14.2. Authentication
14.2.1. Using Enterprise Credentials to Log into GNOME
If your network has an Active Directory or Identity Management domain available, and you have a domain account, you can use your domain credentials to log into GNOME.
If the machine has been successfully configured for domain accounts, users can log into GNOME using their accounts. At the login prompt, type the domain user name followed by an @ sign, and then your domain name. For example, if your domain name is example.com and the user name is User, type:
User@example.com
In cases where the machine is already configured for domain accounts, you should see a helpful hint describing the login format.
14.2.1.1. Choosing to Use Enterprise Credentials During Welcome Screens
If you have not yet configured the machine for enterprise credentials, you can do so at the Welcome screens that are part of the GNOME Initial Setup program.
Procedure 14.1. Configuring Enterprise Credentials
- At the Login welcome screen, choose .
- Type the name of your domain in the Domain field if it is not already prefilled.
- Type your domain account user and password in the relevant fields.
- Click.
Depending on how the domain is configured, a prompt may show up asking for the domain administrator's name and password in order to proceed.
14.2.1.2. Changing to Use Enterprise Credentials to Log into GNOME
If you have already completed initial setup and wish to start using a domain account to log into GNOME, you can do so from the Users panel in the GNOME Settings.
Procedure 14.2. Configuring Enterprise Credentials
- Click your name on the top bar and select Settings from the menu.
- From the list of items, select Users.
- Click the Unlock button and type the computer administrator's password.
- Click the button in the lower left of the window.
- Select the Enterprise Login pane.
- Enter the domain, user, and password for your Enterprise account, and click Add.
Depending on how your domain is configured, a prompt may show up asking for the domain administrator's name and password in order to proceed.
14.2.1.3. Troubleshooting and Advanced Setup
The realm command and its various subcommands can be used to troubleshoot the enterprise login feature. For example, to see whether the machine has been configured for enterprise logins, run the following command:
$ realm list
Network administrators are encouraged to pre-join workstations to a relevant domain. This can be done using the kickstart realm join command, or by running realm join in an automated fashion from a script.
Getting More Information
Red Hat Enterprise Linux 7 Windows Integration Guide – The Windows Integration Guide for Red Hat Enterprise Linux 7 provides more detailed information about using realmd to connect to an Active Directory domain.
14.2.2. Enabling Smart Card Authentication
Enabling smart card authentication requires two consecutive steps:
- Configuration of GDM to allow prompting for smart cards
- Configuration of the operating system to allow using smart cards to log in
1. Configuration of GDM to allow prompting for smart cards
You can configure GDM to allow prompting for smart card authentication in two ways:
dconf editor GUI
Procedure 14.3. Enabling smart card authentication using dconf editor GUI
- Uncheck the box for the org.gnome.login-screen enable-password-authentication dconf key.
- Check the box for the org.gnome.login-screen enable-smartcard-authentication dconf key.
dconf-tool
Procedure 14.4. Enabling smart card authentication using dconf-tool
- Create a keyfile in the /etc/dconf/db/gdm.d directory.
- Add the following content to this keyfile:
[org/gnome/login-screen]
# Both keys are booleans, so the values are written without quotes
enable-password-authentication=false
enable-smartcard-authentication=true
- Update the system dconf databases:
# dconf update
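A keyfile written for Procedure 14.4 can be checked before dconf update is run. The following is an added example, not part of the original guide: the function names are hypothetical, it inspects a single keyfile only, and it assumes boolean keys are written as bare true/false (GVariant text syntax), so a quoted value is reported as a string instead of being accepted.

```shell
#!/bin/sh
# Added example: audit one dconf keyfile for the GDM login-screen keys
# from Procedure 14.4. Usage after sourcing: check_gdm_keyfile FILE
# (FILE is a keyfile such as one placed under /etc/dconf/db/gdm.d).

# Print the raw value assigned to key $2 in [org/gnome/login-screen] of file $1.
login_screen_value() {
    awk -v want="$2" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line == "" || substr(line, 1, 1) == "#" { next }   # blank or comment
        substr(line, 1, 1) == "[" {                        # section header
            insec = (line == "[org/gnome/login-screen]"); next
        }
        insec {
            eq = index(line, "=")
            if (!eq) next
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v)
            if (k == want) val = v        # a later assignment replaces an earlier one
        }
        END { print val }
    ' "$1"
}

# Classify key $2 in file $1 against the expected bare boolean $3.
check_key() {
    v=$(login_screen_value "$1" "$2")
    case "$v" in
        "$3")          echo "ok" ;;
        "")            echo "missing" ;;
        \'*\'|\"*\")   echo "quoted-string" ;;   # string value, not a boolean
        *)             echo "wrong" ;;
    esac
}

# Report both keys; return 0 only if password login is off and smart card is on.
check_gdm_keyfile() {
    p=$(check_key "$1" enable-password-authentication false)
    s=$(check_key "$1" enable-smartcard-authentication true)
    echo "password=$p smartcard=$s"
    [ "$p" = ok ] && [ "$s" = ok ]
}
```

A non-zero return means the keyfile as written would not give the smart-card-only login prompt the procedure is meant to produce.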
2. Configuration of the operating system to allow using smart cards to log in
After GDM has been configured for smart card authentication, use the system-config-authentication tool to configure the system to allow users to use smart cards, making their use available to GDM as a valid authentication method for the graphical environment. The tool is provided by the authconfig-gtk package.
To learn more about configuring the system to allow smart card authentication, and to learn more about the system-config-authentication tool, see the Red Hat Enterprise Linux 7 System-Level Authentication Guide.
14.2.3. Enabling Fingerprint Authentication
To allow users to log in using their enrolled fingerprints, use the system-config-authentication tool to enable fingerprint authentication. The tool is provided by the authconfig-gtk package.
To learn more about fingerprint authentication and the system-config-authentication tool, see the Red Hat Enterprise Linux 7 System-Level Authentication Guide.