Bug 1816591

Summary: p11_child should have an option to skip C_WaitForSlotEvent if the PKCS#11 module does not implement it properly [rhel-8.1.0.z]
Product: Red Hat Enterprise Linux 8
Reporter: RHEL Program Management Team <pgm-rhel-tools>
Component: sssd
Assignee: Alexey Tikhonov <atikhono>
Status: CLOSED ERRATA
QA Contact: sssd-qe <sssd-qe>
Severity: high
Priority: high
Version: 8.0
CC: aheverle, amitkuma, atikhono, grajaiya, jhrozek, lslebodn, msauton, mzidek, pbrezina, sbose, sgoveas, spoore, spurrier, toneata, tscherf
Target Milestone: rc
Keywords: ZStream
Target Release: 8.0
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.2.0-19.el8_1.1
Doc Type: If docs needed, set a value
Clone Of: 1718193
Last Closed: 2020-04-07 10:56:39 UTC
Bug Depends On: 1718193

Comment 3 Scott Poore 2020-03-25 16:15:03 UTC
Verified.

Version ::

sssd-2.2.0-19.el8_1.1.x86_64

Results ::

First reproducing with sssd-2.0.0-43.el8_0.3.x86_64

[root@rhel8-3 ~]# authselect enable-feature with-smartcard-required

[root@rhel8-3 ~]# authselect enable-feature with-smartcard-lock-on-removal

[root@rhel8-3 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel8-3 ~]# systemctl restart gdm

[root@rhel8-3 ~]# tail -1 -f /var/log/secure 
...
Mar 25 11:03:20 rhel8-3 gdm-smartcard][5319]: pam_sss(gdm-smartcard:auth): User info message: Please enter smart card labeled#012 sctest (MyEID)
Mar 25 11:03:24 rhel8-3 gdm-smartcard][5329]: pam_sss(gdm-smartcard:auth): User info message: Please enter smart card labeled#012 sctest (MyEID)
Mar 25 11:03:29 rhel8-3 gdm-smartcard][5339]: pam_sss(gdm-smartcard:auth): User info message: Please enter smart card labeled#012 sctest (MyEID)
Mar 25 11:03:33 rhel8-3 gdm-smartcard][5349]: pam_sss(gdm-smartcard:auth): User info message: Please enter smart card labeled#012 sctest (MyEID)
Mar 25 11:03:37 rhel8-3 gdm-smartcard][5359]: pam_sss(gdm-smartcard:auth): User info message: Please enter smart card labeled#012 sctest (MyEID)
Mar 25 11:03:42 rhel8-3 gdm-smartcard][5377]: pam_sss(gdm-smartcard:auth): User info message: Please enter smart card labeled#012 sctest (MyEID)
Mar 25 11:03:46 rhel8-3 gdm-smartcard][5396]: pam_sss(gdm-smartcard:auth): User info message: Please enter smart card labeled#012 sctest (MyEID)

When the screensaver appears, I trigger login and see:

Please enter smart card labeled...
Sorry that didn't work, please try again

looping every few seconds.

Now verifying after upgrading to:  sssd-2.2.0-19.el8_1.1.x86_64

[root@rhel8-3 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel8-3 ~]# systemctl restart gdm

[root@rhel8-3 ~]# tail -f /var/log/secure 
...
Mar 25 11:10:59 rhel8-3 gdm-smartcard][7815]: pam_sss(gdm-smartcard:auth): User info message: Please enter smart card labeled#012 sctest (MyEID)


In the gnome session, I pulled the card and the screen locked.  I slide up to access login and it prompts:

Please enter smart card labeled
 sctest (MyEID)

I see no loop and only one error message in /var/log/secure.

I reinsert the card, it prompts for the PIN, and I log back in and see this in secure:

Mar 25 11:13:31 rhel8-3 gdm-smartcard][7870]: pam_sss(gdm-smartcard:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty2 ruser= rhost= user=ipauser1
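
Added example (not part of the original comment and not sssd code): a small log check that flags the prompt loop seen with the older package by looking for bursts of pam_sss "Please enter smart card labeled" messages in /var/log/secure. The thresholds (at least 3 prompts, at most 10 seconds apart) and the year used for the year-less syslog timestamps are assumptions; the sample lines are copied from the excerpts above.

```python
import re
from datetime import datetime, timedelta

# Sample lines copied from the /var/log/secure excerpts in the comment above.
BEFORE = """\
Mar 25 11:03:20 rhel8-3 gdm-smartcard][5319]: pam_sss(gdm-smartcard:auth): User info message: Please enter smart card labeled#012 sctest (MyEID)
Mar 25 11:03:24 rhel8-3 gdm-smartcard][5329]: pam_sss(gdm-smartcard:auth): User info message: Please enter smart card labeled#012 sctest (MyEID)
Mar 25 11:03:29 rhel8-3 gdm-smartcard][5339]: pam_sss(gdm-smartcard:auth): User info message: Please enter smart card labeled#012 sctest (MyEID)
Mar 25 11:03:33 rhel8-3 gdm-smartcard][5349]: pam_sss(gdm-smartcard:auth): User info message: Please enter smart card labeled#012 sctest (MyEID)
"""
AFTER = """\
Mar 25 11:10:59 rhel8-3 gdm-smartcard][7815]: pam_sss(gdm-smartcard:auth): User info message: Please enter smart card labeled#012 sctest (MyEID)
Mar 25 11:13:31 rhel8-3 gdm-smartcard][7870]: pam_sss(gdm-smartcard:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty2 ruser= rhost= user=ipauser1
"""

PROMPT = "Please enter smart card labeled"
# Matches "<ts> <host> <service>][<pid>]: pam_sss(<pam service>): <message>".
LINE_RE = re.compile(
    r"^\s*(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+[^\[\]\s]+\]?\[(?P<pid>\d+)\]:"
    r"\s+pam_sss\([^)]+\):\s+(?P<msg>.*)$"
)

def find_prompt_loops(text, min_prompts=3, max_gap=timedelta(seconds=10), year=2020):
    """Return runs of closely spaced smart card prompts (thresholds are assumptions)."""
    runs, current = [], []

    def flush():
        # Keep the run only if it is long enough to look like a loop.
        if len(current) >= min_prompts:
            runs.append({"start": current[0][0], "end": current[-1][0],
                         "prompts": len(current), "pids": [p for _, p in current]})
        current.clear()

    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        if PROMPT in m["msg"]:
            if current and ts - current[-1][0] > max_gap:
                flush()  # gap too long: the previous burst has ended
            current.append((ts, int(m["pid"])))
        elif "authentication success" in m["msg"]:
            flush()  # a successful login ends any burst
    flush()
    return runs

if __name__ == "__main__":
    for name, log in (("before", BEFORE), ("after", AFTER)):
        print(name, find_prompt_loops(log))
```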

Comment 9 errata-xmlrpc 2020-04-07 10:56:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1377