orionp was having issues enabling smartcard support. He said it was still enabling pam_pkcs11 following ipa-advise:
authconfig --enablesmartcard --smartcardmodule=sssd --updateall
He said that following Sumit's suggestion in https://bugzilla.redhat.com/show_bug.cgi?id=1378943#c12 worked:
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --updateall
ipa-server-4.5.0-22.sl7_4.x86_64
Hello Rob, I suppose there are 2 issues. 1st, '# ipa-advise config-client-for-smart-card-auth' should return:
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --updateall
2nd, after running the above authconfig command, pam_pkcs11 should be removed, which I found is still not getting removed.
Please correct me if I am misinterpreting.
I believe we can only address the first issue. If authconfig is not removing pam_pkcs11 when SSSD is the smartcard handler then a bug against authconfig will need to be opened.
What do you mean by 'pam_pkcs11 should be removed'? Remove the rpm package pam_pkcs11 or remove pam_pkcs11 lines from the PAM configuration in /etc/pam.d ?
Authconfig can only do the latter.
@sbose It's removing the rpm package, since the script has this if statement.
But still pam_pkcs11 is not removed.
'# ipa-advise config-client-for-smart-card-auth'
..............
rpm -qi pam_pkcs11 > /dev/null
if [ "$?" -eq "0" ]
then
  yum remove -y pam_pkcs11
fi
.................
PR: https://github.com/freeipa/freeipa/pull/1469
hm, have you tried to run the script with 'bash -x' to see what it is doing?
Have you called 'kinit admin' before running the script?
@sbose, @pbrezina - I wonder how this changes with the authselect. I suspect we would need to fix ipa-advise and check if it still works with authselect.
Yes, to enable sssd smartcard you need to also set --enablesssdauth. In authselect, this would be just:
authselect select sssd with-smartcard
And manually set pam_cert_auth.
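An added example, not part of the ticket or of the ipa-advise output: a shell check for the end state discussed in this thread, namely that no active pam_pkcs11 line remains in the PAM directory, that an auth line uses pam_sss.so, and that pam_cert_auth is True in the [pam] section of sssd.conf. The function names, the default paths and the files written by make_sample are constructed for illustration.

```shell
# Added example: check which module handles smart cards after authconfig ran.
# Paths are arguments so the check can run against a copy of the config.

# List PAM files that still contain an active (uncommented) pam_pkcs11 line.
pkcs11_pam_files() {
    grep -lE '^[[:space:]]*[^#[:space:]].*pam_pkcs11\.so' "$1"/* 2>/dev/null
}

# Succeed if the [pam] section of sssd.conf sets pam_cert_auth = True.
sssd_cert_auth_enabled() {
    awk '
        /^[ \t]*\[/ { in_pam = ($0 ~ /^[ \t]*\[pam\]/) }
        in_pam && /^[ \t]*pam_cert_auth[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); v = tolower($0)
        }
        END { exit !(v ~ /^true[ \t]*$/) }
    ' "$1" 2>/dev/null
}

# Return 0 only when SSSD, not pam_pkcs11, owns smart-card authentication.
audit_smartcard_pam() {
    a_dir=${1:-/etc/pam.d}; a_conf=${2:-/etc/sssd/sssd.conf}; a_rc=0
    a_stale=$(pkcs11_pam_files "$a_dir") || true
    if [ -n "$a_stale" ]; then
        echo "FAIL: active pam_pkcs11 lines in: $a_stale"; a_rc=1
    fi
    if ! grep -qE '^[[:space:]]*auth[[:space:]].*pam_sss\.so' "$a_dir"/* 2>/dev/null; then
        echo "FAIL: no auth line uses pam_sss.so"; a_rc=1
    fi
    if ! sssd_cert_auth_enabled "$a_conf"; then
        echo "FAIL: pam_cert_auth is not True in [pam] of $a_conf"; a_rc=1
    fi
    if [ "$a_rc" -eq 0 ]; then echo "OK: smart-card auth is handled by SSSD"; fi
    return "$a_rc"
}

# Constructed sample: the state the ticket describes (pam_pkcs11 left enabled).
make_sample() {
    mkdir -p "$1/pam.d"
    printf '%s\n' 'auth required pam_env.so' \
        'auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug' \
        'auth sufficient pam_sss.so forward_pass' > "$1/pam.d/system-auth"
    printf '%s\n' '[sssd]' 'services = nss, pam' '[pam]' \
        'pam_cert_auth = True' > "$1/sssd.conf"
}
```

Running `make_sample /tmp/sc && audit_smartcard_pam /tmp/sc/pam.d /tmp/sc/sssd.conf` reports the leftover pam_pkcs11 line; with no arguments the audit reads the live configuration.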
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1540361
Issue linked to Bugzilla: Bug 1540361
Metadata Update from @rcritten: - Issue priority set to: critical - Issue set to the milestone: FreeIPA 4.6.4
Metadata Update from @frenaud: - Issue set to the milestone: FreeIPA 4.5 (was: FreeIPA 4.6.4)
master:
ipa-4-5:
ipa-4-6:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)