On Thu, Oct 31, 2019 at 04:38:23PM +0000, Zynda, Bradley V. (GSFC-423.0)[ADNET SYSTEMS INC] wrote:
> Hello,
>
> pam.d/system-auth
>
> auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth
>
> pam.d/smartcard-auth
>
> auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
> auth sufficient pam_sss.so ignore_authinfo_unavail require_cert_auth
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> -session optional pam_systemd.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
>
>
> etc/sssd/sssd.conf
> [sssd]
> services = nss, pam
> domains = files
>
> [nss]
>
> [pam]
> pam_cert_auth = True
> pam_cert_db_path = /etc/sssd/pki/<cert>.pem
> debug_level = 4
>
> [domain/files]
> id_provider = files
>
> [certmap/files/<user>]
> matchrule = <EKU>msScLogin<SUBJECT>^.*,UID=<user>,.*$
>
>
> gdm.d/greeter-login
> enable-smartcard-authentication=true
> enable-fingerprint-authentication=false
> enable-password-authentication=false
>
>
> Reboot and get Card PIN user prompt gdm-login-greeter -> add username and click next
>
> Get prompted for PIN but after a second it just fails and goes back to asking for username.
>
> Has anyone run into this behaviour, suggestions, fix?
Hi,

does it work with other services than gdm, like e.g. the console login or su?

Can you send the SSSD debug logs? You currently have 'debug_level = 4' in the [pam] section. This might help for a start, but it might help to avoid some round-trips if you can set 'debug_level = 9' in the [pam] and [domain/files] sections, restart SSSD and run the login test again before sending the logs.

bye.
Sumit

>
> Seems to be a recurring issue I have seen in +F28, +CentOS7 and +RHEL7,
> basically anything with obsolete coolkey pkcs11 authconfig.
>
> Thanks,
> Brad
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
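The reply above asks for 'debug_level = 9' in the [pam] and [domain/files] sections, an SSSD restart and a fresh login attempt before the logs are sent. The script below is an added example, not code from the thread or from the SSSD project: a section-aware shell helper that edits exactly those two sections of an sssd.conf (replacing an existing debug_level line or appending one where the section has none, leaving every other section alone), plus a hypothetical collect_sssd_logs helper for the restart-reproduce-bundle step. The sample config embedded at the bottom is constructed to mirror the one posted, with its placeholders kept as-is. The log file names under /var/log/sssd (sssd_pam.log, sssd_files.log for the "files" domain, p11_child.log, sssd.log) follow SSSD's per-component naming and are assumed here rather than taken from the thread.

```shell
#!/bin/sh
# Added example, not part of the thread or of SSSD itself.

# set_debug_level FILE SECTION LEVEL
# Replaces the named section's debug_level line, or appends one to that
# section if it has none.  Other sections are left untouched.
set_debug_level() {
    file=$1 section=$2 level=$3
    tmp="$file.tmp"
    awk -v sec="[$section]" -v lvl="$level" '
        /^[[:space:]]*\[/ {
            # Leaving the target section without having seen debug_level:
            # add one just before the next section header.
            if (in_sec && !seen) print "debug_level = " lvl
            hdr = $0; gsub(/[[:space:]]/, "", hdr)
            in_sec = (hdr == sec); seen = 0
        }
        in_sec && /^[[:space:]]*debug_level[[:space:]]*=/ {
            print "debug_level = " lvl; seen = 1; next
        }
        { print }
        END { if (in_sec && !seen) print "debug_level = " lvl }
    ' "$file" > "$tmp" || return 1
    # SSSD refuses to start unless sssd.conf stays 0600 root:root, so write
    # back through the existing inode instead of mv'ing a fresh file over it.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_debug_level FILE SECTION  -> prints the section's value, or nothing if unset
get_debug_level() {
    awk -v sec="[$2]" '
        /^[[:space:]]*\[/ { hdr = $0; gsub(/[[:space:]]/, "", hdr); in_sec = (hdr == sec) }
        in_sec && /^[[:space:]]*debug_level[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }' "$1"
}

# Hypothetical helper (assumed log names): after editing the real
# /etc/sssd/sssd.conf as root, restart SSSD, reproduce the failing login
# through gdm and through a console "su - <user>", then bundle the logs.
collect_sssd_logs() {
    systemctl restart sssd || return 1
    printf 'Reproduce the failing login now, then press Enter: '
    read _
    tar czf /tmp/sssd-debug-logs.tgz \
        /var/log/sssd/sssd_pam.log /var/log/sssd/sssd_files.log \
        /var/log/sssd/p11_child.log /var/log/sssd/sssd.log
}

# Constructed sample mirroring the posted config (placeholders kept as-is).
sample_conf=$(mktemp) || exit 1
cat > "$sample_conf" <<'EOF'
[sssd]
services = nss, pam
domains = files

[nss]

[pam]
pam_cert_auth = True
pam_cert_db_path = /etc/sssd/pki/<cert>.pem
debug_level = 4

[domain/files]
id_provider = files

[certmap/files/<user>]
matchrule = <EKU>msScLogin<SUBJECT>^.*,UID=<user>,.*$
EOF

set_debug_level "$sample_conf" pam 9
set_debug_level "$sample_conf" domain/files 9
cat "$sample_conf"
rm -f "$sample_conf"
```

Run it as-is to see the edited sample; on a real box point set_debug_level at /etc/sssd/sssd.conf as root, then call collect_sssd_logs. Editing only the two named sections matters because a global debug_level in [sssd] would not by itself raise the PAM responder's or the files provider's verbosity, and the 0600 requirement is why the helper rewrites the file in place rather than replacing it.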
