Bug 1796190

Summary: backport smart card insertion fix
Product: Red Hat Enterprise Linux 8
Reporter: Brandon Clark <brclark>
Component: gnome-settings-daemon
Assignee: Ray Strode [halfline] <rstrode>
Status: MODIFIED
QA Contact: Michael Boisvert <mboisver>
Severity: unspecified
Priority: unspecified
Version: 8.1
CC: alanm, amike, brclark, casantos, hdegoede, jwright, mkolbas, rstrode, sbarcomb, sbose, spurrier, tpelka
Target Milestone: rc
Keywords: OtherQA, Triaged
Target Release: 8.0
Flags: mboisver: needinfo? (spurrier)
Hardware: Unspecified
OS: Unspecified
Whiteboard: OtherQA
Fixed In Version: gnome-settings-daemon-3.32.0-20.el8
Doc Type: If docs needed, set a value
Type: Bug

Description Brandon Clark 2020-01-29 19:41:30 UTC
Description of problem:
GDM does not automatically prompt for password when a smart card is inserted. After inserting the smart card, you must key in the user name before it reads the smart card.

Version-Release number of selected component (if applicable):
- Red Hat Enterprise Linux 8.1
- sssd-common-pac-2.2.0-19.el8.x86_64
- sssd-krb5-2.2.0-19.el8.x86_64
- pcsc-lite-1.8.23-3.el8.x86_64
- sssd-2.2.0-19.el8.x86_64
- sssd-nfs-idmap-2.2.0-19.el8.x86_64
- gdm-3.28.3-22.el8.x86_64
- sssd-ldap-2.2.0-19.el8.x86_64
- pcsc-lite-devel-1.8.23-3.el8.x86_64
- pcsc-lite-libs-1.8.23-3.el8.x86_64
- sssd-krb5-common-2.2.0-19.el8.x86_64
- sssd-ipa-2.2.0-19.el8.x86_64
- sssd-kcm-2.2.0-19.el8.x86_64
- pcsc-lite-ccid-1.4.29-3.el8.x86_64
- sssd-client-2.2.0-19.el8.x86_64
- sssd-proxy-2.2.0-19.el8.x86_64
- sssd-common-2.2.0-19.el8.x86_64
- sssd-ad-2.2.0-19.el8.x86_64
- python3-sssdconfig-2.2.0-19.el8.noarch

How reproducible:
Consistently.

Steps to Reproduce:
Unable to reproduce using CAC card on front-line due to lack of resources. A backline engineer was able to reproduce mostly using Yubikey.

Actual results:
When smart-card is inserted, user must be manually chosen before prompt is given.

Expected results:
When smart-card is inserted, user is detected and password prompt is given.

Additional info:
cat /etc/authselect/dconf-db
# Generated by authselect on Thu Nov 21 10:48:15 2019
# Do not modify this file manually.

[org/gnome/login-screen]
enable-smartcard-authentication=true
enable-fingerprint-authentication=false
enable-password-authentication=false

smart card readers in use:
Bus 002 Device 023: ID 076b:3022 OmniKey AG CardMan 3021
Bus 002 Device 024: ID 08e6:3437 Gemalto (was Gemplus) GemPC Twin SmartCard Reader
Bus 002 Device 025: ID 1050:0406 Yubico.com Yubikey 4 U2F+CCID
Bus 002 Device 026: ID 04e6:5814 SCM Microsystems, Inc.
Bus 002 Device 027: ID 058f:9540 Alcor Micro Corp. AU9540 Smartcard Reader


/etc/pam.d/smartcard-auth:

auth        required                                     pam_env.so
auth        sufficient                                    pam_sss.so forward_pass allow_missing_name
auth        required                                     pam_deny.so

account     required                                    pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                    pam_permit.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session     optional                                    pam_systemd.so
session     optional                                     pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore]       pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                      pam_sss.so
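
To separate a configuration problem from the gnome-settings-daemon bug tracked here, the added example below (not part of the original report or of any Red Hat tooling) checks the two posted files for the settings that username-less smart card login at GDM depends on: the login-screen dconf key and the `allow_missing_name` option of pam_sss.so, which lets SSSD determine the user from the card's certificate. The function names and the choice of checks are assumptions of this example; the sample input is copied from the report.

```python
import configparser
import re

# Copied from the report above: authselect's dconf db and the auth lines of smartcard-auth.
DCONF_DB = """\
[org/gnome/login-screen]
enable-smartcard-authentication=true
enable-fingerprint-authentication=false
enable-password-authentication=false
"""
PAM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_sss.so forward_pass allow_missing_name
auth        required      pam_deny.so
"""

# type, control (plain word or [bracketed list]), module, optional arguments
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, [args]) for each non-comment PAM line."""
    rules = []
    for raw in text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if m:
            rules.append((m[1], m[2], m[3], m[4].split()))
    return rules

def check_smartcard_login(dconf_text, pam_text):
    """List config problems that would by themselves block username-less login."""
    problems = []
    cfg = configparser.ConfigParser()
    cfg.read_string(dconf_text)
    if cfg.get("org/gnome/login-screen", "enable-smartcard-authentication",
               fallback="false") != "true":
        problems.append("dconf: smart card authentication not enabled for GDM")
    auth = [r for r in parse_pam(pam_text) if r[0] == "auth"]
    sss = [i for i, r in enumerate(auth) if r[2] == "pam_sss.so"]
    deny = [i for i, r in enumerate(auth) if r[2] == "pam_deny.so"]
    if not sss:
        problems.append("pam: no pam_sss.so in the auth stack")
    elif "allow_missing_name" not in auth[sss[0]][3]:
        problems.append("pam: pam_sss.so lacks allow_missing_name")
    if sss and deny and deny[0] < sss[0]:
        problems.append("pam: pam_deny.so precedes pam_sss.so")
    return problems

if __name__ == "__main__":
    print(check_smartcard_login(DCONF_DB, PAM_AUTH) or "config OK")
```

An empty result for the posted files means these configuration prerequisites are in place, so the missing prompt is not explained by them.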

Comment 27 Michael Boisvert 2023-07-26 14:42:54 UTC
Scott, could you please have the customer test: gnome-settings-daemon-3.32.0-20.el8.

https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2610998

Comment 30 Michael Boisvert 2023-08-07 22:54:53 UTC
I am extending the ITM of this bug as far as possible in order to hopefully get customer testing. Otherwise, it will be verified as sanity only.