I’ll PM you the Case number. Please feel free to state informational information here for
others to learn.
On Jun 20, 2019, at 22:30, Sumit Bose via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
On Fri, Jun 21, 2019 at 01:14:33AM -0000, Boyd Ako via FreeIPA-users wrote:
> So, I created a Red Hat ticket to assist and the support is pretty non-productive.
>
> I have a RHEL 7 "Workstation" setup as an IPA client that most of the time
> works. However, there are occasions when the screen locks out due to inactivity that I
> can't log back in. Most of the time it occurs when I use smartcard x.509 to login; but
> it also occasionally happens when I use password to login initially. It's not very
> consistent on the failures. The only way to login AFTER that is to annoyingly reboot or
> console in as root and start a kerberos session.
>
> The IPA server is using an external CA. On the client, the CA certs on the smartcard
> are in /etc/pki/nssdb. The chain is Root CA -> ID Intermediate CA -> x.509 cert on
> token. All the CAs are external. The token cert did validate when using the Root CA
> and ID CA certs tacked together for the CAfile in `openssl verify`. I added the following
> to the sssd.conf:
>
> ===============================
> [domain/mydomain.com]
> debug_level = 8
> account_cache_expiration = 5
> entry_cache_timeout = 28800
>
> [pam]
> debug_level = 8
> offline_credentials_expiration = 5
> ===============================
Hi,
did you add logs with debug_level=8 to the case you have mentioned? If
yes, please let me know the case number so that I can have a look. If
not, please send the logs. If you prefer to not share them on this list
feel free to send them to me directly.
bye,
Sumit
>
> "pam_cert_auth = True" is in the PAM sect. I did run the script from the
> `ipa-advise` client-smart_card_script.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Domo,
Boyd H. Ako
boyd.hanalei.ako(a)gmail.com
(424) 244-9653
“Coming together is a beginning. Keeping together is progress. Working together is
success.” -Henry Ford