On (07/06/16 13:36), Jakub Hrozek wrote:
>On Tue, Jun 07, 2016 at 12:18:17PM +0200, Jakub Hrozek wrote:
>> On Mon, Jun 06, 2016 at 10:56:52AM +0200, Sumit Bose wrote:
>> > On Fri, Jun 03, 2016 at 05:56:45PM +0200, Jakub Hrozek wrote:
>> > > On Wed, Jun 01, 2016 at 06:31:29PM +0200, Sumit Bose wrote:
>> > > > Hi,
>> > > > 
>> > > > the attached two patches would allow using the Smartcard support in
>> > > > gdm with SSSD. To use it you should replace pam_pkcs11 in
>> > > > /etc/pam.d/smartcard-auth in the auth section by
>> > > > 
>> > > >     auth        sufficient      pam_sss.so allow_missing_name
>> > > > 
>> > > > and drop the password section completely.
>> > > > 
>> > > > To enable the Smartcard support in gdm the easiest way is to use
>> > > > dconf-editor:
>> > > > 
>> > > >     DCONF_PROFILE=gdm dconf-editor
>> > > > 
>> > > > In the org/gnome/login-screen section you can switch the Smartcard
>> > > > support on and off. Additionally you might want to tune the removal
>> > > > action in org/gnome/settings-daemon/peripherals/smartcard .
>> > > > 
>> > > > If now a Smartcard is inserted gdm should register it, call
>> > > > /etc/pam.d/gdm-smartcard which calls /etc/pam.d/smartcard-auth without a
>> > > > user name. With the new option from the first patch pam_sss will accept
>> > > > this and send it to the pam responder. The pam responder can handle this
>> > > > if Smartcard authentication is enabled, tries to read the certificate
>> > > > from the Smartcard, tries to find a matching user and if successful,
>> > > > returns the user name to pam_sss which puts it on the PAM stack and
>> > > > continues with the authentication.
>> > > > 
>> > > > It would be nice if someone can review the code even without testing the
>> > > > functionality. In this case I will ask someone else with access to
>> > > > Smartcards and reader to do some functional testing.
>> > > > 
>> > > > I think these patches are candidates for the pam wrapper based tests
>> > > > Jakub has for review on the list. I'll start reviewing those and add
>> > > > tests when they are in master.
>> > > 
>> > > The code looks good to me with some minor nitpicks (see inline) but at
>> > > least for me, the tests are failing:
>> > > [ RUN      ] test_pam_offline_chauthtok_prelim
>> > > [  ERROR   ] --- 0x2 != 0x3
>> > > [   LINE   ] --- /home/remote/jhrozek/devel/sssd/src/tests/cmocka/test_pam_srv.c:641: error: Failure!
>> > > [  FAILED  ] test_pam_offline_chauthtok_prelim
>> > > [ RUN      ] test_pam_offline_chauthtok
>> > > [  ERROR   ] --- 0x2 != 0x3
>> > > [   LINE   ] --- /home/remote/jhrozek/devel/sssd/src/tests/cmocka/test_pam_srv.c:641: error: Failure!
>> > > [  FAILED  ] test_pam_offline_chauthtok
>> > > 
>> > > Do I need some other patches applied as well?
>> > 
>> > Not that I'm aware of. So far I was not able to reproduce the error
>> > locally nor with CI
>> > http://sssd-ci.duckdns.org/logs/job/44/49/summary.html . Do you maybe
>> > have your pam wrapper patches applied to check for regressions?
>> 
>> Of course this was the case :-) Good excuse to rebase my tests atop
>> these patches..
>
>ACK to both your patches by the way.
master:
* d86224608ff60ec5cc7e7cbf9e53d8a04e083530
* 325ed9f92f1ea1f348fd7913229faecf3dc1d40b

LS
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
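
Added example, not part of the original thread or of the SSSD sources: a small check that a smartcard-auth PAM file matches the change described in the first message (pam_pkcs11 replaced by pam_sss.so allow_missing_name in the auth section, password section dropped). The two sample files and the function names are constructed for illustration.

```python
import re

# Constructed sample files (not taken from any real system).
BEFORE = """\
auth      required    pam_env.so
auth      [success=done ignore=ignore default=die] pam_pkcs11.so
auth      required    pam_deny.so
account   required    pam_unix.so
password  required    pam_pkcs11.so
"""
AFTER = """\
auth      required    pam_env.so
auth      sufficient  pam_sss.so allow_missing_name
auth      required    pam_deny.so
account   required    pam_unix.so
"""

# type, control (plain word or [bracketed list]), module, optional arguments
LINE = re.compile(r"-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_line(raw):
    """Split one PAM rule into (type, control, module basename, args)."""
    m = LINE.match(raw.split("#", 1)[0].strip())
    if not m:
        return None  # blank line, comment, or not a type/control/module rule
    ptype, control, module, args = m.groups()
    return ptype.lower(), control, module.rsplit("/", 1)[-1], args.split()

def lint_smartcard_auth(text):
    """Return findings where the file differs from the setup in the thread."""
    findings, sss_ok = [], False
    for raw in text.splitlines():
        entry = parse_pam_line(raw)
        if entry is None:
            continue
        ptype, _control, module, args = entry
        if ptype == "auth" and module == "pam_pkcs11.so":
            findings.append("auth section still uses pam_pkcs11.so")
        elif ptype == "password":
            findings.append(f"password section still present ({module})")
        elif ptype == "auth" and module == "pam_sss.so":
            if "allow_missing_name" in args:
                sss_ok = True
            else:
                findings.append("pam_sss.so auth rule lacks allow_missing_name")
    if not sss_ok:
        findings.append("no auth rule with pam_sss.so allow_missing_name")
    return findings
```
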