After a successful smart card login on RHEL 7, the smart card PIN no longer works once the screen is locked until the "Log in as another User" button is selected. The "Log in as another User" button has to be selected for smart card PIN authentication to work again. The problem persists even after upgrading to RHEL 7.4 or higher per KB-7415.
After the release of RHEL 7.4, an issue was identified: when the screen is unlocked, GNOME sets the username in the PAM context, which triggers the pam_pkcs11 mapper to verify that the certificate's alt UPN name matches the username set in the PAM context. The pkcs11 mapper tries to directly compare the alt UPN to the user on the card, which does not match. As a result, the screen cannot be unlocked with the smart card PIN after it has been locked.
When "Log in as another user" is selected, GNOME clears the PAM context username and does a plain user search, as if the user were logging in for the first time at the console. As long as there is a certificate with a valid UPN, it is passed to pkinit to derive the user. If pkinit is successful, it knows which Unix user the card belongs to and sets the Unix username back in the PAM context.
Resolution:
This issue is fixed in the Centrify Suite 2018 (5.5.0) release.