Understanding sctool
Centrify provides a group policy, Enable smart card support, to enable smart card support on Mac computers. This group policy uses the sctool utility to add smart card specific strings to the authorization database and to create the /etc/cacloginconfig.plist file. In general, you can use the group policy to enable smart card support. However, the sctool utility is also available to specifically configure or diagnose smart card support on any Mac computer.

When you disable smart card support, with the group policy or with sctool, the smart card strings are removed from the authorization database and /etc/cacloginconfig.plist is deleted.

See Configuring a Mac computer for smart card login for detailed information about using group policies to enable smart card login and screen locking.

Note: When you enable or disable smart card support with sctool, the change is temporary unless the group policy, Enable smart card support, is not configured. For example, if the policy is set to enable smart card support and you disable it with sctool, the policy takes effect again at the next reboot and smart card support is re-enabled. If the policy is not configured, you can control smart card support on individual computers using sctool.
Synopsis
sctool -e --enable
-d --disable
-s --status
-u --update-upn-map [mapping]
-D --dump
-S --support
-c --clearcrls
-r --revokecheck
Extra options for -r:
-t --type [ocsp|crl]:[none|best|cert|all]
-p --priority [ocsp|crl|both]
-l --localocsp [ocsp server url]
-k --pkinit userPrincipalName
-a --altpkinit unixname
-E --no-eku
-K --check-kdc-eku
-L --lock-status
-o --sudo enable | disable
Setting valid options
You can use the following options with this command.

Note: Apart from the extra options that accompany -r, and the -K modifier that is used together with -k or -a, you may specify only one option at a time when running sctool.
-e, --enable
    Enable smart card support by making the necessary edits to the authorization database and by creating the /etc/cacloginconfig.plist file.

-d, --disable
    Disable smart card support by removing the smart card specific strings from the authorization database and by deleting /etc/cacloginconfig.plist.

-s, --status
    Show whether smart card support is enabled or disabled. This option outputs one of two messages, one for each state.

-u, --update-upn-map [mapping]
    Specify which field of the smart card certificate is used as the UPN search value.

-D, --dump
    Display information about the system setup and about any smart cards attached to the computer. For each card, this option lists the card type and summary information, then enumerates every identity on the card and lists the details of each.

-S, --support
    Lists the same information as the

-c, --clearcrls
    Removes all CRLs from the keychain.

-r, --revokecheck [-t type] [-p priority] [-l url]
    Change the certificate revocation checking settings. Extra options:

    -t, --type [ocsp|crl]:[none|best|cert|all]
        Change the certificate validation setting for the given method. The method is one of:
            ocsp    Online Certificate Status Protocol.
            crl     Certificate Revocation List.
        The setting is one of:
            none    No revocation checking is performed.
            best    The certificate passes unless the server returns an indication of a bad certificate. This setting is best for most circumstances.
            cert    If the URL to the revocation server is provided in the certificate, this setting requires a successful connection to a revocation server and no indication of a bad certificate. Use only in a tightly controlled environment that guarantees the presence of a CRL server or OCSP responder. If a CRL server or OCSP responder is not available, SSL and S/MIME evaluations could fail to respond.
            all     This setting requires successful validation of all certificates. Use only in a tightly controlled environment that guarantees the presence of a CRL server or OCSP responder. If a CRL server or OCSP responder is not available, SSL and S/MIME evaluations could fail to respond.

    -p, --priority [ocsp|crl|both]
        Determine which method takes priority: ocsp, crl, or both.

    -l, --localocsp [ocsp server url]
        Override the OCSP server URL in the certificate with the URL you specify.

-E, --no-eku
    Allow

-K, --check-kdc-eku
    Enable checking of the KDC certificate for the Extended Key Usage (EKU) extension "Kerberos Authentication". Do not use this option if you have not updated your KDC certificate to include the required EKU; enable EKU checking only after updating it. EKU checking is disabled by default. This option must be used together with -k (--pkinit) or -a (--altpkinit).

-k, --pkinit userPrincipalName
    Obtain Kerberos credentials from the smart card currently in the reader and store them in the user's credential cache. This option obtains a ticket granting ticket (TGT) using the public/private key pair stored on the smart card, which is intended to be used in the same manner as the
    To obtain Kerberos credentials,
    While
    If no suitable certificate is found,
    If the computer is connected to the domain,
    If the user's password has expired,
    To resolve this issue, edit the user's properties in Active Directory Users and Computers (ADUC): on the Account tab, check one or both of the following options:

-a, --altpkinit unixName
    Obtain Kerberos credentials from a multi-user smart card currently in the reader and store them in the user's credential cache. Because the card is configured for multiple accounts, the user is prompted to enter the user name, which the command uses to retrieve the Kerberos credentials.

-L, --lock-status
    Show the smart card lock status for all connected smart cards. Possible values are:

-o, --sudo enable | disable
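Two of the cautions above can be verified before changing anything: -K presumes that the KDC certificate already carries the Kerberos Authentication EKU, and the cert and all settings of -r fail closed when the responder named in a certificate is unreachable. The script below is an added example, not part of Centrify's documentation or of the sctool utility. It uses the openssl and curl command line tools; the OID 1.3.6.1.5.2.3.5 for the KDC EKU comes from RFC 4556 (id-pkinit-KPKdc), and the certificate names, hostnames and responder URL are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Centrify's code: pre-flight checks for the stricter
# sctool settings, run against certificate files exported from the KDC
# and from a user's smart card.
#
#   has_kdc_eku  KDC.pem    "sctool -K" requires the KDC certificate to carry
#                           the "Kerberos Authentication" EKU. RFC 4556 assigns
#                           it OID 1.3.6.1.5.2.3.5 (id-pkinit-KPKdc); OpenSSL
#                           may print it as "Signing KDC Response" or pkInitKDC.
#   ocsp_uri_of  USER.pem   "sctool -r -t ocsp:cert" and "ocsp:all" require the
#                           responder named in the certificate to answer, so
#                           find it and probe it first.
#
# Needs the openssl CLI (1.1.1 or later for -addext) and curl for the probe.
# Hostnames, subjects and the responder URL below are constructed.

KDC_EKU_PATTERN='1\.3\.6\.1\.5\.2\.3\.5|Signing KDC Response|pkInitKDC'

# Exit 0 if the PEM certificate's Extended Key Usage lists the KDC EKU.
has_kdc_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Extended Key Usage' \
        | grep -Eq "$KDC_EKU_PATTERN"
}

# Print the OCSP responder URI from the certificate's AIA extension
# (prints nothing if the certificate names no responder).
ocsp_uri_of() {
    openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null
}

# Exit 0 if the OCSP responder answers an HTTP request within 5 seconds.
responder_reachable() {
    curl -s -o /dev/null -m 5 "$1"
}

# Write a constructed self-signed certificate with one extra X.509 extension;
# used only to exercise the checks offline.
#   make_test_cert OUT.pem COMMON-NAME "ext=value"
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -addext "$3" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Usage: sh sctool_checks.sh KDC.pem [USER.pem]
# With no arguments, runs against constructed certificates instead.
if [ $# -eq 0 ]; then
    demo=$(mktemp -d)
    make_test_cert "$demo/kdc.pem"  kdc.example.test  "extendedKeyUsage=1.3.6.1.5.2.3.5"
    make_test_cert "$demo/user.pem" user.example.test "authorityInfoAccess=OCSP;URI:http://ocsp.example.test/"
    set -- "$demo/kdc.pem" "$demo/user.pem"
fi

if has_kdc_eku "$1"; then
    echo "OK:   $1 carries the Kerberos Authentication EKU; sctool -K can be enabled"
else
    echo "WARN: $1 lacks the Kerberos Authentication EKU; leave sctool -K off"
fi

if [ -n "$2" ]; then
    uri=$(ocsp_uri_of "$2")
    if [ -z "$uri" ]; then
        echo "INFO: $2 names no OCSP responder; -t ocsp:cert would not require one for it"
    elif responder_reachable "$uri"; then
        echo "OK:   OCSP responder $uri answers; -t ocsp:cert or ocsp:all are viable"
    else
        echo "WARN: OCSP responder $uri unreachable; stay on -t ocsp:best until it is"
    fi
fi
```

Run it with the real certificates (the KDC certificate exported from Active Directory and a user certificate read from the card) before issuing sctool -K or sctool -r -t ocsp:cert; with no arguments it exercises both checks on throwaway self-signed certificates, so the responder probe in the demo is expected to fail.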
Examples
Display information about the smart cards attached to the computer:

    sudo sctool -D
    Password:

Enable smart card support:

    sudo sctool -e
    Password: