No, our AD domain has the PIV mappings. I installed the smartcard services, enabled smartcard authentication, and the smartcard services picked up the mapping already built into our AD domain just like a Windows user would experience. I don’t manage the domain
or Windows things so I’m not versed in all of the inner workings required to make all that happen. I just know I executed the steps I outlined and things immediately started working without any reboot or additional effort on my part.
I knew it was working because I plugged in a USB smartcard reader, inserted my PIV card, and locked my screen. With the smartcard inserted I could only unlock my screen with the PIV pin number. With the smartcard removed from the reader I could use my
password. I then logged out, pressed the accept button on my login policy banner, waited for the user ID / password screen to appear, inserted my PIV card into the reader, waited for a few seconds, and OS X automatically detected who I was and asked for my
PIV pin number. All this started working immediately after installing the latest smartcard services. No reboot required.
As I said earlier, my Mac is running Mavericks and is joined natively to AD (no third party software). My login ID is an AD user ID, not a local account.
It just works. :)
Walter
--
Walter Rowe, Hosting Services
Enterprise Systems / OISM
Email: email@hidden
Work: 301-975-2885
On Jan 14, 2014, at 12:26 PM, Jim Thomas <email@hidden> wrote:
Walter,
To clarify, you are manually mapping the PIV cert on your card to a Mobile Account, is that correct?
Regards,
Jim Thomas
On 1/14/14 7:42 AM, Rowe, Walter wrote:
Shawn Geddis posted this on the SmartcardServices Users list last night. The packages have been updated for 10.6 to 10.9, and a new command line now lets you enable or disable easily without manually editing /etc/authorization.
$ security authorizationdb smartcard status
Current smartcard login state: enabled (system.login.console enabled, authentication rule enabled)
YES (0)
$ security authorizationdb smartcard enable
YES (0)
$ security authorizationdb smartcard disable
YES (0)
If you execute the enable or disable as an admin user, the commands above will pop up an authentication panel asking for admin credentials. I’ve tested these on Mavericks with PIV login. Works great. My Mac is joined to an AD domain and I log in with an
AD user ID. This new version was able to map my PIV card to my AD ID automatically after enabling smartcard authentication via the above command line.
Kudos to Shawn!
Walter
--
Walter Rowe, Hosting Services
Enterprise Systems / OISM
Email: email@hidden
Work: 301-975-2885
Begin forwarded message:
Subject: [SmartcardServices-Users] SmartCardServices Installers for OS X v10.6-v10.9 Posted!
Date: January 13, 2014 at 10:06:20 PM EST
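A small audit helper, added here as an example and not part of the thread or of the SmartcardServices package: it parses the status line quoted above and reports whether smartcard login is fully enforced. The thread shows only the enabled-state output, so any other wording is assumed to mean "not enforced"; the `--live` switch and the sample string are constructed for this example.

```shell
# Audit helper: decide from the output of
#   security authorizationdb smartcard status
# whether smartcard login is enforced. Only the "enabled" line is known from
# the thread (assumption: anything else means not enforced).

# smartcard_state STATUS_TEXT -> prints "enabled" or "disabled"
smartcard_state() {
    case "$1" in
        *"Current smartcard login state: enabled"*) echo enabled ;;
        *) echo disabled ;;
    esac
}

# smartcard_rules_ok STATUS_TEXT -> 0 only if both sub-rules report enabled
smartcard_rules_ok() {
    case "$1" in
        *"system.login.console enabled"*"authentication rule enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_smartcard_login STATUS_TEXT -> 0 when fully enforced, 1 otherwise
audit_smartcard_login() {
    state=$(smartcard_state "$1")
    if [ "$state" = enabled ] && smartcard_rules_ok "$1"; then
        echo "OK: smartcard login enforced"
        return 0
    fi
    echo "WARN: smartcard login not (fully) enforced: $1"
    return 1
}

# Constructed sample, copied from the status output quoted in the thread.
SAMPLE_ENABLED='Current smartcard login state: enabled (system.login.console enabled, authentication rule enabled)'

# With --live on a Mac that has the security tool, audit the real state;
# otherwise run against the constructed sample so the script works anywhere.
if [ "${1:-}" = "--live" ] && command -v security >/dev/null 2>&1; then
    audit_smartcard_login "$(security authorizationdb smartcard status 2>&1)"
else
    audit_smartcard_login "$SAMPLE_ENABLED"
fi
```

A nonzero exit from `audit_smartcard_login` flags a machine where password-only login is still possible, which is the state to catch in a fleet check.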
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden