Bug 1259515

Summary: Prompting for kerberos user password after screen lock : logged in using smartcard pin with kerberos user
Product: Red Hat Enterprise Linux 7 Reporter: Roshni <rpattath>
Component: coolkeyAssignee: Bob Relyea <rrelyea>
Status: CLOSED DUPLICATE QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.2CC: kbanerje, ovasik, rpattath, rstrode, sbose
Target Milestone: rcKeywords: Regression, TestBlocker
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-09-10 18:04:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Roshni 2015-09-02 20:45:33 UTC 
Description of problem:
Prompting for kerberos user password after screen lock : logged in using smartcard pin with kerberos user

Version-Release number of selected component (if applicable):
pam_krb5-2.4.8-4.el7.x86_64
pam_pkcs11-0.6.2-23.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Login using smartcard pin with kerberos user
2. Lock the screen

Actual results:
Screen unlock prompts for kerberos user password

Expected results:
Screen unlock should prompt for smartcard pin

Additional info:
Comment 3 Sumit Bose 2015-09-03 07:34:20 UTC 
Can you attach your PAM configuration?
Comment 5 Roshni 2015-09-03 19:52:27 UTC 
Seeing the same issue when logging in using a smartcard that has been enrolled with a local user (non-kerberos). So changing the component to pam_pkcs11.
Comment 6 Bob Relyea 2015-09-09 00:48:18 UTC 
OK, here's what I'm seeing:

If I turn on smartcard login and turn on lock when card is removed (using /sbin/system-config-authentication from authconfig-gtk):
  - I can log in using the smart card.
  - If I remove the smart card the display lock and the display goes blank.
  - If I insert the smart card again, it's read, but it does not trigger the screen saver.
  - Moving the mouse or hitting enter does bring up the smart card prompt, however.

Is this what you were seeing?

rpm -q pam_pkcs11
pam_pkcs11-0.6.2-23.el7.x86_64

rpm -q coolkey
coolkey-1.1.0-28.2.el7_bob.x86_64

Note: if that's the case, pam_pkcs11 isn't involved. the screen-saver and coolkey are the ones that decide how to bring up the lock. pam_pkcs11 is involved after the fact (when the screen saver decides to authenticate, it then calls pam_pkcs11.

bob
Comment 7 Bob Relyea 2015-09-09 21:33:54 UTC 
roshni, is this what you are seeing as well, or your you seeing something different?
Comment 8 Roshni 2015-09-10 13:56:58 UTC 
Bob,

For this bug this is not what I am seeing. I have turned on smartcard login, ignore when smartcard is removed, turned on create home directory on login.

-I manually lock the screen
-Move the mouse
-Unlock screen prompts for password of the user on the smartcard and not the smartcard pin
Comment 9 Bob Relyea 2015-09-10 16:36:42 UTC 
Roshni, did you log in using the smart card?
Comment 10 Roshni 2015-09-10 16:40:45 UTC 
Yes Bob. I noticed that you are using a different coolkey build could try with the build in https://errata.devel.redhat.com/advisory/21064/builds, because with this build I also see that lock screen on smartcard removal is also not working. I am changing the bug component to coolkey.
Comment 11 Ray Strode [halfline] 2015-09-10 18:04:27 UTC 

*** This bug has been marked as a duplicate of bug 1260081 ***
Comment 12 Bob Relyea 2015-09-10 22:30:30 UTC 
OK, it looks like Ray answered the question I was going to ask before I asked it. This is an existing bug in RHEL 7, not related to pam_pkcs11 or coolkey (neither even gets called in the failing case).