Re: [Freeipa-users] Lock screen when Smart Card is removed.

2016-03-24 Thread Michael Rainey (Contractor)

Hi Sumit,

Your test packages and configuration changes are working very well. I 
see no issues with the two machines on which the fixes were applied.  
The two systems are running Scientific Linux 7.2 and CentOS 7.2.  I will 
continue to perform more tests to see if there are any issues.


I do have another question to ask you in the meantime.  The question was 
asked, "How long would it take for these changes to make their way into 
the current repos?"  Do you think it will take a few weeks, or will we 
need to wait for the next point release?  We are just trying to 
determine how to proceed in rolling out the packages.


Thanks again,

*Michael Rainey*


Re: [Freeipa-users] Lock screen when Smart Card is removed.

2016-03-24 Thread Sumit Bose
On Wed, Mar 23, 2016 at 12:25:50PM -0500, Michael Rainey (Contractor) wrote:
> Hi Sumit,
> 
> I've been trying to download the rpm via the Koji client and have been unable to
> locate the package.  Are there any extra steps I need to complete before I can
> find the package, such as creating an account in the Fedora Build System?
> Performing a general search for SSSD only returns a list of packages from
> Fedora Projects and nothing from the EL repo.

The link I sent is the meta link for the different supported platforms
(x86_64, ppc64 and ppc64le). If you select the link for x86_64 you
should be able to see download links for the x86_64 packages.

Nevertheless I created a new build
http://koji.fedoraproject.org/koji/taskinfo?taskID=13446490 to fix some
issue with the package version number in the previous build. The x86_64
packages can be found at
http://koji.fedoraproject.org/koji/taskinfo?taskID=13446491 . To make
the download easy you can try the following command:

curl http://koji.fedoraproject.org/koji/taskinfo?taskID=13446491 | grep -o '"https://.*.rpm"' | xargs -n 1 curl -L -O

HTH

bye,
Sumit

> 
> Thanks,
> 
> *Michael Rainey*
> NRL 7320
> Computer Support Group
> Building 1009, Room C156
> Stennis Space Center, MS 39529

Re: [Freeipa-users] Lock screen when Smart Card is removed.

2016-03-23 Thread Michael Rainey (Contractor)

Hi Sumit,

I've been trying to download the rpm via the Koji client and have been unable 
to locate the package.  Are there any extra steps I need to complete before 
I can find the package, such as creating an account in the Fedora Build 
System?  Performing a general search for SSSD only returns a list of 
packages from Fedora Projects and nothing from the EL repo.


Thanks,

*Michael Rainey*
NRL 7320
Computer Support Group
Building 1009, Room C156
Stennis Space Center, MS 39529


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Lock screen when Smart Card is removed.

2016-03-22 Thread Sumit Bose
On Fri, Mar 18, 2016 at 10:53:08AM -0500, Michael Rainey (Contractor) wrote:
> Hi Sumit,
> 
> It has been a week and I am following up with you on the lock screen issue.
> Have you had any progress?  If so, I am hoping implementing the fix will be
> quick and easy.

Thank you for your patience. Please find a test build for RHEL/CentOS
7.2 at https://koji.fedoraproject.org/koji/taskinfo?taskID=13412048 .

Besides the updated version of SSSD you should replace
/etc/pam.d/smartcard-auth with

==== /etc/pam.d/smartcard-auth ====
auth        required      pam_env.so
auth        sufficient    pam_sss.so allow_missing_name
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
====

and /etc/dconf/db/distro.d/10-authconfig

==== /etc/dconf/db/distro.d/10-authconfig ====
[org/gnome/login-screen]
enable-fingerprint-authentication=false

[org/gnome/settings-daemon/peripherals/smartcard]
removal-action='lock-screen'
====

and /etc/dconf/db/distro.d/locks/10-authconfig-locks

==== /etc/dconf/db/distro.d/locks/10-authconfig-locks ====
/org/gnome/login-screen/enable-fingerprint-authentication
/org/gnome/settings-daemon/peripherals/smartcard
====

and call 'dconf update' to get the new setting loaded. Finally it might
be a good idea to restart gdm to make sure the new setting and PAM
configuration is really active although I would expect that gdm is able
to pick up the changes at run-time.

Any feedback, good or bad, is welcome.

bye,
Sumit
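
A check for the three files described in the message above, as an added example that is not part of the original post and not SSSD or authconfig code. The function names are hypothetical, the sample files are constructed, and accepting a parent path in the locks file is an assumption taken from the lock file shown in the message.

```shell
#!/bin/sh
# Added example (not from the thread): audit the PAM file, the dconf keyfile
# and the dconf locks file that the message says to install.
SC_DIR="org/gnome/settings-daemon/peripherals/smartcard"

# PAM: the auth stack must call pam_sss.so with allow_missing_name.
# A run-together line such as "authsufficientpam_sss.so" does not count.
check_pam_auth() {
    awk '$1 == "auth" && /pam_sss\.so/ && /allow_missing_name/ { ok = 1 }
         END { exit !ok }' "$1"
}

# dconf keyfile: removal-action must be 'lock-screen' inside the smartcard
# section, not in some other section of the same file.
check_dconf_key() {
    awk -v want="[$SC_DIR]" '
        /^\[/ { in_sec = ($0 == want) }
        in_sec && /^removal-action[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); val = $0 }
        END { exit (val != "\047lock-screen\047") }' "$1"
}

# dconf locks: some line must name the key itself or a parent path of it
# (assumption: the message lists the parent path, so that form is accepted).
check_dconf_lock() {
    awk -v key="/$SC_DIR/removal-action" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { p = $1; sub(/\/$/, "", p)
          if (key == p || index(key, p "/") == 1) ok = 1 }
        END { exit !ok }' "$1"
}

# Returns the number of failed checks (0 means all three files match).
audit_smartcard_lock() {   # args: pam-file keyfile locks-file
    fails=0
    check_pam_auth "$1"   || { echo "FAIL: no auth pam_sss.so allow_missing_name in $1"; fails=$((fails + 1)); }
    check_dconf_key "$2"  || { echo "FAIL: removal-action is not 'lock-screen' in $2"; fails=$((fails + 1)); }
    check_dconf_lock "$3" || { echo "FAIL: removal-action is not locked in $3"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: smart card removal locks the screen and the setting is locked"
    return "$fails"
}

# Dry run on constructed sample files (not taken from a real host).
demo_constructed() {
    d=$(mktemp -d)
    printf '%s\n' 'auth required pam_env.so' \
        'auth sufficient pam_sss.so allow_missing_name' \
        'auth required pam_deny.so' > "$d/smartcard-auth"
    printf '%s\n' "[$SC_DIR]" "removal-action='lock-screen'" > "$d/10-authconfig"
    printf '%s\n' "/$SC_DIR" > "$d/10-authconfig-locks"
    rc=0
    audit_smartcard_lock "$d/smartcard-auth" "$d/10-authconfig" \
        "$d/10-authconfig-locks" || rc=$?
    rm -rf "$d"
    return "$rc"
}
demo_constructed
```

On a host, call `audit_smartcard_lock /etc/pam.d/smartcard-auth /etc/dconf/db/distro.d/10-authconfig /etc/dconf/db/distro.d/locks/10-authconfig-locks`. It reads the source files only, so it does not show whether 'dconf update' has been run since they changed.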



Re: [Freeipa-users] Lock screen when Smart Card is removed.

2016-03-11 Thread Sumit Bose
On Fri, Mar 11, 2016 at 09:20:06AM +0100, Martin Kosek wrote:
> On 03/10/2016 08:36 PM, Michael Rainey (Contractor) wrote:
> > Greetings,
> > 
> > I have been adding systems to my new domain and utilizing the smart card login
> > feature.  To date the smart card login feature is working very well.  However,
> > my group has been trying to implement locking the screen when the smart card is
> > removed, but have not been successful at making it work.  Does anyone have any
> > suggestions as to what it would take to enable locking the screen when the
> > smart card is removed.
> > 
> > Thank you in advance.
> 
> Hi Michael,
> 
> What system are you using? For Fedora/RHEL like systems, there is authconfig
> that can set this up in PAM (--smartcardaction=0):
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards-cmd

authconfig will currently configure Smartcard authentication based on
pam_pkcs11 and pam_krb5. It is not recommended to use it if you want to
use Smartcard authentication with SSSD.

bye,
Sumit

> 
> HTH,
> Martin
> 


Re: [Freeipa-users] Lock screen when Smart Card is removed.

2016-03-11 Thread Sumit Bose
On Thu, Mar 10, 2016 at 01:36:15PM -0600, Michael Rainey (Contractor) wrote:
> Greetings,
> 
> I have been adding systems to my new domain and utilizing the smart card
> login feature.  To date the smart card login feature is working very well.
> However, my group has been trying to implement locking the screen when the
> smart card is removed, but have not been successful at making it work.  Does
> anyone have any suggestions as to what it would take to enable locking the
> screen when the smart card is removed.

This requires a better integration with gdm which is currently WIP
(https://fedorahosted.org/sssd/ticket/2941). If you don't mind please
ping me in about a week about this again, then I might have done some
more testing.

bye,
Sumit

> 
> Thank you in advance.
> -- 
> *Michael Rainey*



Re: [Freeipa-users] Lock screen when Smart Card is removed.

2016-03-11 Thread Martin Kosek
On 03/10/2016 08:36 PM, Michael Rainey (Contractor) wrote:
> Greetings,
> 
> I have been adding systems to my new domain and utilizing the smart card login
> feature.  To date the smart card login feature is working very well.  However,
> my group has been trying to implement locking the screen when the smart card is
> removed, but have not been successful at making it work.  Does anyone have any
> suggestions as to what it would take to enable locking the screen when the
> smart card is removed.
> 
> Thank you in advance.

Hi Michael,

What system are you using? For Fedora/RHEL like systems, there is authconfig
that can set this up in PAM (--smartcardaction=0):

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards-cmd

HTH,
Martin



[Freeipa-users] Lock screen when Smart Card is removed.

2016-03-10 Thread Michael Rainey (Contractor)

Greetings,

I have been adding systems to my new domain and utilizing the smart card 
login feature.  To date the smart card login feature is working very 
well.  However, my group has been trying to implement locking the screen 
when the smart card is removed, but have not been successful at making 
it work.  Does anyone have any suggestions as to what it would take to 
enable locking the screen when the smart card is removed.


Thank you in advance.
--
*Michael Rainey*