Greetings,

I have been working on an issue with smart card logins on a Fedora 25 system. For a short time smart card logins have been working well, but suddenly the login process has suddenly stopped working. I have verified that all appropriate certificates are installed, checked my dconf configuration, checked my PAM files, and reviewed the logs. I have noticed a few issues, but changing them to match my SL7 systems did not resolve the problem.


My observation has been with my PAM files and authconfig. I have noticed that when an update occurs, authconfig will run changing my PAM files. Has IPA been integrated with authconfig or do I still need to keep the options in authconfig largely disabled and manually modify my PAM files?

System Information:

------------------------------------------------------------------------
Package:
freeipa-client.x86_64    4.4.3-2.fc25

PAM:
-------------------------------------
smartcard-auth-ac
-------------------------------------
auth        required      pam_env.so
auth        sufficient    pam_sss.so allow_missing_name
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so


session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

-------------------------------------
password-auth-ac
-------------------------------------
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

-------------------------------------
DCONF: org.gnome.login-screen
-------------------------------------
org.gnome.login-screen fallback-logo ''
org.gnome.login-screen disable-user-list false
org.gnome.login-screen allowed-failures 3
org.gnome.login-screen enable-smartcard-authentication true
org.gnome.login-screen banner-message-enable false
org.gnome.login-screen enable-password-authentication true
org.gnome.login-screen disable-restart-buttons false
org.gnome.login-screen logo '/usr/share/pixmaps/fedora-gdm-logo.png'
org.gnome.login-screen enable-fingerprint-authentication true
org.gnome.login-screen banner-message-text ''

--
*Michael Rainey*
Network Representative
Naval Research Latoratory, Code 7320
Building 1009, Room C156
Stennis Space Center, MS 39529

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to