Applies to: Centrify Direct Control version 5.1 and greater on Red Hat Linux (32- or 64-bit) version 5.6 or later running the GNOME desktop.
Question:
When attempting to use a smartcard to log in to a Centrified Linux system, the following error is received:
This certificate (or its chain) is not valid
The user is able to log in successfully using a smartcard on Windows. How can we address this for Linux?
Answer:
This error message indicates that certificates for the smartcard in use are missing on the Linux machine.
It is best practice, if new smart card certs are going to be added or renewed in AD, to complete the following:
- Remove the /etc/pam_pkcs11/cacerts directory.
- Run 'adgpupdate' to get all the new cert links updated in the /etc/pam_pkcs11/cacerts directory.
If certs are still missing or the same error message is still received, adgpupdate may be timing out before it can finish. One may adjust the group policy timeout for rhel_certgp.pl to suit their environment:
- Time a forced run of the mapper:
time /usr/share/centrifydc/mappers/machine/rhel_certgp.pl map force
- Edit the following value in /etc/centrifydc/centrifydc.conf: gp.mappers.timeout, setting it to a number larger than the result of the time command. The default timeout value is 30 seconds.
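As an added example (not Centrify's own code), the shell helper below times one forced mapper run and compares it with the effective gp.mappers.timeout, falling back to the 30-second default when the setting is absent or commented out. It assumes centrifydc.conf uses `name: value` lines with `#` comments; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check whether gp.mappers.timeout covers the mapper's run time.
# Assumption: centrifydc.conf uses "name: value" lines and "#" for comments.

DEFAULT_TIMEOUT=30   # default stated in the article

# Print the effective gp.mappers.timeout for the given config file.
# Commented-out or missing settings fall back to the default; the last
# uncommented assignment wins.
configured_timeout() {
    conf=$1
    value=""
    if [ -r "$conf" ]; then
        value=$(sed -n 's/^[[:space:]]*gp\.mappers\.timeout[[:space:]]*:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$conf" | tail -n 1)
    fi
    echo "${value:-$DEFAULT_TIMEOUT}"
}

# Succeed only when the configured timeout is larger than the measured seconds.
timeout_sufficient() {
    measured=$1
    conf=$2
    [ "$(configured_timeout "$conf")" -gt "$measured" ]
}

# Run the mapper once (same command as in the article) and print its
# wall-clock duration in whole seconds, padded by one second.
measure_mapper() {
    mapper=$1
    start=$(date +%s)
    "$mapper" map force >/dev/null 2>&1
    end=$(date +%s)
    echo $(( end - start + 1 ))
}

MAPPER=/usr/share/centrifydc/mappers/machine/rhel_certgp.pl
CONF=/etc/centrifydc/centrifydc.conf
if [ -x "$MAPPER" ]; then
    secs=$(measure_mapper "$MAPPER")
    if timeout_sufficient "$secs" "$CONF"; then
        echo "gp.mappers.timeout ($(configured_timeout "$CONF")s) covers the mapper run (${secs}s)"
    else
        echo "raise gp.mappers.timeout above ${secs}s (currently $(configured_timeout "$CONF")s)"
    fi
fi
```

Run it as root on the affected machine; on a host without the mapper installed it does nothing.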
There is a corresponding Centrify Group Policy: a Computer GP called “Set group policy mapper execution timeout”, located under Centrify Settings / DirectControl Settings / Group Policy Settings.
For reference: