Bug 1737555

Summary: pam_pkcs11 error trying to login to the graphical console of the hosted-engine VM
Product: Red Hat Enterprise Virtualization Manager
Component: rhvm-appliance
Version: 4.3.5
Status: CLOSED ERRATA
Severity: medium
Priority: high
Reporter: Simone Tiraboschi <stirabos>
Assignee: Yuval Turgeman <yturgema>
QA Contact: Vojtech Vagner <vvagner>
CC: amashah, dfediuck, emarcus, lleistne, pnovotny, yturgema
Keywords: Rebase, ZStream
Target Milestone: ovirt-4.3.6
Target Release: 4.3.6
Hardware: Unspecified
OS: Unspecified
Fixed In Version: rhvm-appliance-4.3-20190828.0.el7
Doc Type: If docs needed, set a value
Doc Text: When trying to log in to a Self-Hosted Engine virtual machine using a VNC or SPICE console, an error regarding smart card authorization is displayed. With this release, the log in process completes without errors.
Last Closed: 2019-10-14 09:00:48 UTC
Type: Bug
oVirt Team: Node
Attachments: issue (flags: none)

Description Simone Tiraboschi 2019-08-05 16:07:59 UTC
Description of problem:
Trying to log in to the HE VM graphical console, SPICE or VNC, the user receives a:
  ERROR:pam_pkcs11,c:318 load_pkcs11_module() failed:
as soon as he types something at the login prompt.

This doesn't happen connecting over SSH to the same VM.

This happens in FIPS but also not in FIPS mode.

Version-Release number of selected component (if applicable):
4.3 June 05 ova appliance

How reproducible:
?

Steps to Reproduce:
1. deploy HE
2. try to log in to the engine VM via VNC or SPICE console

Actual results:
  ERROR:pam_pkcs11,c:318 load_pkcs11_module() failed:

Expected results:
No PAM errors

Additional info:

Comment 2 Simone Tiraboschi 2019-08-05 16:13:05 UTC
Created attachment 1600657
issue

Comment 3 Simone Tiraboschi 2019-08-05 16:15:43 UTC
Additional info:
It shows a red error line, but with the right login and the right password the user can still successfully log in.

pam_pkcs11.x86_64 0.6.2-30.el7 is installed on the engine VM.

Comment 4 Simone Tiraboschi 2019-08-05 16:20:07 UTC
On journalctl:

ago 05 18:18:58 enginevm.localdomain login[14587]: pam_pkcs11(login:auth): load_pkcs11_module() failed:
ago 05 18:19:02 enginevm.localdomain systemd-logind[1436]: New session 87 of user root.
ago 05 18:19:02 enginevm.localdomain systemd[1]: Started Session 87 of user root.
ago 05 18:19:02 enginevm.localdomain login[14587]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
ago 05 18:19:02 enginevm.localdomain login[14587]: ROOT LOGIN ON tty1

Comment 6 Vojtech Vagner 2019-09-11 09:50:26 UTC
Tried it on an HE with ovirt-engine-4.3.6.5-0.1 and was able to log in successfully without any PAM error, therefore verified.

Comment 11 errata-xmlrpc 2019-10-14 09:00:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3035