Hello, pam.d/system-auth
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth pam.d/smartcard-auth auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet auth sufficient pam_sss.so ignore_authinfo_unavail require_cert_auth auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so etc/sssd/sssd.conf [sssd] services = nss, pam domains = files [nss] [pam] pam_cert_auth = True pam_cert_db_path = /etc/sssd/pki/<cert>.pem debug_level = 4 [domain/files] id_provider = files [certmap/files/<user>] matchrule = <EKU>msScLogin<SUBJECT>^.*,UID=<user>,.*$ gdm.d/greeter-login enable-smartcard-authentication=true enable-fingerprint-authentication=false enable-password-authentication=false Reboot and get Card PIN user prompt gdm-login-greeter -> add username and click next Get Prompted for PIN but after a second it just fails and goes back to asking for username. Has anyone run into this behaviour, suggestions, fix? Seems to be a reoccurring issue I have seen in +F28, +CentOS7 and +RHEL7 basically anything with obsolete coolkey pkcs11 authconfig. Thanks, Brad _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org