Discussion:
[Freeipa-users] Enabling smart card on GDM manually.
Michael Rainey (Contractor)
2016-02-03 18:52:01 UTC
Hello,

How does one manually enable smart card login on GDM without using the
authconfig command? I've tried using gsettings and dconf-editor. The
"enable-smartcard-authentication" seems to be locked at false.

Sumit suggested to not use authconfig to enable smartcard login, because
it tweaks the pam configuration to the point that an IPA client is
unable to authenticate using the smartcard.

Any suggestions?
--
*Michael Rainey*
NRL 7320
Computer Support Group
Building 1009, Room C156
Stennis Space Center, MS 39529
Michael Rainey (Contractor)
2016-02-03 19:14:20 UTC
Please disregard this message. I discovered the answer after the
message was sent.

There is a locks file in /etc/dconf/db/distro.d/locks. I edited the
/etc/dconf/db/distro.d/10-authconfig and rebooted. It is recognizing
the smartcard now.

*Michael Rainey*
NRL 7320
Computer Support Group
Building 1009, Room C156
Stennis Space Center, MS 39529
Sumit Bose
2016-02-03 21:47:12 UTC
Post by Michael Rainey (Contractor)
Please disregard this message. I discovered the answer after the message
was sent.
There is a locks file in /etc/dconf/db/distro.d/locks. I edited the
/etc/dconf/db/distro.d/10-authconfig and rebooted. It is recognizing the
smartcard now.

Don't switch on the Smartcard support in gdm; it will force gdm to use
pam_krb5 and pam_pkcs11. Just use the default configuration after
running ipa-client-install and add 'pam_cert_auth = True' to the [pam]
section of sssd.conf.

If now a user tries to log in via gdm or the console and has a Smartcard
inserted which has a certificate which matches the one in the user entry
on the IPA server, SSSD will not ask for a password but for the Smartcard
PIN.

HTH

bye,
Sumit
--
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
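
Added example, not part of the thread and not FreeIPA or SSSD project code: a shell check that a client matches the setup Sumit describes, with 'pam_cert_auth = True' in the [pam] section of sssd.conf and no pam_pkcs11 or pam_krb5 in the PAM service files. The function names and the sample files are constructed for illustration; on a real client, pass /etc/sssd/sssd.conf and the service files under /etc/pam.d.

```shell
#!/bin/sh
# Added example, not from the thread. Sample file contents are constructed.

# Print the value of pam_cert_auth from the [pam] section of an sssd.conf.
# Prints nothing if it is missing, commented out, or in another section.
# The value is lower-cased for comparison (a choice made in this example).
sssd_pam_cert_auth() {
    awk '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t\r]/, "", s); in_pam = (s == "[pam]"); next }
        in_pam && /^[ \t]*pam_cert_auth[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print tolower($0)
        }' "$1" | tail -n 1
}

# List pam_pkcs11 / pam_krb5 references on non-comment lines of a PAM file.
pam_legacy_smartcard_modules() {
    awk '!/^[ \t]*#/ {
        while (match($0, /pam_(pkcs11|krb5)\.so/)) {
            print substr($0, RSTART, RLENGTH); $0 = substr($0, RSTART + RLENGTH)
        }
    }' "$1" | sort -u
}

# $1 = sssd.conf, remaining args = PAM service files. Returns 0 only when
# pam_cert_auth is on and no PAM file pulls in pam_pkcs11 or pam_krb5.
check_ipa_smartcard_login() {
    conf=$1; shift; rc=0
    if [ "$(sssd_pam_cert_auth "$conf")" = "true" ]; then
        echo "OK   $conf: pam_cert_auth enabled in [pam]"
    else
        echo "FAIL $conf: pam_cert_auth not enabled in [pam]"; rc=1
    fi
    for f in "$@"; do
        mods=$(pam_legacy_smartcard_modules "$f" | tr '\n' ' ')
        [ -z "$mods" ] || { echo "WARN $f: references $mods"; rc=1; }
    done
    return "$rc"
}

# Constructed sample files so the script runs offline.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf '%s\n' '[domain/example.test]' 'pam_cert_auth = True' \
    '[pam]' '# pam_cert_auth = False' ' pam_cert_auth = True ' > "$demo/sssd.conf"
printf '%s\n' '[sssd]' 'services = nss, pam' '[pam]' > "$demo/sssd-missing.conf"
printf '%s\n' 'auth  sufficient  pam_sss.so' > "$demo/pam-default"
printf '%s\n' '# auth pam_krb5.so' 'auth  sufficient  pam_pkcs11.so' \
    'auth  optional  pam_krb5.so use_first_pass' > "$demo/pam-authconfig"
check_ipa_smartcard_login "$demo/sssd.conf" "$demo/pam-default"
check_ipa_smartcard_login "$demo/sssd-missing.conf" "$demo/pam-authconfig" || true
```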