Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: rhel-8.1.0
Component/s: gnome-settings-daemon
Labels:

Pool Team:

sst_desktop
Sub-System Group:

ssg_desktop

Blocked:
False
Blocked Reason:

Hide

None

Show
None

Release Note Type:
If docs needed, set a value

Experience:
Architecture:

Unspecified
Bugzilla Bug:
RHBZ: 1796190

PX Impact Score:
PX Technical Impact:
PX Impact Range:
PX Priority Data:
PX Review Complete:
PX Scheduling Request:
SFDC Cases Counter:
SFDC Cases Links:

Description of problem:
GDM does not automatically prompt for password when smart card inserted. After inserting smart card, you must key in the user name before it reads the smart card.

Version-Release number of selected component (if applicable):

Red Hat Enterprise Linux 8.1
sssd-common-pac-2.2.0-19.el8.x86_64
sssd-krb5-2.2.0-19.el8.x86_64
pcsc-lite-1.8.23-3.el8.x86_64
sssd-2.2.0-19.el8.x86_64
sssd-nfs-idmap-2.2.0-19.el8.x86_64
gdm-3.28.3-22.el8.x86_64
sssd-ldap-2.2.0-19.el8.x86_64
pcsc-lite-devel-1.8.23-3.el8.x86_64
pcsc-lite-libs-1.8.23-3.el8.x86_64
sssd-krb5-common-2.2.0-19.el8.x86_64
sssd-ipa-2.2.0-19.el8.x86_64
sssd-kcm-2.2.0-19.el8.x86_64
pcsc-lite-ccid-1.4.29-3.el8.x86_64
sssd-client-2.2.0-19.el8.x86_64
sssd-proxy-2.2.0-19.el8.x86_64
sssd-common-2.2.0-19.el8.x86_64
sssd-ad-2.2.0-19.el8.x86_64
python3-sssdconfig-2.2.0-19.el8.noarch

How reproducible:
Consistently.

Steps to Reproduce:
Unable to reproduce using CAC card on front-line due to lack resources. A backline engineer was able to reproduce mostly using Yubikey.

Actual results:
When smart-card is inserted, user must be manually chosen before prompt is given.

Expected results:
When smart-card is inserted, user is detected and password prompt is given.

Additional info:
cat /etc/authselect/dconf-db

Generated by authselect on Thu Nov 21 10:48:15 2019
Do not modify this file manually.

[org/gnome/login-screen]
enable-smartcard-authentication=true
enable-fingerprint-authentication=false
enable-password-authentication=false

smart card readers in use:
Bus 002 Device 023: ID 076b:3022 OmniKey AG CardMan 3021
Bus 002 Device 024: ID 08e6:3437 Gemalto (was Gemplus) GemPC Twin SmartCard Reader
Bus 002 Device 025: ID 1050:0406 Yubico.com Yubikey 4 U2F+CCID
Bus 002 Device 026: ID 04e6:5814 SCM Microsystems, Inc.
Bus 002 Device 027: ID 058f:9540 Alcor Micro Corp. AU9540 Smartcard Reader

/etc/pam.d/smartcard-auth:

auth required pam_env.so
auth sufficient pam_sss.so forward_pass allow_missing_name
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so