When using a userCertificate following the instructions at https://fy.blackhats.net.au/blog/html/2018/02/27/smartcards_and_you_how_to_make_them_work_on_fedora_rhel.html (except AD, not LDAP), the userCertificate is not able to be accessed if the backend provider is offline.
This manifests in two ways. After a reboot, the provider requests a password, even if the CCID is connected (not the PIN for CCID auth).
# opensc-tool -l
# Detected readers (pcsc)
Nr. Card Features Name
0 No Alcor Micro AU9560 00 00
1 Yes Yubico Yubikey 4 OTP+U2F+CCID 01 00
If you move from online to offline, i.e. suspend/resume, SSSD will loop infinitely and will cause GDM to hang indefinitely.
This is rather easy to reproduce given the configuration.
sssd-1.16.2-1.1.x86_64 openSUSE tumbleweed