So, I created a Red Hat ticket to assist and the support is pretty non-productive.
I have a RHEL 7 "Workstation" set up as an IPA client that works most of the time. However, there are occasions when the screen locks due to inactivity and I can't log back in. Most of the time it occurs when I use a smartcard x.509 cert to log in; but it also occasionally happens when I use a password to log in initially. The failures are not very consistent. The only way to log in AFTER that is to annoyingly reboot, or to console in as root and start a Kerberos session.
The IPA server is using an external CA. On the client, the CA certs for the smartcard are in /etc/pki/nssdb. The chain is Root CA -> ID Intermediate CA -> x.509 cert on token. All the CAs are external. The token cert did validate when using the Root CA and ID CA certs tacked together as the CAfile in `openssl verify`. I added the following to sssd.conf:
===============================
[domain/mydomain.com]
debug_level = 8
account_cache_expiration = 5
entry_cache_timeout = 28800

[pam]
debug_level = 8
offline_credentials_expiration = 5
===============================
"pam_cert_auth = True" is in the [pam] section. I did run the script from the `ipa-advise` client-smart_card_script.
freeipa-users@lists.fedorahosted.org
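The `openssl verify` check mentioned in the post is the one thing a reader can reproduce offline, so here is an added example (not from the original poster, not from FreeIPA or SSSD) that builds a throwaway Root CA -> Intermediate CA -> client cert chain and shows why the CAfile has to carry both the root and the intermediate: with the root alone, `openssl verify` cannot find the leaf's issuer and fails, which is the same shape of failure you would see if the NSS database on the client were missing the ID CA. All subject names, paths and the `verify_with` helper are constructed for this demo.

```shell
#!/bin/sh
# Added example: build a three-tier demo chain with openssl and verify the
# leaf against (a) root+intermediate bundle, (b) root only, (c) root as
# trust anchor with the intermediate passed as -untrusted.
# Every name and path below is made up for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/chain-demo.$$"
mkdir -p "$WORK"
cd "$WORK"

# Extension files: CA certs need CA:TRUE, the client cert must not be a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > leaf.ext

# Demo Root CA (self-signed).
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Demo Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 2 \
  -extfile ca.ext 2>/dev/null

# Demo ID Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Demo ID Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 2 -extfile ca.ext 2>/dev/null

# Demo client (token-style) cert, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=demo user" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 2 -extfile leaf.ext 2>/dev/null

# The "tacked together" CAfile from the post: root + intermediate in one PEM.
cat root.pem int.pem > bundle.pem

# verify_with CAFILE LEAF [UNTRUSTED]: prints "ok" or "fail" so the result
# can be captured by callers instead of read off the terminal.
verify_with() {
  cafile="$1"; leaf="$2"; untrusted="${3:-}"
  if [ -n "$untrusted" ]; then
    openssl verify -CAfile "$cafile" -untrusted "$untrusted" "$leaf" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$cafile" "$leaf" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# Human-readable run: full bundle succeeds, root-only cannot build the chain,
# root + "-untrusted int.pem" succeeds again because the issuer is now known.
printf 'bundle (root+intermediate): %s\n' "$(verify_with bundle.pem leaf.pem)"
printf 'root only:                  %s\n' "$(verify_with root.pem leaf.pem)"
printf 'root + untrusted int:       %s\n' "$(verify_with root.pem leaf.pem int.pem)"
```

If the root-only case is the one that passes on a real client, the leaf was issued directly by the root and the intermediate is not in play; if the bundle case fails, check that the intermediate in the bundle is really the issuer of the token cert (`openssl x509 -in leaf.pem -noout -issuer` against `openssl x509 -in int.pem -noout -subject`) before looking at SSSD.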