Bug 1005334 - Unable to login using smart card after adding the coolkey module to /etc/pki/nssdb
Summary: Unable to login using smart card after adding the coolkey module to /etc/pki/...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: coolkey
Version: 6.5
Hardware: i386
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Bob Relyea
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-09-06 16:39 UTC by Roshni
Modified: 2013-11-21 23:06 UTC (History)
3 users (show)

Fixed In Version: coolkey-1.1.0-30.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-21 23:06:13 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1699 0 normal SHIPPED_LIVE coolkey bug fix and enhancement update 2013-11-20 21:52:09 UTC

Description Roshni 2013-09-06 16:39:36 UTC 
Description of problem:
Unable to login using smartcard after adding coolkey module to /etc/pki/nssdb. pklogin_finder shows an error load_pkcs11_module() failed.

Version-Release number of selected component (if applicable):
RHEL 6.5
coolkey-1.1.0-29.el6
pam_pkcs11-0.6.2-13.el6

How reproducible:
always

Steps to Reproduce:
1. Setup kerberos for smartcard login.
2. Login to RHEL 6.5 Client machine using the smart card and check if the kerberos creds can be obtained.
3. Add the coolkey module to /etc/pki/nssdb/ as follows
modutil -add "CoolKey PKCS#11 Module" -dbdir /etc/pki/nssdb -libfile /usr/lib/pkcs11/libcoolkeypk11.so
4. Logout and try to select the smartcard login option.

Actual results:
The smart card login option cannot be selected. Login as local user and execute pklogin_finder debug, fails to recognize the card with error: load_pkcs11_module() failed

Expected results:
Should be able to login using smartcard and kerberos credentials should be valid

Additional info:
Comment 2 Bob Relyea 2013-09-06 21:23:08 UTC 
The basic problem is pk11install only works with paths, not sql: or dbm: paths.
Comment 4 Roshni 2013-09-09 18:35:45 UTC 
When the build in the errata is installed, the PKCS#11 Coolkey Module is automatically added to /etc/pki/nssdb and smartcard login works fine.

If the PKCS#11 Coolkey Module is deleted and added back again, the issue described in this bug is seen (unable to login using smartcard)
Comment 5 Bob Relyea 2013-09-09 18:39:44 UTC 
Roshni, please to ls -s /etc/pki/nssdb

if pkcs11.txt does not have group other read, hand change it. There is an NSS bug against this issue.
Comment 6 Roshni 2013-09-09 20:41:42 UTC 
I changed the permission of group other to read for the file pkcs11.txt, the issue still exists.
Comment 7 Bob Relyea 2013-09-09 21:51:26 UTC 
Roshni, can you point me to your machines that are misbehaving?
Comment 9 Roshni 2013-09-16 17:13:28 UTC 
Bob,

The machine is ready, you can have a look at the issue. Let me know if you need any more information from my side.
Comment 10 Roshni 2013-09-25 19:17:36 UTC 
Coolkey seem seems to be working fine, the bug seems to be on the pam_pkcs11 component as in bug https://bugzilla.redhat.com/show_bug.cgi?id=1012082
Comment 12 Bob Relyea 2013-11-12 01:19:16 UTC 
this was ultimately not a coolkey bug, the fix was elsewhwere, so no docs needed for coolkey.
Comment 13 errata-xmlrpc 2013-11-21 23:06:13 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1699.html
Note You need to log in before you can comment on or make changes to this bug.