Learn more about these different git repos.
Other Git URLs
It looks like sssd does not support KDE (or vice-versa ?) for smartcard authentication:
(Thu Jul 19 15:28:20 2018) [sssd[pam]] [may_do_cert_auth] (0x0020): Smartcard authentication for service [kde] not supported.
What needs to be done to get this to work?
This happens when trying to unlock the screen in KDE.
Also, looks like plasma (Fedora28) uses "kde" above. In EL7, KDE4, it uses the kscreensaver service.
The list of services is currently hard-coded:
bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd) { size_t c; const char *sc_services[] = { "login", "su", "su-l", "gdm-smartcard", "gdm-password", "kdm", "sudo", "sudo-i", "gnome-screensaver", NULL }; ... /* TODO: make services configurable */ if (pd->service == NULL || *pd->service == '\0') { return false; } for (c = 0; sc_services[c] != NULL; c++) { if (strcmp(pd->service, sc_services[c]) == 0) { break; } } if (sc_services[c] == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "Smartcard authentication for service [%s] not supported.\n", pd->service); return false; }
Pull request https://github.com/SSSD/sssd/pull/620 is supposed to provide a configurable way to set the list of the PAM services allowed to authenticate with smartcards.
I built a custom version with kde and kscreensaver added to the list. This allows F28 kscreenlocker to unlock via the PIN (although not with the password). I guess it will need to grow support to distinguish between the two (filed https://bugs.kde.org/show_bug.cgi?id=396703), but at least the basic functionality works.
This issue was fixed with #2926 by commit 93caaf2.
Closing this ticket as duplicate.
Metadata Update from @sbose: - Issue close_status updated to: duplicate - Issue status updated to: Closed (was: Open)
I only have one question - since the new option was added to 2.0 only and it might take some time until 2.0 makes its way into the distributions, would it be a good idea to backport the patch to 1.16.x so it can be more easily applied to e.g. supported fedora releases?
It was pushed before we branched the 2.0, so it's already part of the sssd-1-16 branch (IOW, no need to backport). The build done Today by @mzidek already included this fix for f27 and f28 (which are using 1.16.3 + patches).
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4781
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.