Red Hat Bugzilla – Bug 1299981
Smartcard: Lock-on-remove only works on 2nd and subsequent removals with Gemalto/Safenet eToken 4100 and Safenet Authentication Client
Last modified: 2017-07-03 11:04:42 EDT
Description of problem:
GNOME desktop does not lock on the first removal of the smartcard
Reinsert and then remove again locks the screen
all subsequent removals are also fine.
Screen lock on smartcard removal should work first time and every time.
Version-Release number of selected component (if applicable):
Freshly installed RHEL 7.2 physical machine, with all latest updates
Safenet Authentication Client 9.0.43.
customer tried on physical and virtual environments, and on CentOS
Steps to Reproduce:
1. Configure rhel7.2 system for smartcard authentication with Safenet Authentication Client
2. Configure system to lock the session upon removal of smartcard
3. Login using smartcard
4. After logging in to session, remove smartcard
Screen does not get locked upon removal of smartcard (first time)
Re-insert the card and remove it again, the screen gets locked.
and continues to work on subsequent attempts within the same session.
Screen lock upon smartcard removal should work first time and every time.
currently marking the bz against gnome-settings-daemon, I am not sure that is actually the culprit here.
Asked customer to capture g-s-d debug logs by running /usr/libexec/gnome-settings-daemon -r --debug after login
but the session gets locked immediately upon running above command and no problem observed after that.
Created attachment 1118351 [details]
gnome-settings-daemon in debug mode
if the user waits 60 seconds before pulling the card out the first time does it work?
I see this in the log:
Jan 18 21:06:37 rhel72 gnome-session: (gnome-settings-daemon:4182): smartcard-plugin-WARNING **: Couldn't lock screen: Cannot invoke method; proxy is for a well-known name without an owner and proxy was constructed with the G_DBUS_PROXY_FLAGS_DO_NOT_AUTO_START flag
That makes me think the shell isn't fully started yet.
Customer tried wait for 5 minutes after login and then pulled the card. Still the same behaviour
do you have the log from the attempt after waiting 5 minutes ?
Can you have them run
$ gdbus call --session --dest org.freedesktop.DBus --object-path /org/freedesktop/DBus --method org.freedesktop.DBus.ListNames
and post the output ?
thanks, can you get the reporter to install debuginfo packages and run gstack a few times in a row on the worker process that's using a 100% cpu ?
Also the output of ls -l /proc/WORKERPID/fd
As pointed out in comment 9, the main thing shown in the strace is select returning over and over again with fd 17 readable. the select call has a 200ms timeout, but it returns immediately because the readable fd is never read from I guess. It's probably a driver bug, but getting the gstack backtraces would be useful to confirm. Of course if the session got started at all, the smartcard driver code couldn't be getting dispatched anymore, so this is a little mysterious.
Created attachment 1131961 [details]
gstack and procfd
all 5 traces show it sitting in poll, so i guess it's not dispatching from poll for very long each time it wakes up. We do see libeTPkcs11 has a couple of dedicated threads it's using. Those threads should have been long destroyed when the pam module finished authentication (pam_pkcs11 calls SECMOD_UnloadUserModule / SECMOD_DestroyModule which should lead to the pkcs11 C_Finalize() call getting called. The driver should clean up any threads then). This really looks like a driver problem, and the driver is closed source, so we can't really investigate much beyond that.
Our "supported" smart card configuration are coolkey supported cards. I don't think there's much we can do here but ask the customer to reach out to their smartcard vendor.