Bug 246517

Summary: pam_pkcs11's NSS causing login to exit early
Product: [Fedora] Fedora Reporter: Nalin Dahyabhai <nalin>
Component: nssAssignee: Kai Engert (:kaie) (inactive account) <kengert>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: medium    
Version: rawhideCC: dwalsh, riek, rrelyea
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-07-13 11:06:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nalin Dahyabhai 2007-07-02 19:37:25 UTC 
Description of problem:
We're looking at Dan Walsh's laptop, and it looks like the copy of netstat which
NSS is forking (he's using pam_pkcs11) is the child whose exit status is getting
reaped by login (instead of the login shell).  The result is that he's getting
logged out immediately after typing in his password.

Version-Release number of selected component (if applicable):
nss-3.11.7-4.fc8
util-linux-2.13-0.51.fc7
pam_pkcs11-0.5.3-24

How reproducible:
Intermittent, but quite frequently on this one machine.

Steps to Reproduce:
1. Enable pam_pkcs11.
2. Turn off pcscd (if it matters, I'm not sure if it does).
3. Attempt to log in using a password (i.e., without using a smart card).
  
Actual results:
Correct password is typed, user is dumped back to the login prompt.  The system
log notes a successful login, PAM session open/close and all.

Expected results:
A shell prompt.

Additional info:
Daniel's also had a similar experience with pkinit-nss and NSS -- I'll CC him on
this report.  Per bug #238893, it sounds like we can just disable the whole
start-netstat code path at build time and call it solved.
Comment 1 Kai Engert (:kaie) (inactive account) 2007-07-12 01:47:59 UTC 
This package version was supposed to include a fix that avoids netstat.
As you found out in that other bug, that fix wasn't working.

I'll build an updated nss package with the improved fix now...
Comment 2 Kai Engert (:kaie) (inactive account) 2007-07-12 03:08:16 UTC 
Can you please test nss-3.11.7-5.fc8 ?
Comment 3 Daniel Walsh 2007-07-13 11:06:59 UTC 
Confirmed.