[SmartcardServices-Users] of keychains and CAC

Daly, John CIV NAVAIR, 4L6200D john.l.daly at navy.mil
Mon Dec 9 09:33:42 PST 2013


Greetings,
my quest to enable CAC for all my users continues.  Until I can get PKI-INIT to work with Open Directory, I'm simply adding the user's pubkeyhash to their account, following Yoann Gini's directions.
I've noticed that the CAC doesn't unlock the user's login keychain when logging in.  
Previous posts from Shawn Geddis indicate that the command
systemkeychain -T /path/to/keychain will tie the keychain to the CAC.
In practice, this doesn't seem to be working.
If I use the existing login.keychain, I get the error message:
/test2/Library/Keychains/login.keychain: CSSMERR_DL_DATASTORE_ALREADY_EXISTS
when I run the command.
If I generate a new keychain, I can run the command and it will work, but instead of unlocking the keychain at login, or asking me to unlock it with my CAC PIN, it simply locks up all web-based access until the offending keychain is deleted.
Has anyone gotten this to work?  I can't find any documentation to read, or previous successes to emulate.

Thank you,
John
