Bug 1260081

Running command

$ OPENSC_DEBUG=3 /usr/libexec/gnome-settings-daemon -r --debug 2>&1 

on a RHEL 7.1 machine yields a lot more output than on 7.2. On 7.1, the output line
"(gnome-settings-daemon:22222): smartcard-plugin-DEBUG: attempting to load NSS database '/etc/pki/nssdb'"

is followed by a lots and lots of opensc-pkcs11 debug output, indicating that the connection between gsd -> nss -> opensc -> card is actually working. 

on 7.2, there is no opensc debug output at all.

also:

pcscd in debug mode shows that smartcard insertion and removal is detected by pcscd:

Card inserted into Alcor Micro AU9540 ...
Card removed from Alcor Micro AU9549 ...

to clarify, on 7.1 gsd debug output shows:

(gnome-settings-daemon:26374): smartcard-plugin-DEBUG: Getting list of suitable drivers
(gnome-settings-daemon:26374): smartcard-plugin-DEBUG: Activating driver 'OpenSC PKCS #11 Module'
(gnome-settings-daemon:26374): smartcard-plugin-DEBUG: watching for smartcard events
...



on 7.2, gsd output stops after:

(gnome-settings-daemon:26374): smartcard-plugin-DEBUG: Getting list of suitable drivers

some more debugging...

in gsd-smartcard-manager.c gsd tries to get a list of all pkcs11 modules from nssdb, via
driver_list = SECMOD_GetDefaultModuleList();

in function 'activate_all_drivers_async'. However, this only returns one module for me, the "NSS Internal PKCS #11 Module". Even though I have the opensc module added in nssdb, this is never returned from SECMOD_GetDefaultModuleList(). 


content of my nssdb:
$ modutil -list -dbdir /etc/pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

  2. p11-kit-trust
	library name: /usr/lib64/pkcs11/p11-kit-trust.so
	 slots: 2 slots attached
	status: loaded

	 slot: /etc/pki/ca-trust/source
	token: System Trust

	 slot: /usr/share/pki/ca-trust-source
	token: Default Trust

  3. OpenSC PKCS #11 Module
	library name: /usr/lib64/pkcs11/opensc-pkcs11.so
	 slots: 2 slots attached
	status: loaded

	 slot: Virtual hotplug slot
	token: 

	 slot: Alcor Micro AU9540 00 00
	token: Instant EID IP9 (identification)



Not sure if I am doing something really stupid or if it's a bug in nss rather than gsd. 

I appreciate any pointers and will gladly provide more info if needed.

*** Bug 1251545 has been marked as a duplicate of this bug. ***

hm, just realized we use the nssdb sql format, so the above modutil command show contents of this. Don't know how gsd deals with this, but it works in 7.1. We have the env. variable NSS_DEFAULT_DB_TYPE set to 'sql', which should be enough to get the correct nssdb from gsd, no?

I'm not authorized to view the bug which this one has been marked a duplicate of. Could someone enlighten me what that bug is about, or maybe make it public?

Hi Adam, it was the other way around. we took an internal bug reported by QE and duplicated it to your bug since your bug is public.  The internal bug doesn't add any details you haven't already contributed.

*** Bug 1259515 has been marked as a duplicate of this bug. ***

so what's going on here is the sharing plugin in gnome-settings-daemon is using nm client api to initialize nss with insufficient flags.  then the smartcard plugin gets loaded later and its init function becomes a noop.

We can workaround this in the smartcard plugin by changing the init function it uses.

ah, great!

Quick workaround for me right now is to disable the sharing plugin in gnome-settings-daemon.

Using gnome-settings-daemon-3.14.4-8.el7 I still the issue in the bug description. This is what I am trying

1. Configure using authconfig to lock screen on smart card removal
2. Log into gnome with smartcard.
3. Remove smartcard and the screen is not locked

Thanks for the quick turnaround. I've reproduced the failure and see the problem.

I didn't notice during my own testing because I neglected to undo the workaround Adam alluded to in comment 14.

Will build fix shortly.

I just tried the new
  gnome-settings-daemon-3.14.4-9.el7
and it really fixes the issue.  The screen now locks when the card is removed and the PIN prompt is displayed when putting it back.  Cool!

Ray,

I see that the issue reported in this bug is working fine. But I see the following issue:

- Enable smartcard login
- Disable "Require smartcard for Login"
- Login using smartcard with kerberos user
- Lock the screen
- When the smartcard is not inserted, the kerberos password is prompted (no message to insert smartcard) and unlocks the screen when the password is provided.

Expected behavior is

A message is displayed to the user asking them to insert the smart card they used to login previously (Kerberos password should not be prompted)

I am marking the bug assigned, let me know if this issue is not related to this component.

yup, please file that separately against gnome-shell

Thanks, I have opened a new bug https://bugzilla.redhat.com/show_bug.cgi?id=1263759

*** Bug 1272919 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2157.html