---- Sumit Bose <sb...@redhat.com> wrote: 
> On Fri, Feb 03, 2017 at 09:33:13AM +0100, Sumit Bose wrote:
> On Thu, Feb 02, 2017 at 11:03:28AM -0800, spammewo...@cox.net wrote:
> > I am running an IPA server (4.4.0) on RHEL 7.3 which is integrated with a
> > Windows Active Directory server. I am trying to configure the IPA server
> > to allow the Active Directory Users to log into Gnome with a CAC smart
> > card. I’m having a hard time finding any instructions on how to do this.
> > The problem I’m having is the Common Name from the smart card is not
> > getting associated with the Active Directory account. I added the
> > certificate from the smart card to the IPA server by creating a User ID
> > override for the AD user account. I made sure to not use authconfig to
> > configure smart cards and I added ifp to the services line in the sssd.conf
> > file.
> > 
> > I have the following packages installed:
> > ipa-admintools.noarch   4.4.0-14.el7_3.4
> > ipa-client.x86_64   4.4.0-14.el7_3.4
> > ipa-client-common.noarch   4.4.0-14.el7_3.4
> > ipa-common.noarch   4.4.0-14.el7_3.4
> > ipa-python-compat.noarch   4.4.0-14.el7_3.4
> > ipa-server.x86_64   4.4.0-14.el7_3.4
> > ipa-server-common.noarch   4.4.0-14.el7_3.4
> > ipa-server-dns.noarch  4.4.0-14.el7_3.4
> > ipa-server-trust-ad.x86_64  4.4.0-14.el7_3.4
> > 
> > I can log in with AD user accounts that are configured with UserName and
> > Passwords, so I know that the integration is working. When I try to log
> > into GDM with my smart card, I don’t get prompted for a PIN number. It
> > only asks for the password from the AD account.
> 
> Please have a look at the steps described in
> https://bugzilla.redhat.com/show_bug.cgi?id=1300420#c9 . Please let me
> know if you run into issues.

Please also check if you followed the steps in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/smart-cards.html

HTH

bye,
Sumit

-- 
Hello Sumit,
I followed the instructions in comment #9. I modified the
/etc/pam.d/smartcard-auth file and the two files that are under
/etc/dconf/db/distro.d/. But it still doesn't work. GDM will prompt me for
a password, not the PIN, when I plug in the smart card. Do I need to run
"authconfig --enablesmartcard --smartcardmodule=no_module --update" before I
change the files? Should I remove pam_pkcs11 too? I have been able to
get AD smart card login working using standard authconfig, pam_pkcs11, and the
cn_map. I just don't want to use the cn_map file and have to list all of my
users' "Common Names" in this file.

