Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-4773: sctool -s command we get "Cannot determine Centrify Smart Card status"

Authentication Service ,  

20 July,16 at 03:08 PM

Applies to:
 
All versions of Centrify DirectControl
 
Question:
 
When running sctool -s command, the following message occurs
 
 "Cannot determine Centrify Smart Card status. Make sure that Centrify is installed correctly and this computer is joined a domain correctly, or contact a system administrator." 
 
When running sctool -e and response was "Starting PC/SC smart card daemon (pcscd)". 
 
The card reader is ACS ACR3801. 
 
All packages were verified and installed from the Centrify website link https://www.centos.org/docs/5/html/5.2/Deployment_Guide/sso-sc-config.html.
 
System was rebooted too. 
 
Running "dmesg" command showed device loading configuration for smart card reader. 
 
Answer:
 
The issue is that in /etc/pam.d/kscreensaver, the customer had this line:
 
auth    include system-auth try_first_pass
 
instead of what we expect which is:
 
auth    include system-auth
 
Basically our pam stack modifier doesn't recognize any lines in kscreensaver and says that the status of the kscreensaver pam file is unknown and so
sctool exits out and doesn't make any modifications to any pam lines in any of the files.
 
Centrify verified that on a RHEL 6.5 VM with KDE desktop, the "try_first_pass entry" is not included in the /etc/pam.d/kscreensaver file. It was added manually.
 
auth include system-auth

Note: 

This also applies to /etc/pam.d/gnome-screensaver

Related Articles

 articleKB-8538: After Enabling Smartcard, sctool -s Gives the Error "Cannot determine Centrify Smart Card status" articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-3242: sctool commands for Centrify smart card support articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-3415: How to enable Smart Card logon support on RedHat environments articleKB-4139: How to support a 3rd party PKCS#11 module other than the Coolkey module shipped for RedHat