On Mon, May 11, 2020 at 07:56:02PM -0000, David Woods via FreeIPA-users wrote:
I'm trying to setup smart card login into an AD user account
ID Override on RHEL 7.8. I have been looking through Red Hat's
documentation and its a bit confusing. I was wondering what is the
proper way to export a certificate from my CAC PIV card ? I have
been just exporting the certificate in PEM format from the ESC tool
and importing it into IDM web GUI. But SSSD isn't able to associate
the smart card with the AD user. When I run the ipa certmap-match
command, it will match to the AD account that I configured with the
ID Override. I was also wondering if I need pam_pkcs11 and pam_krb5
a working 'ipa certmap-match' is a good first step, since this command
will reach out to SSSD to do the mapping.
installed anymore ? When I uninstall pam_pkcs11, GDM doesn't
pam_pkcs11 and pam_krb5 are not needed anymore.
prompt me for my smart card PIN. I was looking at the
"config-client-for-smart-card-auth" script and it removes the
pam_pkcs11 RPM, that's why I am asking.
Did you run the script as well on the IPA client where you want to use
Smartcard authentication? Besides removing pam_pkcs11 and pam_krb5 there
are other important steps like adding CA certificate to /etc/pki/nssdb,
reconfiguring PAM to use pam_sss instead of the other 2 pam modules,
configuring SSSD to allow Smartcard authentication etc. So please run
the script or, if you prefer, do the steps in the script manually.
If this still does not help, please add 'debug_level = 9' to the [pam]
and [domain/...] sections of sssd.conf, restart SSSD, try again and send
the SSSD logs and the pam related content from /var/log/secure from
about the time of the test.
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines