Description of problem:
gdm calls for gdm-smartcard when smartcard authentication is not enabled
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install ipa-client and enable smartcard login using sssd by making the following change in sssd.conf
pam_cert_auth = True
2. Trust the signing certs associated with the smartcard under /etc/pki/nssdb
3. Login using smartcard
4. Screen locks due to inactivity
5. login attempt prompts for pin
Auth should be successful
Seeing the following in /var/log/secure
Aug 30 11:48:00 dhcp129-53 gdm-smartcard]: pam_pkcs11(gdm-smartcard:auth): no valid certificate which meets all requirements found
/etc/dconf/db/distro.d/10-authconfig says enable-smartcard-authentication=false
How did you log in using smartcard if enable-smartcard-authentication=false ?
I think you must be missing steps in comment 0?
I might have an idea what is going on. For 7.3 I added a patch which set PKCS11_LOGIN_TOKEN_NAME when Smartcard authentication is used.
Ray, is it possible that the screen-saver will use gdm-smartcard whenever this environment variable is set without checking other options like the enable-smartcard-authentication dconf setting?
I'll prepare a test build which sets the variable only if SSSD was called from gdm-smartcard so that when gdm-password was used for the initial authentication, even with a Smartcard, the desktop components are not confused by the variable.
[root@dhcp129-34 ~]# rpm -qi sssd
Name : sssd
Version : 1.14.0
Release : 42.el7
Install Date: Sun 18 Sep 2016 12:54:23 PM EDT
Group : Applications/System
Size : 35147
License : GPLv3+
Signature : (none)
Source RPM : sssd-1.14.0-42.el7.src.rpm
Build Date : Fri 16 Sep 2016 09:48:09 AM EDT
Build Host : x86-039.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor : Red Hat, Inc.
URL : http://fedorahosted.org/sssd/
Summary : System Security Services Daemon
Executed the steps in the bug description, authentication was successful while unlocking the screen.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.