#7532 ipa-advise config-client-for-smart-card-auth: enable smart card auth in sssd.conf
Closed: fixed 5 years ago Opened 5 years ago by frenaud.

Issue

ipa-advise config-client-for-smart-card-auth produces a shell script that should be run on IPA clients where we want to enable smart card authentication. After the migration to authselect instead of authconfig, this script does not completely configure SSSD and is missing the addition of

[pam]
pam_cert_auth=True

in /etc/sssd/sssd.conf

Steps to Reproduce

  1. configure the machine as a FreeIPA client with ipa-client-install
  2. generate the script on the server with kinit admin && ipa-advise config-client-for-smart-card-auth > /tmp/config-client-for-smart-card-auth.sh
  3. copy the script to the client and execute it with sh /tmp/config-client-for-smart-card-auth.sh /path/to/CA.pem where CA.pem contains the cert for the authority that is signing the smart card certificates

Actual behavior

After the script execution, /etc/sssd/sssd.conf should contain pam_cert_auth=True but does not, thus preventing successful console/gnome login with a smart card.

Expected behavior

The script should also update /etc/sssd/sssd.conf

Version/Release/Distribution

master branch containing authselect code

Additional info:

Before the authselect migration, the script contained the following call:
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=1 --updateall
With authselect, the script contains the following call:
authselect enable-feature with-smartcard
but the help for authselect show sssd specifies the following:

with-smartcard::
    Enable authentication with smartcards through SSSD. Please note that
    smartcard support must be also explicitly enabled within
    SSSD's configuration.

meaning that the step updating sssd.conf needs to be done separately.
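
The gap described above (authselect enable-feature with-smartcard leaves sssd.conf untouched) can be audited and closed with a small shell helper. This is an added example, not part of the original issue and not the fix merged in FreeIPA; the function names are hypothetical and the configuration file path is passed as an argument.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not the ipa-advise script.

# pam_cert_auth_enabled FILE
# Succeeds only if the [pam] section of FILE sets pam_cert_auth to True.
# A key placed in another section, or commented out, does not count.
pam_cert_auth_enabled() {
    awk '
        /^[ \t]*\[/ { in_pam = ($0 ~ /^[ \t]*\[pam\][ \t]*$/); next }
        in_pam && /^[ \t]*pam_cert_auth[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            found = (tolower(val) == "true")
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# enable_pam_cert_auth FILE
# Rewrites FILE so that [pam] holds exactly one "pam_cert_auth = True",
# replacing any earlier value and creating [pam] if it is missing.
# Running it again leaves the file unchanged.
enable_pam_cert_auth() {
    conf=$1
    tmp=$(mktemp) || return 1
    awk '
        /^[ \t]*\[/ {
            in_pam = ($0 ~ /^[ \t]*\[pam\][ \t]*$/)
            print
            if (in_pam && !added) { print "pam_cert_auth = True"; added = 1 }
            next
        }
        in_pam && /^[ \t]*pam_cert_auth[ \t]*=/ { next }  # drop old value
        { print }
        END {
            if (!added) { print ""; print "[pam]"; print "pam_cert_auth = True" }
        }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back in place so owner, mode and labels of FILE are kept.
    cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

On a client, enable_pam_cert_auth /etc/sssd/sssd.conf followed by a restart of sssd applies the setting, and pam_cert_auth_enabled can be used afterwards as a check.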


I tested the same.
Now the script adds the following stanza in sssd.conf.
[pam]
pam_cert_auth = True

For authselect show sssd
I believe we can open an issue at
'https://github.com/pbrezina/authselect/issues'

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

5 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

Metadata Update from @frenaud:
- Issue assigned to frenaud

5 years ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2359

5 years ago

master:

  • 7729bb7 ipa-advise: configure pam_cert_auth=True for smart card on client

ipa-4-7:

  • 446c6c8 ipa-advise: configure pam_cert_auth=True for smart card on client

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago
