---- Sumit Bose <sb...@redhat.com> wrote: 
> On Fri, Feb 03, 2017 at 09:33:13AM +0100, Sumit Bose wrote:
> On Thu, Feb 02, 2017 at 11:03:28AM -0800, spammewo...@cox.net wrote:
> > I am running an IPA server (4.4.0) on RHEL 7.3 which is integrated with a 
> > Windows Active Directory server.   I am trying to configure the IPA server 
> > to allow the Active Directory Users to log into Gnome with a CAC smart 
> > card.  I’m having a hard time finding any instructions on how to do this.  
> > The problem I’m having is the Common Name from the smart card is not 
> > getting associated with the Active Directory account.  I added the 
> > certificate from the smart card to the IPA server by creating a User ID 
> > override for the AD user account.  I made sure to not use authconfig to 
> > configure smart cards and I added ifp to the services line in the sssd.conf 
> > file.
> > 
> > I have the following packages installed:
> > ipa-admintools.noarch   4.4.0-14.el7_3.4                                    
> >                 
> > ipa-client.x86_64   4.4.0-14.el7_3.4                                        
> >                 
> > ipa-client-common.noarch   4.4.0-14.el7_3.4                                 
> >               
> > ipa-common.noarch   4.4.0-14.el7_3.4                                        
> >           
> > ipa-python-compat.noarch   4.4.0-14.el7_3.4                                 
> >                 
> > ipa-server.x86_64   4.4.0-14.el7_3.4                                        
> >                 
> > ipa-server-common.noarch   4.4.0-14.el7_3.4                                 
> >                 
> > ipa-server-dns.noarch  4.4.0-14.el7_3.4
> > ipa-server-trust-ad.x86_64  4.4.0-14.el7_3.4
> > 
> > I can log in with AD user accounts that are configured with UserName and 
> > Passswords, so I know that the integration is working.   When I try to log 
> > into GDM with my smart card,  I don’t get prompted for a PIN number.  It 
> > only asks for the password from the AD account.   
> Please have a look at the steps described in
> https://bugzilla.redhat.com/show_bug.cgi?id=1300420#c9 . Please let me
> know if you run into issues.

Please also check if you followed the steps in



Hello Sumit,
I followed the instructions in comment #9.    I modified the 
/etc/pam.d/smartcard-auth file and the two files that are under 
/etc/dconf/db/distro.d/.   But it still doesn't work.   GDM will prompt me for 
a password not the PIN when I plug in the smart card.    Do I need to run 
"authconfig --enablesmartcard --smartcardmodule=no_module --update" before I 
change the files ?    Should I remove pam_pkcs11 too ?    I have been able to 
get AD smart card login working using standard authconfig, pam_pkcs11, and the 
cn_map.    I just don't want to use the cn_map file and have to list all of my 
user's "Common Names" in this file.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to