Bug 1583836
| Summary: | Not able to unlock Gnome screen with SmartCard using Coolkey | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Josip Vilicic <jvilicic> |
| Component: | gdm | Assignee: | Ray Strode [halfline] <rstrode> |
| Status: | CLOSED ERRATA | QA Contact: | Desktop QE <desktop-qa-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.5 | CC: | cww, djasa, jwright, mclasen, sean, tpelka, weihao.bj |
| Target Milestone: | rc | Keywords: | OtherQA |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | gnome-shell-3.28.3-12.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-03-31 19:38:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1727111 | | |
| Attachments: | | | |
TEST SETUP

Distro: RHEL-7.8-20190905.0
Component version:
gnome-shell-3.28.3-16.el7
coolkey-1.1.0-40.el7

```
# lsusb
ID 072f:90cc Advanced Card Systems, Ltd ACR38 SmartCard Reader
```

TEST PROCEDURE

1. Follow instructions from: Red Hat Enterprise Linux > 7 > System-Level Authentication Guide > 4.4. Smart Cards https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/smartcards#authconfig-smartcards
2. Follow instructions for testing SmartCards from TCMS plan: https://tcms.engineering.redhat.com/case/172836/?from_plan=18015#attachment
3. Use a security certificate, which is in the test case in section Attachments: IdmqeLabEngBosRedhatCom_2015-2023.pem
4. Restart GDM.
5. Try to log in.

RESULT

GDM requires PIN. I enter the correct PIN, but I cannot log in.

Created attachment 1614418 [details]
SmartCard information
Created attachment 1614419 [details]
Listing of PKCS #11 Modules
I have no additional data to provide, but I have about 20 desktops that exhibit similar behavior after update from 7.6 to 7.7.

It appears the problem my systems are experiencing is related to the update to opensc-0.19.0. This version of opensc replaces /etc/opensc-x86_64.conf with a symlink to /etc/opensc.conf, unless /etc/opensc-x86_64.conf has been modified, and in that case it creates an opensc-x86_64.conf.rpmnew. The supplied opensc.conf contains very little information and configuration based on the differences with the opensc-x86_64.conf from the previous version in 7.6. I have made an effort, which I'm not sure is entirely correct, to port my config customization to /etc/opensc.conf. It seems I am not able to get past the gnome-shell screen locker w/ smartcard authentication after these changes.

It works using:
coolkey-1.1.0-40.el7.x86_64, or:
opensc-0.19.0-3.el7.x86_64
pam_pkcs11-0.6.2-30.el7.x86_64
gdm-3.28.2-18.el7.x86_64
gnome-shell-3.28.3-18.el7.x86_64

Getting it working however took some while, with no particular change clear that would block it. I suspected:
- coolkey vs. opensc in /etc/pam_pkcs11/pam_pkcs11.conf. At the end of the day, both middlewares work
- certificates on card. The card is old and certs are only 1024b RSA. I suspected they're refused by crypto policies but they're not

What seems to have made it work:
- the CA had to be imported to /etc/pki/nssdb
- the module specified in /etc/pam_pkcs11/pam_pkcs11.conf has to be loaded in nssdb (modutil -dbdir /etc/pki/nssdb -list); p11-kit magic doesn't seem to work even though p11-kit list-modules shows card certificates info just fine

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2020:1021

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days
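The two conditions the comment above credits for the fix, the module named in /etc/pam_pkcs11/pam_pkcs11.conf being loaded in /etc/pki/nssdb and the CA being imported there, as an added consistency check in Python (not code from this bug report, from Red Hat or from the pam_pkcs11 project); the configuration file and the modutil/certutil outputs it parses are constructed samples, and "Example Lab CA" is a placeholder nickname:

```python
# Added example (not from this bug report or any Red Hat tool): cross-checks the
# two findings above -- the module pam_pkcs11.conf selects must be loaded in
# /etc/pki/nssdb, and a CA with the 'C' trust flag must be present there.
# All inputs are constructed samples in the formats the real file/tools use.
import re
# constructed: /etc/pam_pkcs11/pam_pkcs11.conf, abridged
PAM_PKCS11_CONF = """
pam_pkcs11 {
  use_pkcs11_module = opensc;
  pkcs11_module coolkey { module = libcoolkeypk11.so; }
  pkcs11_module opensc { module = /usr/lib64/pkcs11/opensc-pkcs11.so; }
}
"""
# constructed: output of `modutil -dbdir /etc/pki/nssdb -list`
MODUTIL_LIST = """
Listing of PKCS #11 Modules
  1. CoolKey PKCS #11 Module
        library name: libcoolkeypk11.so
        status: loaded
"""
# constructed: output of `certutil -L -d /etc/pki/nssdb` (placeholder CA nickname)
CERTUTIL_LIST = """
Certificate Nickname                              Trust Attributes
Example Lab CA                                    CT,C,C
"""

def configured_module(conf):
    """Return (name, library) of the module use_pkcs11_module points at."""
    name = re.search(r'use_pkcs11_module\s*=\s*(\S+?)\s*;', conf).group(1)
    block = re.search(r'pkcs11_module\s+' + re.escape(name) + r'\s*\{(.*?)\}', conf, re.S)
    return name, re.search(r'module\s*=\s*(\S+?)\s*;', block.group(1)).group(1)

def nssdb_libraries(modutil_out):
    """Basenames of every PKCS #11 library loaded in the NSS database."""
    return {m.rsplit('/', 1)[-1] for m in re.findall(r'library name:\s*(\S+)', modutil_out)}

def has_ca_trust(certutil_out):
    """True if some certificate's SSL trust column contains 'C' (trusted CA)."""
    flags = re.findall(r'^\S.*?\s{2,}([A-Za-z,]+)\s*$', certutil_out, re.M)
    return any('C' in f.split(',')[0] for f in flags)

def check_smartcard_setup(conf, modutil_out, certutil_out):
    """List mismatches that leave pam_pkcs11 unable to verify the card."""
    problems = []
    name, lib = configured_module(conf)
    if lib.rsplit('/', 1)[-1] not in nssdb_libraries(modutil_out):
        problems.append(f"module '{name}' ({lib}) is not loaded in /etc/pki/nssdb")
    if not has_ca_trust(certutil_out):
        problems.append("no CA with a 'C' trust flag in /etc/pki/nssdb")
    return problems
```

With the samples as written, the check reports that opensc is selected but only the CoolKey module is loaded, which is exactly the mismatch the comment describes.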
Created attachment 1445552 [details]
/var/log/messages with GDM Debug enabled

Description of problem:
After logging in successfully, the user is not able to unlock Gnome screen with a SmartCard using Coolkey

Version-Release number of selected component (if applicable):
gdm-3.26.2.1-5.el7.x86_64
coolkey-1.1.0-37.el7.x86_64

How reproducible:
consistent

Steps to Reproduce:
1) Configure a RHEL 7.5 server to authenticate with a SmartCard, and successfully authenticate on the console
2) Authenticate successfully with the SmartCard on the Gnome GUI
3) Lock the screen
4) Try to unlock screen

Actual results:
The box that should accept the user's PIN keeps flashing and the line under it says "Authentication error".

Expected results:
the screen is unlocked

Additional info:
1) At first, the customer was unable to log into the GUI with the smartcard altogether, but after performing these steps, they were able to log in (but still unable to unlock the screen):

```
# /bin/rm /var/cache/coolkey/*
# logrotate -f /etc/logrotate.conf
# systemctl restart gdm.service
```

And while in the user's home directory (/home/jmulholl):

```
# rm -rf .gnome2_private .gnome .gnome2 .gconf .gconfd .metacity .cache .dbus .dmrc .mission-control .thumbnails ~/.config/dconf/user
logrotate -f /etc/logrotate.conf
```

2) These are some of the errors we see in /var/log/messages with GDM debugging enabled:

```
May 25 16:45:28 nix436975 journal: JS WARNING: [resource:///org/gnome/shell/ui/modalDialog.js 218]: reference to undefined property "GdkX11Screen"
May 25 16:45:28 nix436975 journal: JS ERROR: TypeError: can't convert undefined to object#012ObjectManager<._onNameVanished@resource:///org/gnome/shell/misc/objectManager.js:241:34#012wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22#012ObjectManager<._onManagerProxyLoaded/<@resource:///org/gnome/shell/misc/objectManager.js:191:17
May 25 16:45:28 nix436975 org.gtk.vfs.Daemon: A connection to the bus can't be made
May 25 16:45:28 nix436975 com.redhat.imsettings: [ 1527281128.424883]: IMSettings-Daemon[23745]: INFO: Release the ownership of com.redhat.imsettings
May 25 16:45:28 nix436975 com.redhat.imsettings: Exiting...
May 25 16:45:28 nix436975 com.redhat.imsettings: [ 1527281128.429624]: GLib-GIO[23745]: CRITICAL **: Error while sending AddMatch() message: The connection is closed
May 25 16:45:28 nix436975 com.redhat.imsettings: [ 1527281128.430494]: GLib-GIO[23745]: CRITICAL **: Error while sending AddMatch() message: The connection is closed
May 25 16:45:28 nix436975 org.gnome.Shell.CalendarServer: gnome-shell-calendar-server[24037]: Lost (or failed to acquire) the name org.gnome.Shell.CalendarServer - exiting
May 25 16:45:28 nix436975 com.redhat.imsettings: [ 1527281128.431358]: IMSettings-Daemon[23745]: INFO: Unloading imesttings module: qt
May 25 16:45:28 nix436975 com.redhat.imsettings: [ 1527281128.432487]: IMSettings-Daemon[23745]: INFO: Unloading imesttings module: gsettings
May 25 16:45:28 nix436975 journal: Error releasing name org.freedesktop.portal.IBus: The connection is closed
May 25 16:45:28 nix436975 com.redhat.imsettings: [ 1527281128.433306]: IMSettings-Daemon[23745]: INFO: imsettings-daemon is shut down.
May 25 16:45:28 nix436975 org.freedesktop.Tracker1: Received signal:15->'Terminated'
May 25 16:45:28 nix436975 org.freedesktop.Tracker1: OK
May 25 16:45:29 nix436975 org.a11y.atspi.Registry: SpiRegistry daemon is running with well-known name - org.a11y.atspi.Registry
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): Could not make systemd aware of QT_IM_MODULE=ibus environment variable: GDBus.Error:org.freedesktop.DBus.Error.Spawn.ChildExited: Process org.freedesktop.systemd1 exited with status 1
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): Could not make systemd aware of XMODIFIERS=@im=ibus environment variable: GDBus.Error:org.freedesktop.DBus.Error.Spawn.ChildExited: Process org.freedesktop.systemd1 exited with status 1
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): Could not make systemd aware of GNOME_DESKTOP_SESSION_ID=this-is-deprecated environment variable: GDBus.Error:org.freedesktop.DBus.Error.Spawn.ChildExited: Process org.freedesktop.systemd1 exited with status 1
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): Could not make systemd aware of XDG_MENU_PREFIX=gnome- environment variable: GDBus.Error:org.freedesktop.DBus.Error.Spawn.ChildExited: Process org.freedesktop.systemd1 exited with status 1
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): Using systemd for session tracking
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): GsmManager: setting client store 0x1b89e50
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): Could not make systemd aware of SESSION_MANAGER=local/unix:@/tmp/.ICE-unix/24672,unix/unix:/tmp/.ICE-unix/24672 environment variable: GDBus.Error:org.freedesktop.DBus.Error.Spawn.ChildExited: Process org.freedesktop.systemd1 exited with status 1
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): GsmXsmpServer: SESSION_MANAGER=local/unix:@/tmp/.ICE-unix/24672,unix/unix:/tmp/.ICE-unix/24672
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): emitting SessionIsActive
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): fill: *** Getting session 'gnome'
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): fill: *** Looking if /var/lib/gdm/.config/gnome-session/sessions/gnome.session is a valid session file
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): Cannot use session '/var/lib/gdm/.config/gnome-session/sessions/gnome.session': non-existing or invalid file.
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): fill: *** Looking if /etc/xdg/gnome-session/sessions/gnome.session is a valid session file
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): Cannot use session '/etc/xdg/gnome-session/sessions/gnome.session': non-existing or invalid file.
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): fill: *** Looking if /usr/share/gdm/greeter/gnome-session/sessions/gnome.session is a valid session file
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): Cannot use session '/usr/share/gdm/greeter/gnome-session/sessions/gnome.session': non-existing or invalid file.
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): fill: *** Looking if /usr/local/share/gnome-session/sessions/gnome.session is a valid session file
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): Cannot use session '/usr/local/share/gnome-session/sessions/gnome.session': non-existing or invalid file.
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): fill: *** Looking if /usr/share/gnome-session/sessions/gnome.session is a valid session file
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): fill: *** Checking required components
May 25 16:45:42 nix436975 gnome-session-binary[24672]: DEBUG(+): GsmManager: unable to find application for client - not restarting
May 25 16:45:42 nix436975 gdm: Failed to remove greeter program access to the display. Trying to proceed.
May 25 16:45:43 nix436975 com.redhat.imsettings: [ 1527281143.062934]: IMSettings-Daemon[25077]: INFO: Starting imsettings-daemon...
May 25 16:45:43 nix436975 com.redhat.imsettings: [ 1527281143.063927]: IMSettings-Daemon[25077]: INFO: [HOME=/home/jmulholl/.config/imsettings]
May 25 16:45:43 nix436975 com.redhat.imsettings: [ 1527281143.064559]: IMSettings-Daemon[25077]: INFO: [XINPUTRCDIR=/etc/X11/xinit/]
May 25 16:45:43 nix436975 com.redhat.imsettings: [ 1527281143.065214]: IMSettings-Daemon[25077]: INFO: [XINPUTDIR=/etc/X11/xinit/xinput.d/]
May 25 16:45:43 nix436975 com.redhat.imsettings: [ 1527281143.066753]: IMSettings-Daemon[25077]: INFO: [MODULEDIR=/usr/lib64/imsettings]
May 25 16:45:43 nix436975 com.redhat.imsettings: [ 1527281143.068080]: IMSettings-Daemon[25077]: INFO: [MODULES=gsettings, qt]
May 25 16:45:43 nix436975 org.gtk.vfs.Daemon: fusermount: failed to open mountpoint for reading: Permission denied
May 25 16:45:45 nix436975 dbus[1511]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service'
May 25 16:45:45 nix436975 dbus[1511]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit not found.
May 25 16:45:45 nix436975 journal: Failed to connect to avahi service: Daemon not running
May 25 16:45:45 nix436975 dbus[1511]: [system] Successfully activated service 'org.freedesktop.GeoClue2'
May 25 16:45:45 nix436975 systemd: Started Location Lookup Service.
May 25 16:45:45 nix436975 journal: Failed to register AuthenticationAgent
May 25 16:45:45 nix436975 org.gtk.vfs.AfcVolumeMonitor: Volume monitor alive
May 25 16:45:45 nix436975 spice-vdagent[25496]: Cannot access vdagent virtio channel /dev/virtio-ports/com.redhat.spice.0
May 25 16:45:45 nix436975 gnome-session: gnome-session-binary[24939]: WARNING: App 'spice-vdagent.desktop' exited with code 1
May 25 16:45:45 nix436975 gnome-session-binary[24939]: WARNING: App 'spice-vdagent.desktop' exited with code 1
May 25 16:45:45 nix436975 journal: Error setting up rfkill: Could not open RFKILL control device, please verify your installation
May 25 16:45:45 nix436975 org.gnome.SettingsDaemon.Mouse.desktop: error: XDG_RUNTIME_DIR not set in the environment.
May 25 16:45:45 nix436975 org.gnome.SettingsDaemon.Wacom.desktop: error: XDG_RUNTIME_DIR not set in the environment.
May 25 16:45:45 nix436975 journal: Loading NVML: libnvidia-ml.so: cannot open shared object file: No such file or directory
May 25 16:45:45 nix436975 journal: Failed to get current display configuration state: GDBus.Error:org.freedesktop.DBus.Error.NameHasNoOwner: Name "org.gnome.Mutter.DisplayConfig" does not exist
May 25 16:45:45 nix436975 org.gnome.SettingsDaemon.Keyboard.desktop: error: XDG_RUNTIME_DIR not set in the environment.
May 25 16:45:45 nix436975 journal: Failed to get password expiration policy for user: GDBus.Error:org.freedesktop.Accounts.Error.NotSupported: account expiration policy unknown to accounts service
May 25 16:45:45 nix436975 kernel: xhci_hcd 0000:00:14.0: WARN Event TRB for slot 1 ep 4 with no TDs queued?
May 25 16:45:45 nix436975 journal: Unable to inhibit keypresses: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Permission denied
May 25 16:45:45 nix436975 journal: failed to obtain org.freedesktop.color-manager.create-profile auth
May 25 16:45:49 nix436975 journal: g_slice_set_config: assertion 'sys_page_size == 0' failed
May 25 16:46:05 nix436975 journal: JS ERROR: Failed to open reauthentication channel: Gio.DBusError: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: No session available#012ShellUserVerifier<._reauthenticationChannelOpened@resource:///org/gnome/shell/gdm/util.js:364:34#012wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
```