Gdm and smartcard authentication on 9.0

I run a freeipa domain locally. I’ve used the ipa-advise uttility to generate a script that sets up a system to allow smartcard authentication through gdm or at the console. This had not worked a few months ago but tried it again today and seems go to go now at least on an RL8.6 system.

Just tried the same script on a RL9.0 system and it would not let me login using smartcard auth. Anyone know what might have changed to cause this?

ADDED: I’ve tried that script on a handful of other 8.6 systems and they won’t let me authenticate through GDM with a smartcard/pin. So I’ve got one 8.6 system that is working but the others won’t. The config on them all should be identical.

I should mention that smartcard authentication does work for resources accessed over the web and in thunderbird. The basic access to the smartcard is okay. This problem only seems to be with authentication at the console or via GDM so far.

When you log in using GDM, you will see a lot of log entries, including smart cards and fingerprint readers.

Yes I do, but none of what I do see indicates a problem or misconfiguration.

Did some more testing on a newly installed 8.6 system. My account can login using smartcard on the console and through GDM. Another admin can login on the console but not through GDM. The only indication we’re seeing of any failure is a cryptic entry in /var/log/messages:

Nov  7 09:30:18 lafayette krb5_child[17585]: Can't verify certificate

Googled for krb5_child and “can’t verify certificate” comes up with nothing. A little more searching indicated that krb5-pkinit was a problem. Removed that from an 8.6 system and smartcard auth starts working as expected. Tried it on a 9.0 system and dnf wanted to remove some ipa, sssd and python packages. Removed just the krb5-pkinit package with rpm and smartcard auth starts working as expected.

I suspect that at some time in the future an update is gonna reinstall the krb5-pkinit package and break smartcard authentication. Can anyone shed some light on what it is in that package that is causing this problem? Perhaps there’s a config that can be set somewhere so the package can be installed but not block smartcard authentication.