Bug 1299981 - Smartcard: Lock-on-remove only works on 2nd and subsequent removals with Gemalto/Safenet eToken 4100 and Safenet Authentication Client [NEEDINFO]
Smartcard: Lock-on-remove only works on 2nd and subsequent removals with Gema...
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: gnome-settings-daemon (Show other bugs)
All Linux
medium Severity medium
: rc
: ---
Assigned To: Rui Matos
Desktop QE
Depends On:
Blocks: 1203710
  Show dependency treegraph
Reported: 2016-01-19 11:27 EST by Ashish Shah
Modified: 2017-07-03 11:04 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-11-15 17:49:46 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
ashishks: needinfo? (rstrode)

Attachments (Terms of Use)
gnome-settings-daemon in debug mode (70.32 KB, text/plain)
2016-01-25 23:29 EST, Ashish Shah
no flags Details
gstack and procfd (1.69 KB, application/x-bzip)
2016-03-01 09:53 EST, Ashish Shah
no flags Details

  None (edit)
Description Ashish Shah 2016-01-19 11:27:04 EST
Description of problem:

GNOME desktop does not lock on the first removal of the smartcard
Reinsert and then remove again locks the screen
all subsequent removals are also fine.
Screen lock on smartcard removal should work first time and every time.

Version-Release number of selected component (if applicable):
Freshly installed RHEL 7.2 physical machine, with all latest updates
Safenet Authentication Client 9.0.43.

How reproducible:
customer tried on physical and virtual environments, and on CentOS

Steps to Reproduce:
1. Configure rhel7.2 system for smartcard authentication with Safenet Authentication Client
2. Configure system to lock the session upon removal of smartcard
3. Login using smartcard
4. After logging in to session, remove smartcard

Actual results:
Screen does not get locked upon removal of smartcard (first time)
Re-insert the card and remove it again, the screen gets locked.
and continues to work on subsequent attempts within the same session.

Expected results:
Screen lock upon smartcard removal should work first time and every time.

Additional info:
currently marking the bz against gnome-settings-daemon, I am not sure that is actually the culprit here.
Asked customer to capture g-s-d debug logs by running  /usr/libexec/gnome-settings-daemon -r --debug after login 
but the session gets locked immediately upon running above command and no problem observed after that.
Comment 3 Ashish Shah 2016-01-25 23:29 EST
Created attachment 1118351 [details]
gnome-settings-daemon in debug mode
Comment 4 Ray Strode [halfline] 2016-02-01 16:52:34 EST
if the user waits 60 seconds before pulling the card out the first time does it work?

I see this in the log:

Jan 18 21:06:37 rhel72 gnome-session: (gnome-settings-daemon:4182): smartcard-plugin-WARNING **: Couldn't lock screen: Cannot invoke method; proxy is for a well-known name without an owner and proxy was constructed with the G_DBUS_PROXY_FLAGS_DO_NOT_AUTO_START flag

That makes me think the shell isn't fully started yet.
Comment 5 Ashish Shah 2016-02-04 07:56:34 EST
Customer tried wait for 5 minutes after login and then pulled the card. Still the same behaviour
Comment 6 Ray Strode [halfline] 2016-02-04 10:17:51 EST
do you have the log from the attempt after waiting 5 minutes ?

Can you have them run 

$ gdbus call --session --dest org.freedesktop.DBus --object-path /org/freedesktop/DBus --method org.freedesktop.DBus.ListNames

and post the output ?
Comment 11 Ray Strode [halfline] 2016-02-19 14:45:50 EST
thanks, can you get the reporter to install debuginfo packages and run gstack a few times in a row on the worker process that's using a 100% cpu ?

Also the output of ls -l /proc/WORKERPID/fd

As pointed out in comment 9, the main thing shown in the strace is select returning over and over again with fd 17 readable.  the select call has a 200ms timeout, but it returns immediately because the readable fd is never read from I guess.  It's probably a driver bug, but getting the gstack backtraces would be useful to confirm. Of course if the session got started at all, the smartcard driver code couldn't be getting dispatched anymore, so this is a little mysterious.
Comment 12 Ashish Shah 2016-03-01 09:53 EST
Created attachment 1131961 [details]
gstack and procfd
Comment 15 Ray Strode [halfline] 2016-03-24 15:47:07 EDT
all 5 traces show it sitting in poll, so i guess it's not dispatching from poll for very long each time it wakes up.  We do see libeTPkcs11 has a couple of dedicated threads it's using.  Those threads should have been long destroyed when the pam module finished authentication (pam_pkcs11 calls SECMOD_UnloadUserModule / SECMOD_DestroyModule which should lead to the pkcs11 C_Finalize() call getting called.  The driver should clean up any threads then). This really looks like a driver problem, and the driver is closed source, so we can't really investigate much beyond that.

Our "supported" smart card configuration are coolkey supported cards. I don't think there's much we can do here but ask the customer to reach out to their smartcard vendor.

Note You need to log in before you can comment on or make changes to this bug.