On Thu, Sep 28, 2017 at 11:29:27AM -0400, Steve Weeks via FreeIPA-users wrote:
We have smartcards (PIV) working just fine on Fedora 25 with FreeIPA client version 4.4.4 (SSSD 1.14.2). However, on Ubuntu 16.04, FreeIPA client 4.3.1, SSSD 1.13.4, the smartcard seems to be ignored.
The smartcard is readable using pkcs11-tools and pkcs15-tools on both systems.
On both systems sssd.conf contains:

[pam]
pam_cert_auth = True

I've turned the sssd logging up to 9 on both systems and it looks like p11_child is never called on the Ubuntu system. On the Ubuntu system p11_child.log is empty and there is no sign of it being started in the sssd_pam.log.
Any suggestions on what I should look at next?
What does your PAM configuration look like? You have to make sure that pam_sss.so is the first module called for SSSD users. If pam_unix comes first, it will ask for a password and pass it on to pam_sss.so, which will try password authentication in this case.
HTH
bye, Sumit
Thanks, Steve
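
A way to check the ordering the reply asks about, as an added example that is not part of the original thread: it parses the auth rules of a PAM stack and reports whether pam_sss.so is reached before pam_unix.so. Both sample stacks are constructed, and `@include` lines are not followed.

```python
import re

# Constructed auth stacks (not taken from the thread). In the first one
# pam_unix.so is listed before pam_sss.so, the ordering the reply warns about.
SAMPLE_UNIX_FIRST = """\
# constructed example
auth  [success=2 default=ignore]  pam_unix.so nullok_secure
auth  [success=1 default=ignore]  pam_sss.so use_first_pass
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
"""

SAMPLE_SSS_FIRST = """\
auth  [success=2 default=ignore]  pam_sss.so
auth  [success=1 default=ignore]  pam_unix.so nullok_secure \\
      try_first_pass
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
"""

# type, control (a keyword or a [value=action ...] list), module, arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def auth_modules(text):
    """Return [(module, args)] for the auth rules, in evaluation order."""
    text = text.replace("\\\n", " ")           # join continued lines
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        m = RULE.match(line)
        if m and m.group(1) == "auth":         # @include lines are not followed
            rules.append((m.group(3).rsplit("/", 1)[-1], m.group(4).split()))
    return rules


def check_order(text):
    """Classify the stack: is pam_sss.so reached before pam_unix.so?"""
    names = [name for name, _ in auth_modules(text)]
    if "pam_sss.so" not in names:
        return "pam_sss.so missing from auth stack"
    if "pam_unix.so" in names and names.index("pam_unix.so") < names.index("pam_sss.so"):
        return "pam_unix.so runs before pam_sss.so"
    return "pam_sss.so runs first"


if __name__ == "__main__":
    for label, stack in (("unix first", SAMPLE_UNIX_FIRST), ("sss first", SAMPLE_SSS_FIRST)):
        print(label, "->", check_order(stack))
```

To check a real system, pass `check_order` the contents of the PAM file that holds the auth stack for the login service; on Ubuntu that is typically /etc/pam.d/common-auth, which is an assumption here since the thread does not name the file.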