#7358 ipa-advise for smartcards is out-of-date
Closed: fixed 6 years ago Opened 6 years ago by rcritten.

Issue

orionp was having issues enabling smartcard support. He said it was still enabling pam_pkcs11 following ipa-advise:

authconfig --enablesmartcard --smartcardmodule=sssd --updateall

He said that following Sumit's suggestion in https://bugzilla.redhat.com/show_bug.cgi?id=1378943#c12 worked:

authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --updateall

ipa-server-4.5.0-22.sl7_4.x86_64


Hello Rob
I suppose there are 2 issues.
1st
'# ipa-advise config-client-for-smart-card-auth'
should return
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --updateall

2nd: After running the above authconfig command, pam_pkcs11 should be removed, but I found it is still not getting removed.

Please correct me if I am misinterpreting.

I believe we can only address the first issue. If authconfig is not removing pam_pkcs11 when SSSD is the smartcard handler then a bug against authconfig will need to be opened.

What do you mean by 'pam_pkcs11 should be removed'? Remove the rpm package pam_pkcs11, or remove the pam_pkcs11 lines from the PAM configuration in /etc/pam.d?

Authconfig can only do the latter.

@sbose
It's removing the rpm package, since the script has this if statement.

But still pam_pkcs11 is not removed.
'# ipa-advise config-client-for-smart-card-auth'
..............
rpm -qi pam_pkcs11 > /dev/null
if [ "$?" -eq "0" ]
then
    yum remove -y pam_pkcs11
fi
.................

Hm, have you tried to run the script with 'bash -x' to see what it is doing?

Have you called 'kinit admin' before running the script?

@sbose, @pbrezina - I wonder how this changes with authselect. I suspect we would need to fix ipa-advise and check if it still works with authselect.

Yes, to enable sssd smartcard you need to also set --enablesssdauth.
In authselect, this would be just:

authselect select sssd with-smartcard

And manually set pam_cert_auth.
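
Added example, not part of the ticket or of ipa-advise: a check that separates the two questions raised above, whether pam_pkcs11 is still configured in the PAM files under /etc/pam.d and whether the pam_pkcs11 rpm is still installed. The function names, the sample file names and the sample PAM lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from ipa-advise): is pam_pkcs11 still *configured*
# in PAM, or merely *installed* as a package?

# List files in DIR (default /etc/pam.d) that have an active, non-comment
# line loading MODULE.so.
pam_module_users() {
    module=$1
    dir=${2:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Drop comment lines, then match the module file name as a whole word
        if grep -v '^[[:space:]]*#' "$f" | grep -qw -- "${module}\.so"; then
            basename "$f"
        fi
    done
}

# Return 0 if pam_sss is configured and no active pam_pkcs11 line remains,
# 1 if pam_pkcs11 is still configured, 2 if pam_sss is not configured at all.
smartcard_pam_status() {
    dir=${1:-/etc/pam.d}
    [ -z "$(pam_module_users pam_pkcs11 "$dir")" ] || return 1
    [ -n "$(pam_module_users pam_sss "$dir")" ] || return 2
    return 0
}

# Package presence is a separate question from PAM configuration.
pkcs11_package_installed() {
    command -v rpm >/dev/null 2>&1 && rpm -q pam_pkcs11 >/dev/null 2>&1
}

# Constructed sample directory: one file still calling pam_pkcs11 with
# pam_sss commented out, one file using pam_sss with pam_pkcs11 commented out.
make_sample_pam_dir() {
    d=$(mktemp -d)
    printf '%s\n' \
        '# auth sufficient pam_sss.so' \
        'auth sufficient pam_pkcs11.so' \
        'account required pam_unix.so' > "$d/smartcard-auth"
    printf '%s\n' \
        'auth sufficient pam_sss.so' \
        '#auth sufficient pam_pkcs11.so' \
        'account required pam_unix.so' > "$d/system-auth"
    echo "$d"
}
```

On a client, `smartcard_pam_status` with no argument inspects /etc/pam.d, and `pam_module_users pam_pkcs11` names the files that still need attention.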

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1540361

6 years ago

Metadata Update from @rcritten:
- Issue priority set to: critical
- Issue set to the milestone: FreeIPA 4.6.4

6 years ago

Metadata Update from @frenaud:
- Issue set to the milestone: FreeIPA 4.5 (was: FreeIPA 4.6.4)

6 years ago

master:

  • 6c81a2c ipa-advise for smartcards updated

ipa-4-5:

  • c4b0577 ipa-advise for smartcards updated

ipa-4-6:

  • 8595e34 ipa-advise for smartcards updated

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago
