Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-8538: After Enabling Smartcard, sctool -s Gives the Error "Cannot determine Centrify Smart Card status"

Authentication Service ,  

12 April,17 at 04:54 PM

Applies to:

All versions of Centrify DirectControl 
 
Problem: 
  
To enable the Smartcard, the following command is run and returns without any error
# sctool -e

When sctool -s is executed to determine the status of Smartcard, the message is returned:
  
Cannot determine Centrify Smart Card status. Make sure that Centrify is installed correctly and this computer is joined a domain correctly, or contact a system administrator

Cause:
  
The sctool -e command did not make the neccessary changes in /etc/pam.d/smartcard-auth file.

Before sctool -e the /etc/pamd.d/smartcard-auth files look similar to:
 
User-added image

After sctool -e, the changes made are seen in the image below:
  
User-added image

Although the links and files are created correctly, the content of smartcard-auth does not have the changes required to enable Smartcard.  A correct smartcard-auth file will have entries such as see here:
 
User-added image

If these entries are missing the sctool -s will fail.

The debug logfile has these entries:
 
Apr 07 17:29:40 rhel732 sctool[123025]: DEBUG redhat.sctool Reset PKCS #11 module to our own Coolkey module.
Apr 07 17:29:40 rhel732 sctool[123025]: DEBUG redhat.sctool In doStatus()
Apr 07 17:29:40 rhel732 sctool[123025]: DEBUG redhat.sctool doStatus() on [/etc/pam.d/smartcard-auth]: 3
Apr 07 17:29:40 rhel732 sctool[123025]: DEBUG redhat.sctool doStatus() : Returning 3

When the value of 3 is returned from doStatus(), this identifies the file that causes the sctool to throw the message.

  
Workaround:
  
1) Disable Smartcard
# sctool -d

2) Replace the smartcard-auth-ac file with an out-of-the-box file from a similar machine.

3) Enable Smartcard 
# sctool -e

4) Make sure changes were made to /etc/pam.d/smartcard-auth

  
Resolution:
  
Resolved in a future release of Centrify Server Suite

Related Articles

 articleKB-4773: sctool -s command we get "Cannot determine Centrify Smart Card status" articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-4139: How to support a 3rd party PKCS#11 module other than the Coolkey module shipped for RedHat articleKB-3415: How to enable Smart Card logon support on RedHat environments