14.2. Authentication

14.2.1. Using Enterprise Credentials to Log into GNOME

If your network has an Active Directory or Identity Management domain available, and you have a domain account, you can use your domain credentials to log into GNOME.
If the machine has been successfully configured for domain accounts, users can log into GNOME using their accounts. At the login prompt, type the domain user name followed by an @ sign, and then your domain name. For example, if your domain name is example.com and the user name is User, type:
User@example.com
In cases where the machine is already configured for domain accounts, you should see a helpful hint describing the login format.

14.2.1.1. Choosing to Use Enterprise Credentials During Welcome Screens

If you have not yet configured the machine for enterprise credentials, you can do so at the Welcome screens that are part of the GNOME Initial Setup program.

Procedure 14.1. Configuring Enterprise Credentials

  1. At the Login welcome screen, choose Use Enterprise Login.
  2. Type the name of your domain in the Domain field if it is not already prefilled.
  3. Type your domain account user and password in the relevant fields.
  4. Click Next.
Depending on how the domain is configured, a prompt may show up asking for the domain administrator's name and password in order to proceed.

14.2.1.2. Changing to Use Enterprise Credentials to Log into GNOME

If you have already completed initial setup and want to start using a domain account to log into GNOME, you can do this from the Users panel in GNOME Settings.

Procedure 14.2. Configuring Enterprise Credentials

  1. Click your name on the top bar and select Settings from the menu.
  2. From the list of items, select Users.
  3. Click the Unlock button and type the computer administrator's password.
  4. Click the + button in the lower left of the window.
  5. Select the Enterprise Login pane.
  6. Enter the domain, user, and password for your Enterprise account, and click Add.
Depending on how your domain is configured, a prompt may show up asking for the domain administrator's name and password in order to proceed.

14.2.1.3. Troubleshooting and Advanced Setup

The realm command and its various subcommands can be used to troubleshoot the enterprise login feature. For example, to see whether the machine has been configured for enterprise logins, run the following command:
$ realm list
Network administrators are encouraged to pre-join workstations to a relevant domain. This can be done using the kickstart realm join command, or by running realm join in an automated fashion from a script.
Getting More Information
Red Hat Enterprise Linux 7 Windows Integration Guide – The Windows Integration Guide for Red Hat Enterprise Linux 7 provides more detailed information about using realmd to connect to an Active Directory domain.

14.2.2. Enabling Smart Card Authentication

Enabling smart card authentication requires two consecutive steps:
  1. Configuration of GDM to allow prompting for smart cards
  2. Configuration of the operating system to allow using smart cards to log in

1. Configuration of GDM to allow prompting for smart cards

You can configure GDM to allow prompting for smart card authentication in two ways:
dconf editor GUI

Procedure 14.3. Enabling smart card authentication using dconf editor GUI

  1. Uncheck the box for the org.gnome.login-screen enable-password-authentication dconf key.
  2. Check the box for the org.gnome.login-screen enable-smartcard-authentication dconf key.
dconf-tool

Procedure 14.4. Enabling smart card authentication using dconf-tool

  1. Create a keyfile in the /etc/dconf/db/gdm.d directory.
  2. Add the following content to this keyfile:
    [org/gnome/login-screen]
    enable-password-authentication=false
    enable-smartcard-authentication=true
    
  3. Update the system dconf databases:
    # dconf update
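
A check for the keyfile from Procedure 14.4, as an added example that is not part of the original guide: it reads the two keys from the [org/gnome/login-screen] group and confirms they are written as GVariant booleans, since a quoted value such as 'true' is a string rather than a boolean. The function names and the sample keyfiles are constructed for illustration.

```shell
# Added example, not from the guide; function names are illustrative.
# Print the raw value of key $2 in the [org/gnome/login-screen] group of file $1.
login_screen_value() {
    awk -v key="$2" '
        /^[ \t]*#/  { next }                                    # comment line
        /^[ \t]*\[/ { grp = $0; gsub(/[ \t]/, "", grp); next }  # group header
        grp == "[org/gnome/login-screen]" {
            eq = index($0, "="); if (!eq) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v                               # keep the last assignment
        }
        END { print val }
    ' "$1"
}

# Classify a raw value: bare true/false is a GVariant boolean, quoted is a string.
classify_value() {
    case "$1" in
        true|false) echo "bool:$1" ;;
        \'*\'|\"*\") echo "string" ;;
        *) echo "${1:-unset}" ;;
    esac
}

# Return 0 only if passwords are disabled and smart cards enabled, as booleans.
audit_smartcard_keyfile() {
    file=$1 rc=0
    for pair in enable-password-authentication:false enable-smartcard-authentication:true; do
        key=${pair%%:*} want=${pair##*:}
        got=$(classify_value "$(login_screen_value "$file" "$key")")
        if [ "$got" = "bool:$want" ]; then echo "OK   $key=$want"
        else echo "FAIL $key: expected boolean $want, found $got"; rc=1; fi
    done
    return $rc
}

demo() {  # constructed samples: a correct keyfile and one with quoted values
    d=$(mktemp -d)
    printf '%s\n' '[org/gnome/login-screen]' 'enable-password-authentication=false' \
        'enable-smartcard-authentication=true' > "$d/good"
    printf '%s\n' '[org/gnome/login-screen]' "enable-password-authentication='false'" \
        "enable-smartcard-authentication='true'" > "$d/quoted"
    for f in good quoted; do
        echo "== $f"; audit_smartcard_keyfile "$d/$f" || echo "-> not smart-card-only"
    done
    rm -rf "$d"
}
demo
```

To audit a real system, call audit_smartcard_keyfile with the path of the keyfile created in /etc/dconf/db/gdm.d.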

2. Configuration of the operating system to allow using smart cards to log in

After GDM has been configured for smart card authentication, use the system-config-authentication tool to configure the system to allow users to use smart cards, making their use available to GDM as a valid authentication method for the graphical environment. The tool is provided by the authconfig-gtk package.
To learn more about configuring the system to allow smart card authentication, and to learn more about the system-config-authentication tool, see the Red Hat Enterprise Linux 7 System-Level Authentication Guide.

14.2.3. Enabling Fingerprint Authentication

To allow users to log in using their enrolled fingerprints, use the system-config-authentication tool to enable fingerprint authentication. The tool is provided by the authconfig-gtk package.
To learn more about fingerprint authentication and the system-config-authentication tool, see the Red Hat Enterprise Linux 7 System-Level Authentication Guide.