On Wed, Sep 09, 2020 at 01:56:23PM +0000, Jan Ufnalski via FreeIPA-users wrote:
>
>Configuration: OS: Kubuntu 20.04 LTS, Yubikey 5 with PIV, sssd version: 2.2.3-3, testing in a terminal session without a graphical interface to exclude problems from the graphical interface.
>When OTP is disabled and the Yubikey is inserted, I get the correct prompt for the smart card PIN during login.
>But when OTP is configured in IPA and the Yubikey is inserted, instead of getting a prompt for the smart card PIN I get a prompt for the first factor and second factor.
>In the [pam] section of /etc/sssd/sssd.conf I have enabled pam_cert_auth. I attach 2 logs from sssd, one with OTP enabled and one with OTP disabled.
>When I configured a second computer the same way a few weeks ago, everything works okay, but now I have to disable OTP to make the smart card work correctly.
Hi,
please add 'debug_level = 9' to the [domain/...] section of sssd.conf,
restart SSSD and run the tests again. Then please send the domain log and
krb5_child.log.
bye,
Sumit
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>#
># /etc/pam.d/common-auth - authentication settings common to all services
>#
># This file is included from other service-specific PAM config files,
># and should contain a list of the authentication modules that define
># the central authentication scheme for use on the system
># (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
># traditional Unix authentication mechanisms.
>#
># As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
># To take advantage of this, it is recommended that you configure any
># local modules either before or after the default block, and use
># pam-auth-update to manage selection of other modules. See
># pam-auth-update(8) for details.
># here are the per-package modules (the "Primary" block)
>auth [default=1 success=ok] pam_localuser.so
>auth [success=2 default=ignore] pam_unix.so nullok_secure
>#auth [success=1 default=ignore] pam_sss.so use_first_pass
>auth sufficient pam_sss.so forward_pass prompt_always
># here's the fallback if no module succeeds
>auth requisite pam_deny.so
># prime the stack with a positive return value if there isn't one already;
># this avoids us returning an error just because nothing sets a success code
># since the modules above will each just jump around
>auth required pam_permit.so
># and here are more per-package modules (the "Additional" block)
>auth optional pam_cap.so
># end of pam-auth-update config
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>
>
>Jan Ufnalski