Bug 1260081
Summary: | smartcard removal/insertion not detected (7.2 beta) | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | adam winberg <adam.winberg> |
Component: | gnome-settings-daemon | Assignee: | Rui Matos <rmatos> |
Status: | CLOSED ERRATA | QA Contact: | Desktop QE <desktop-qa-list> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 7.2 | CC: | aakkiang, kbanerje, mclasen, mdomonko, rpattath, tlavigne, tpelka, tscherf |
Target Milestone: | rc | Keywords: | Regression, TestBlocker |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | gnome-settings-daemon-3.14.4-9.el7 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-11-19 08:28:43 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
adam winberg
2015-09-04 11:52:41 UTC
Running command $ OPENSC_DEBUG=3 /usr/libexec/gnome-settings-daemon -r --debug 2>&1 on a RHEL 7.1 machine yields a lot more output than on 7.2. On 7.1, the output line "(gnome-settings-daemon:22222): smartcard-plugin-DEBUG: attempting to load NSS database '/etc/pki/nssdb'" is followed by a lots and lots of opensc-pkcs11 debug output, indicating that the connection between gsd -> nss -> opensc -> card is actually working. on 7.2, there is no opensc debug output at all. also: pcscd in debug mode shows that smartcard insertion and removal is detected by pcscd: Card inserted into Alcor Micro AU9540 ... Card removed from Alcor Micro AU9549 ... to clarify, on 7.1 gsd debug output shows: (gnome-settings-daemon:26374): smartcard-plugin-DEBUG: Getting list of suitable drivers (gnome-settings-daemon:26374): smartcard-plugin-DEBUG: Activating driver 'OpenSC PKCS #11 Module' (gnome-settings-daemon:26374): smartcard-plugin-DEBUG: watching for smartcard events ... on 7.2, gsd output stops after: (gnome-settings-daemon:26374): smartcard-plugin-DEBUG: Getting list of suitable drivers some more debugging... in gsd-smartcard-manager.c gsd tries to get a list of all pkcs11 modules from nssdb, via driver_list = SECMOD_GetDefaultModuleList(); in function 'activate_all_drivers_async'. However, this only returns one module for me, the "NSS Internal PKCS #11 Module". Even though I have the opensc module added in nssdb, this is never returned from SECMOD_GetDefaultModuleList(). content of my nssdb: $ modutil -list -dbdir /etc/pki/nssdb/ Listing of PKCS #11 Modules ----------------------------------------------------------- 1. NSS Internal PKCS #11 Module slots: 2 slots attached status: loaded slot: NSS Internal Cryptographic Services token: NSS Generic Crypto Services slot: NSS User Private Key and Certificate Services token: NSS Certificate DB 2. p11-kit-trust library name: /usr/lib64/pkcs11/p11-kit-trust.so slots: 2 slots attached status: loaded slot: /etc/pki/ca-trust/source token: System Trust slot: /usr/share/pki/ca-trust-source token: Default Trust 3. OpenSC PKCS #11 Module library name: /usr/lib64/pkcs11/opensc-pkcs11.so slots: 2 slots attached status: loaded slot: Virtual hotplug slot token: slot: Alcor Micro AU9540 00 00 token: Instant EID IP9 (identification) Not sure if I am doing something really stupid or if it's a bug in nss rather than gsd. I appreciate any pointers and will gladly provide more info if needed. *** Bug 1251545 has been marked as a duplicate of this bug. *** hm, just realized we use the nssdb sql format, so the above modutil command show contents of this. Don't know how gsd deals with this, but it works in 7.1. We have the env. variable NSS_DEFAULT_DB_TYPE set to 'sql', which should be enough to get the correct nssdb from gsd, no? I'm not authorized to view the bug which this one has been marked a duplicate of. Could someone enlighten me what that bug is about, or maybe make it public? Hi Adam, it was the other way around. we took an internal bug reported by QE and duplicated it to your bug since your bug is public. The internal bug doesn't add any details you haven't already contributed. *** Bug 1259515 has been marked as a duplicate of this bug. *** so what's going on here is the sharing plugin in gnome-settings-daemon is using nm client api to initialize nss with insufficient flags. then the smartcard plugin gets loaded later and its init function becomes a noop. We can workaround this in the smartcard plugin by changing the init function it uses. ah, great! Quick workaround for me right now is to disable the sharing plugin in gnome-settings-daemon. Using gnome-settings-daemon-3.14.4-8.el7 I still the issue in the bug description. This is what I am trying 1. Configure using authconfig to lock screen on smart card removal 2. Log into gnome with smartcard. 3. Remove smartcard and the screen is not locked Thanks for the quick turnaround. I've reproduced the failure and see the problem. I didn't notice during my own testing because I neglected to undo the workaround Adam alluded to in comment 14. Will build fix shortly. I just tried the new gnome-settings-daemon-3.14.4-9.el7 and it really fixes the issue. The screen now locks when the card is removed and the PIN prompt is displayed when putting it back. Cool! Ray, I see that the issue reported in this bug is working fine. But I see the following issue: - Enable smartcard login - Disable "Require smartcard for Login" - Login using smartcard with kerberos user - Lock the screen - When the smartcard is not inserted, the kerberos password is prompted (no message to insert smartcard) and unlocks the screen when the password is provided. Expected behavior is A message is displayed to the user asking them to insert the smart card they used to login previously (Kerberos password should not be prompted) I am marking the bug assigned, let me know if this issue is not related to this component. yup, please file that separately against gnome-shell Thanks, I have opened a new bug https://bugzilla.redhat.com/show_bug.cgi?id=1263759 *** Bug 1272919 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2157.html |