I recently met this problem, and I finally managed to get it "repaired". Here's the problem and the solution
I met the problem after I installed "smart card services". I reviewed the installation process, and found an option entitled "cacloginconfig" . Here is the description:
This 'default' Property List file (CACLoginConfig.plist) is used by both the "Attribute Matching" and "PKINIT (SSO)" scenarios for Smart Card Services setup.
This file is necessary if you are binding your Smart Card to either: (A) a Local OS X Account (Attribute Matching) (B) Active Directory with Smart Card Login for SSO (PKINIT)
The existence of this file will switch OS X from using the built-in default "PubKeyHash" method to mapping Attribute(s) instead. If this file is deleted or missing on the OS X system, it will revert back to the "PubKeyHash" method for binding a Smart Card to a particular account. the command "sc_auth" is provided on OS X for managing the PubKeyHash usage for accounts.
The contents of this file will configure the desired mapping of supported certificate attribute(s) to a single DS attribute lookup (i.e. Mapping the "NT Principal Name" from the Certificate to the single AD attribute "userPrincipalName"). This is a default property list file that should be modified if required by your DS setup.
The attribute(s) are drawn from your Smart Card based certificate containing "Smartcard Logon ( 1.3.6.1.4.1.311.20.2.2 )" for "Extended Key Usage ( 2.5.29.37 )".
I looked into this bundle, and learned that a plist file named "cacloginconfig.plist" was installed to /etc due to this option. Finally, I executed
sudomv/etc/cacloginconfig.plist/etc/cacloginconfig.plist.bak
and everything went back as normal.
Hope the solution can help you.