common Name from the smart card is not getting 
> associated with the Active Directory account.  I added the certificate from 
> the smart card to the IPA server by creating a User ID override for the AD 
> user account.  I made sure to not use authconfig to configure smart cards and 
> I added ifp to the services line in the sssd.conf file.
> 
> I have the following packages installed:
> ipa-admintools.noarch        4.4.0-14.el7_3.4
> ipa-client.x86_64            4.4.0-14.el7_3.4
> ipa-client-common.noarch     4.4.0-14.el7_3.4
> ipa-common.noarch            4.4.0-14.el7_3.4
> ipa-python-compat.noarch     4.4.0-14.el7_3.4
> ipa-server.x86_64            4.4.0-14.el7_3.4
> ipa-server-common.noarch     4.4.0-14.el7_3.4
> ipa-server-dns.noarch        4.4.0-14.el7_3.4
> ipa-server-trust-ad.x86_64   4.4.0-14.el7_3.4
> 
> I can log in with AD user accounts that are configured with UserName and
> Passwords, so I know that the integration is working. When I try to log
> into GDM with my smart card, I don’t get prompted for a PIN number. It only
> asks for the password from the AD account.

Please have a look at the steps described in
https://bugzilla.redhat.com/show_bug.cgi?id=1300420#c9 . Please let me
know if you run into issues.

HTH

bye,
Sumit

> 
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
