1299981 – Smartcard: Lock-on-remove only works on 2nd and subsequent removals with Gemalto/Safenet eToken 4100 and Safenet Authentication Client

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1299981 - Smartcard: Lock-on-remove only works on 2nd and subsequent removals with Gemalto/Safenet eToken 4100 and Safenet Authentication Client

Summary: Smartcard: Lock-on-remove only works on 2nd and subsequent removals with Gema...

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	gnome-settings-daemon
Sub Component:
Version:	7.2
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Rui Matos
QA Contact:	Desktop QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1203710
TreeView+	depends on / blocked

Reported:	2016-01-19 16:27 UTC by Ashish Shah
Modified:	2019-11-14 07:20 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-11-15 22:49:46 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
gnome-settings-daemon in debug mode (70.32 KB, text/plain) 2016-01-26 04:29 UTC, Ashish Shah	no flags	Details
gstack and procfd (1.69 KB, application/x-bzip) 2016-03-01 14:53 UTC, Ashish Shah	no flags	Details
View All

Description Ashish Shah 2016-01-19 16:27:04 UTC

Description of problem:

GNOME desktop does not lock on the first removal of the smartcard
Reinsert and then remove again locks the screen
all subsequent removals are also fine.
Screen lock on smartcard removal should work first time and every time.


Version-Release number of selected component (if applicable):
Freshly installed RHEL 7.2 physical machine, with all latest updates
Safenet Authentication Client 9.0.43.


How reproducible:
Always
customer tried on physical and virtual environments, and on CentOS

Steps to Reproduce:
1. Configure rhel7.2 system for smartcard authentication with Safenet Authentication Client
2. Configure system to lock the session upon removal of smartcard
3. Login using smartcard
4. After logging in to session, remove smartcard

Actual results:
Screen does not get locked upon removal of smartcard (first time)
Re-insert the card and remove it again, the screen gets locked.
and continues to work on subsequent attempts within the same session.

Expected results:
Screen lock upon smartcard removal should work first time and every time.

Additional info:
currently marking the bz against gnome-settings-daemon, I am not sure that is actually the culprit here.
Asked customer to capture g-s-d debug logs by running  /usr/libexec/gnome-settings-daemon -r --debug after login 
but the session gets locked immediately upon running above command and no problem observed after that.

Comment 3 Ashish Shah 2016-01-26 04:29:42 UTC

Created attachment 1118351 [details]
gnome-settings-daemon in debug mode

Comment 4 Ray Strode [halfline] 2016-02-01 21:52:34 UTC

if the user waits 60 seconds before pulling the card out the first time does it work?

I see this in the log:

Jan 18 21:06:37 rhel72 gnome-session: (gnome-settings-daemon:4182): smartcard-plugin-WARNING **: Couldn't lock screen: Cannot invoke method; proxy is for a well-known name without an owner and proxy was constructed with the G_DBUS_PROXY_FLAGS_DO_NOT_AUTO_START flag

That makes me think the shell isn't fully started yet.

Comment 5 Ashish Shah 2016-02-04 12:56:34 UTC

Customer tried wait for 5 minutes after login and then pulled the card. Still the same behaviour

Comment 6 Ray Strode [halfline] 2016-02-04 15:17:51 UTC

do you have the log from the attempt after waiting 5 minutes ?

Can you have them run 


$ gdbus call --session --dest org.freedesktop.DBus --object-path /org/freedesktop/DBus --method org.freedesktop.DBus.ListNames

and post the output ?

Comment 11 Ray Strode [halfline] 2016-02-19 19:45:50 UTC

thanks, can you get the reporter to install debuginfo packages and run gstack a few times in a row on the worker process that's using a 100% cpu ?

Also the output of ls -l /proc/WORKERPID/fd

As pointed out in comment 9, the main thing shown in the strace is select returning over and over again with fd 17 readable.  the select call has a 200ms timeout, but it returns immediately because the readable fd is never read from I guess.  It's probably a driver bug, but getting the gstack backtraces would be useful to confirm. Of course if the session got started at all, the smartcard driver code couldn't be getting dispatched anymore, so this is a little mysterious.

Comment 12 Ashish Shah 2016-03-01 14:53:00 UTC

Created attachment 1131961 [details]
gstack and procfd

Comment 15 Ray Strode [halfline] 2016-03-24 19:47:07 UTC

all 5 traces show it sitting in poll, so i guess it's not dispatching from poll for very long each time it wakes up.  We do see libeTPkcs11 has a couple of dedicated threads it's using.  Those threads should have been long destroyed when the pam module finished authentication (pam_pkcs11 calls SECMOD_UnloadUserModule / SECMOD_DestroyModule which should lead to the pkcs11 C_Finalize() call getting called.  The driver should clean up any threads then). This really looks like a driver problem, and the driver is closed source, so we can't really investigate much beyond that.

Our "supported" smart card configuration are coolkey supported cards. I don't think there's much we can do here but ask the customer to reach out to their smartcard vendor.

Note You need to log in before you can comment on or make changes to this bug.