Greetings,

My quest to enable CAC for all my users continues. Until I can get PKI-INIT to work with Open Directory, I'm simply adding the user's pubkeyhash to their account, following Yoann Gini's directions. I've noticed that the CAC doesn't unlock the user's login keychain when logging in.

Previous posts from Shawn Geddis indicate that the command systemkeychain -T /path/to/keychain will tie the keychain to the CAC. In practice, this doesn't seem to be working. If I use the existing login.keychain, I get the error message:

/test2/Library/Keychains/login.keychain: CSSMERR_DL_DATASTORE_ALREADY_EXISTS

when I run the command. If I generate a new keychain, I can run the command and it will work, but instead of unlocking the keychain at login, or asking me to unlock it with my CAC PIN, it simply locks up all web-based access until the offending keychain is deleted.

Has anyone gotten this to work? I can't find any documentation to read, or previous successes to emulate.

Thank you,
John
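One way to audit which accounts actually carry a pubkeyhash binding and whether it matches the inserted card, as an added example that is not code from this thread or from Apple: it assumes the dscl record layout ";pubkeyhash;<hex>" in AuthenticationAuthority and that `sc_auth hash` prints one line per card certificate starting with the hash; the sample record and card lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit pubkeyhash bindings on macOS accounts.
# Assumes the record layout ";pubkeyhash;<hex>" and that `sc_auth hash` prints
# one line per card certificate beginning with the hash (both assumptions).

# Print every pubkeyhash (upper-cased hex) found in a dscl AuthenticationAuthority record.
# $1: raw output of `dscl . -read /Users/<name> AuthenticationAuthority`
extract_pubkeyhashes() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n 's/^;pubkeyhash;\([0-9A-Fa-f]*\).*/\1/p' | tr 'a-f' 'A-F'
}

# Return 0 if hash $2 is bound in record $1, 1 otherwise (case-insensitive).
has_pubkeyhash() {
    extract_pubkeyhashes "$1" | grep -qix "$2"
}

# Print the hashes from `sc_auth hash` output ($1), one per line, upper-cased.
card_hashes() {
    printf '%s\n' "$1" | awk 'NF { print toupper($1) }'
}

# Return 0 if any hash on the card output ($2) is bound in the account record ($1).
card_matches_record() {
    for h in $(card_hashes "$2"); do
        has_pubkeyhash "$1" "$h" && return 0
    done
    return 1
}

# Constructed sample data (not real records or card hashes).
SAMPLE_RECORD='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;test2@LKDC:SHA1.0000;LKDC:SHA1.0000 ;pubkeyhash;0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_CARD='0123456789abcdef0123456789abcdef01234567 Certificate For PIV Authentication
89ABCDEF0123456789ABCDEF0123456789ABCDEF Certificate For Digital Signature'

# Live use on macOS: audit_user <shortname>, with the card inserted.
audit_user() {
    rec=$(dscl . -read "/Users/$1" AuthenticationAuthority) || return 2
    if card_matches_record "$rec" "$(sc_auth hash)"; then
        echo "$1: account is bound to the inserted card"
    else
        echo "$1: no pubkeyhash on the account matches the inserted card"
        return 1
    fi
}
```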
On 9 Dec 2013, at 18:33, Daly, John CIV NAVAIR, 4L6200D <john.l.daly@navy.mil> wrote:

> my quest to enable CAC for all my users continues. Until I can get PKI-INIT to work with Open Directory, I'm simply adding the user's pubkeyhash to their account, following Yoann Gini's directions. I've noticed that the CAC doesn't unlock the user's login keychain when logging in.
When using pubkeyhash, I've just set my login keychain to use my PIN code as its password, without any command line, just using the password modification tool in Keychain Access.

PS: I'm also working on PKINIT with AD at this time; impossible to make it work without Centrify / Thursby.