Applies to:
All versions of Centrify DirectControl
Problem:
To enable the Smartcard, the following command is run and returns without any error
# sctool -e
When sctool -s is executed to determine the status of Smartcard, the message is returned:
Cannot determine Centrify Smart Card status. Make sure that Centrify is installed correctly and this computer is joined a domain correctly, or contact a system administrator
Cause:
The sctool -e command did not make the neccessary changes in /etc/pam.d/smartcard-auth file.
Before sctool -e the /etc/pamd.d/smartcard-auth files look similar to:
After sctool -e, the changes made are seen in the image below:
Although the links and files are created correctly, the content of smartcard-auth does not have the changes required to enable Smartcard. A correct smartcard-auth file will have entries such as see here:
If these entries are missing the sctool -s will fail.
The debug logfile has these entries:
Apr 07 17:29:40 rhel732 sctool[123025]: DEBUG redhat.sctool Reset PKCS #11 module to our own Coolkey module.
Apr 07 17:29:40 rhel732 sctool[123025]: DEBUG redhat.sctool In doStatus()
Apr 07 17:29:40 rhel732 sctool[123025]: DEBUG redhat.sctool doStatus() on [/etc/pam.d/smartcard-auth]: 3
Apr 07 17:29:40 rhel732 sctool[123025]: DEBUG redhat.sctool doStatus() : Returning 3
When the value of 3 is returned from doStatus(), this identifies the file that causes the sctool to throw the message.
Workaround:
1) Disable Smartcard
# sctool -d
2) Replace the smartcard-auth-ac file with an out-of-the-box file from a similar machine.
3) Enable Smartcard
# sctool -e
4) Make sure changes were made to /etc/pam.d/smartcard-auth
Resolution:
Resolved in a future release of Centrify Server Suite