Bug 770127

Summary: RHEL6.2 guest can not see any certificates on the token passed through via spice
Product: Red Hat Enterprise Linux 6 Reporter: David Jaša <djasa>
Component: spice-serverAssignee: Alon Levy <alevy>
Status: CLOSED DUPLICATE QA Contact: Desktop QE <desktop-qa-list>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.3CC: acathrow, cfergeau, dblechte, mkenneth, rrelyea
Target Milestone: alpha   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-07 18:39:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
pcscd log from client machine
none
spicec.log (with SPICEC_LOG_LEVEL=0)
none
qemu-kvm log (with smartcard-related debug levels set to 4)
none
pcscd log from guest machine
none
guest pcscd and pklogin_finder blended log
none
spicec.log (with SPICEC_LOG_LEVEL=0) none

Description David Jaša 2011-12-23 13:53:14 UTC 
Description of problem:
SSIA. The client system is configured properly, the very same card e.g. logs users in, but in the guest system, pcscd sees the card but not certs stored there.

Version-Release number of selected component (if applicable):
pcsc-lite-1.5.2-6.el6.x86_64 (both client and guest)
qemu-kvm-0.12.1.2-2.209.el6_2.1.x86_64
spice-client-0.8.2-7.el6.x86_64
spice-server-0.8.2-5.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. configure client system to be able to work with smartcard
2. configure guest system the same way
3. connect from client to guest using 'spicec <other_options> --smartcard'
4. run 'pklogin_finder debug' in the guest
  
Actual results:
no token is shown

Expected results:
token on the device is shown

Additional info:
'pklogin_finder debug' output:
$ pklogin_finder debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ...  NSS Complete
DEBUG:pklogin_finder.c:71: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:222: Looking up module in list
DEBUG:pkcs11_lib.c:225: modList = 0x187c6a0 next = 0x188df30

DEBUG:pkcs11_lib.c:226: dllName= <null> 

DEBUG:pkcs11_lib.c:225: modList = 0x188df30 next = 0x0

DEBUG:pkcs11_lib.c:226: dllName= libcoolkeypk11.so 

DEBUG:pklogin_finder.c:79: initialising pkcs #11 module...
DEBUG:pklogin_finder.c:95: no token available

all other stuff in attachments
Comment 1 David Jaša 2011-12-23 13:57:42 UTC 
Created attachment 549349 [details]
pcscd log from client machine
Comment 2 David Jaša 2011-12-23 13:58:35 UTC 
Created attachment 549350 [details]
spicec.log (with SPICEC_LOG_LEVEL=0)
Comment 3 David Jaša 2011-12-23 13:59:23 UTC 
Created attachment 549351 [details]
qemu-kvm log (with smartcard-related debug levels set to 4)
Comment 4 David Jaša 2011-12-23 14:00:05 UTC 
Created attachment 549352 [details]
pcscd log from guest machine
Comment 5 Alon Levy 2011-12-29 09:02:11 UTC 
Hi Robert,

 Can you take a look?

Alon
Comment 6 David Jaša 2012-01-06 17:08:22 UTC 
Created attachment 551209 [details]
guest pcscd and pklogin_finder blended log

Two more logs, just from time when "pklogin_finder debug" is run. This one is blended guest pcscd and pklogin (pklogin output redirected to pcscd's console).

The other one is spicec output with maximum log level.

[lines in brackets like this denote my description of event]
Comment 7 David Jaša 2012-01-06 17:09:06 UTC 
Created attachment 551210 [details]
spicec.log (with SPICEC_LOG_LEVEL=0)
Comment 8 Bob Relyea 2012-02-29 02:14:14 UTC 
David, do you have a guest set up that I can log into and test?

bob
Comment 9 David Jaša 2012-03-01 18:12:16 UTC 
(In reply to comment #8)
> David, do you have a guest set up that I can log into and test?
> 
> bob

I've prepared a guest for you and I've emailed details of it to you directly. If it is not usable to you, just create a plain RHEL 6.2 VM on top of plain RHEL 6.2 host yourself.
Comment 10 Bob Relyea 2012-03-06 01:40:17 UTC 
Thanks David.

Where the Cards you were testing with have 1 or 2 certificates on them? If so then this is probably a dup of bug 700907. The virtual machine you set up for me now has development built version of coolkey that should fix the problem if you want to verify that your card now works.

If it does work, you can close this bug as a dup of 700907. I was able to see 3 certificate cards fine without the patched version of coolkey, but I was using the spice client on fedora 15.

spice-client-0.8.1-1.fc15.x86_64


bob
Comment 11 David Jaša 2012-03-07 18:39:51 UTC 
Bob, I could make the smartcard auth work in the machine with your coolkey so I'm marking as dupe as requested.

*** This bug has been marked as a duplicate of bug 700907 ***