Chapter 18. Authenticating the user in the desktop environment

You can perform the following operations:

  • Configure enterprise login options in GNOME,
  • Enable smart card authentication, and
  • Enable fingerprint authentication.

18.1. Using enterprise credentials to authenticate in GNOME

You can use your enterprise domain credentials to access your system. This section explains how to log in using enterprise credentials in GNOME, configure enterprise credentials at the GNOME welcome screen, and add an authenticated user with enterprise credentials in GNOME.

18.1.1. Logging in with Enterprise Credentials in GNOME

You can use your domain credentials to log in to GNOME if your network has an Active Directory or Identity Management domain available, and you have a domain account.

Prerequisites

Procedure

  • While logging in, enter the domain user name followed by an @ sign, and then your domain name.

    For example, if your domain name is example.com and the user name is User, enter:

    User@example.com

    Note

    If the machine is already configured for domain accounts, you should see a helpful hint describing the login format.

18.1.2. Configuring enterprise credentials at the GNOME welcome screen

Perform the following steps to configure a workstation for enterprise credentials using the welcome screen that belongs to the GNOME Initial Setup program.

The initial setup runs only when you create a new user and log into that account for the first time.

Procedure

  1. At the login welcome screen, choose Use Enterprise Login.
  2. Enter your domain name into the Domain field.
  3. Enter your domain account user name and password.
  4. Click Next.
  5. Depending on the domain configuration, a pop up prompts for the domain administrator’s credentials.

18.1.3. Adding an authenticated user with enterprise credentials in GNOME

This procedure helps to create a new user through the GNOME Settings application. The user is authenticated using enterprise credentials.

Prerequisites

Procedure

  1. Open the Settings window by clicking the icons in the top right corner of the screen.
  2. From the list of items, select Details > Users.
  3. Click Unlock and enter the administrator’s password.
  4. Click Add user…
  5. Click Enterprise Login.
  6. Fill out the Domain, Username, and Password fields for your enterprise account.
  7. Click Add.
  8. Depending on the domain configuration, a pop up prompts for the domain administrator’s credentials.

18.1.4. Troubleshooting enterprise login in GNOME

You can use the realm utility and its various sub-commands to troubleshoot the enterprise login configuration.

Procedure

  • To see whether the machine is configured for enterprise logins, run the following command:

    $ realm list

Note

Network administrators can configure and pre-join workstations to the relevant domains using the kickstart realm join command, or running realm join in an automated fashion from a script.
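
The following added example (not part of the original guide) parses realm list output to report whether a realm is joined and to expand the login format into the name to type at the login screen. The function names and the sample output are constructed for illustration; on a live system, pipe realm list into the functions instead.

```shell
#!/bin/sh
# Added example: summarise `realm list` output read from stdin.

# Print one line per realm: <domain> <configured> <login-format> <login-policy>
realm_summary() {
    awk '
        function emit() { if (dom != "") print dom, conf, fmt, pol }
        /^[^ \t]/ { emit(); dom = $1; conf = fmt = pol = "-"; next }
        $1 == "configured:"    { conf = $2 }
        $1 == "login-formats:" { fmt = $2; sub(/,$/, "", fmt) }
        $1 == "login-policy:"  { pol = $2 }
        END { emit() }
    '
}

# Return 0 if at least one realm is joined (configured is neither "no" nor absent).
is_enrolled() {
    realm_summary | awk '$2 != "no" && $2 != "-" { ok = 1 } END { exit !ok }'
}

# Expand %U in the first joined realm's login format for user $1.
login_name() {
    realm_summary | LOGIN_USER="$1" awk '
        $2 != "no" && $2 != "-" && (i = index($3, "%U")) {
            print substr($3, 1, i - 1) ENVIRON["LOGIN_USER"] substr($3, i + 2); exit }'
}

# Constructed sample of `realm list` output for a joined Active Directory domain.
sample_realm_list() {
    cat <<'EOF'
example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@example.com
  login-policy: allow-realm-logins
EOF
}

sample_realm_list | realm_summary
sample_realm_list | login_name User
```

An empty summary means no realm is configured, so enterprise login is not available on the machine.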

Additional resources

  • The realm man page.

18.2. Enabling smart card authentication

You can enable workstations to authenticate using smart cards. To do so, you must configure GDM to allow prompting for smart cards and configure the operating system to log in using a smart card.

You can configure GDM to allow prompting for smart card authentication in two ways: with the GUI or from the command line.

18.2.1. Configuring smart card authentication in GDM using the GUI

You can enable smart card authentication using the dconf Editor GUI. The dconf Editor application helps to update the configuration-related values in a dconf database.

Prerequisites

  • Install the dconf-editor package:

    # yum install dconf-editor

Procedure

  1. Open the dconf Editor application and navigate to /org/gnome/login-screen.
  2. Turn on the enable-password-authentication option.
  3. Turn on the enable-smartcard-authentication option.

Additional resources

  • The dconf-editor man page.
  • The dconf man page.

18.2.2. Configuring smart card authentication in GDM using the command line

You can use the dconf command-line utility to enable the GDM login screen to recognize smart card authentication.

Procedure

  1. Create a keyfile for the GDM database in /etc/dconf/db/gdm.d/login-screen, which contains the following content:

    [org/gnome/login-screen]
    enable-password-authentication=false
    enable-smartcard-authentication=true
  2. Update the system dconf databases:

    # dconf update
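
Added example (not part of the original guide): a shell check for the keyfile from step 1. It reports values written as quoted strings, which are GVariant strings rather than the booleans these keys expect, and confirms that smart card login is enabled and password login is disabled. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a GDM dconf keyfile for the smart card login keys.

# Print the raw value of key $2 in the [org/gnome/login-screen] group of file $1.
keyfile_value() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_group = ($0 ~ /^[ \t]*\[org\/gnome\/login-screen\][ \t]*$/); next }
        !in_group || /^[ \t]*#/ { next }
        {
            eq = index($0, "="); if (!eq) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# Return 0 only if both keys are real booleans, smart card login is enabled and
# password login is disabled; otherwise print findings and return 1.
audit_gdm_keyfile() {
    rc=0
    sc=$(keyfile_value "$1" enable-smartcard-authentication)
    pw=$(keyfile_value "$1" enable-password-authentication)
    for pair in "enable-smartcard-authentication=$sc" "enable-password-authentication=$pw"; do
        case ${pair#*=} in
            true|false) ;;
            "") echo "MISSING: ${pair%%=*} is not set in this keyfile"; rc=1 ;;
            \'*\'|\"*\") echo "TYPE: ${pair%%=*} is a quoted string, not a boolean"; rc=1 ;;
            *) echo "INVALID: $pair"; rc=1 ;;
        esac
    done
    [ "$sc" = true ] || { echo "WEAK: smart card login is not explicitly enabled"; rc=1; }
    [ "$pw" = false ] || { echo "WEAK: password login is not explicitly disabled"; rc=1; }
    return "$rc"
}

# Constructed sample: the quoted value is a GVariant string, so this file fails.
sample=$(mktemp)
printf '%s\n' '[org/gnome/login-screen]' \
    "enable-password-authentication='false'" \
    'enable-smartcard-authentication=true' > "$sample"
audit_gdm_keyfile "$sample" || echo "result: smart card-only login not enforced"
rm -f "$sample"
```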

Additional resources

  • The dconf man page.

18.2.3. Enabling the smart card authentication method in the system

For smart card authentication, you can use the system-config-authentication tool to configure the system to allow you to use smart cards. This makes GDM available as a valid authentication method for the graphical environment. The tool is provided by the authconfig-gtk package.

Prerequisites

  • Install the authconfig-gtk package
  • Configure GDM for smart card authentication

Additional resources

18.3. Fingerprint authentication

You can use the system-config-authentication tool to enable fingerprint authentication, which allows users to log in using their enrolled fingerprints. The tool is provided by the authconfig-gtk package.

Additional resources