Bug 1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Sumit Bose
QA Contact: Steeve Goveas
Reported: 2016-08-30 16:31 UTC by Roshni
Modified: 2020-05-02 18:28 UTC (History)

Fixed In Version: sssd-1.14.0-42.el7
Last Closed: 2016-11-04 07:20:57 UTC


System ID Priority Status Summary Last Updated
Github SSSD sssd issues 4198 None closed login using gdm calls for gdm-smartcard when smartcard authentication is not enabled 2020-08-21 17:07:19 UTC
Red Hat Product Errata RHEA-2016:2476 normal SHIPPED_LIVE sssd bug fix and enhancement update 2016-11-03 14:08:11 UTC

Description Roshni 2016-08-30 16:31:37 UTC
Description of problem:
gdm calls for gdm-smartcard when smartcard authentication is not enabled

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install ipa-client and enable smartcard login using sssd by making the following change in sssd.conf

pam_cert_auth = True

2. Trust the signing certs associated with the smartcard under /etc/pki/nssdb

3. Login using smartcard

4. Screen locks due to inactivity

5. Login attempt prompts for PIN

Actual results:
Auth fails

Expected results:
Auth should be successful

Additional info:

Seeing the following in /var/log/secure

Aug 30 11:48:00 dhcp129-53 gdm-smartcard]: pam_pkcs11(gdm-smartcard:auth): no valid certificate which meets all requirements found

/etc/dconf/db/distro.d/10-authconfig says enable-smartcard-authentication=false

Comment 1 Ray Strode [halfline] 2016-08-30 16:46:46 UTC
How did you log in using smartcard if enable-smartcard-authentication=false ?

I think you must be missing steps in comment 0?

Comment 5 Sumit Bose 2016-08-31 11:45:25 UTC
I might have an idea what is going on. For 7.3 I added a patch which set PKCS11_LOGIN_TOKEN_NAME when Smartcard authentication is used.

Ray, is it possible that the screen-saver will use gdm-smartcard whenever this environment variable is set without checking other options like the enable-smartcard-authentication dconf setting?

I'll prepare a test build which sets the variable only if SSSD was called from gdm-smartcard so that when gdm-password was used for the initial authentication, even with a Smartcard, the desktop components are not confused by the variable.
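
A triage check for the state discussed in comment 5, as an added example that is not part of the original bug report or of SSSD/GDM code: it flags a session that carries PKCS11_LOGIN_TOKEN_NAME while enable-smartcard-authentication is not true, and counts pam_pkcs11(gdm-smartcard:auth) messages in the secure log. The function names are hypothetical, and treating the variable as the trigger follows the hypothesis in comment 5 (an assumption, not confirmed behaviour).

```shell
#!/bin/sh
# Added example (not SSSD/GDM code). Function names are hypothetical.
# Inputs: a dconf keyfile (e.g. /etc/dconf/db/distro.d/10-authconfig),
# a NUL-separated environment dump (format of /proc/<pid>/environ),
# and a secure log (e.g. /var/log/secure).

# Print "true", "false" or "unset" for enable-smartcard-authentication.
dconf_smartcard_setting() {
    val=$(sed -n 's/^[[:space:]]*enable-smartcard-authentication[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    echo "${val:-unset}"
}

# Return 0 if PKCS11_LOGIN_TOKEN_NAME is set in the environment dump.
token_var_present() {
    tr '\0' '\n' < "$1" | grep -q '^PKCS11_LOGIN_TOKEN_NAME='
}

# Count pam_pkcs11 messages logged for the gdm-smartcard PAM service.
# grep -c exits 1 on zero matches, so the status is ignored on purpose.
smartcard_pam_hits() {
    grep -c 'pam_pkcs11(gdm-smartcard:auth)' "$1" || true
}

# triage DCONF_FILE ENVIRON_FILE SECURE_LOG
# MISMATCH: variable set, smartcard login not enabled, and the
#           gdm-smartcard PAM service already shows up in the log.
# AT-RISK:  variable set and smartcard login not enabled, no log hits yet.
# OK:       neither of the above.
triage() {
    setting=$(dconf_smartcard_setting "$1")
    hits=$(smartcard_pam_hits "$3")
    if [ "$setting" != "true" ] && token_var_present "$2"; then
        if [ "$hits" -gt 0 ]; then
            echo "MISMATCH: token variable set, smartcard login is $setting, $hits gdm-smartcard message(s)"
        else
            echo "AT-RISK: token variable set, smartcard login is $setting"
        fi
    else
        echo "OK"
    fi
}

# Stand-alone use: sh triage.sh DCONF_FILE ENVIRON_FILE SECURE_LOG
if [ "$#" -eq 3 ]; then
    triage "$@"
fi
```
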

Comment 11 Jakub Hrozek 2016-08-31 15:31:29 UTC
Upstream ticket:

Comment 16 Jakub Hrozek 2016-09-16 13:18:53 UTC
 * 35ba922bc51416f02877b53a6f25c04104ae5f03
 * 3649b959709f1ab187092f054d4aace0798c98fa
 * 71cd9f98150577224559bdc12c53c01ce6f2c3d9

Comment 18 Roshni 2016-09-18 16:59:33 UTC
[root@dhcp129-34 ~]# rpm -qi sssd
Name        : sssd
Version     : 1.14.0
Release     : 42.el7
Architecture: x86_64
Install Date: Sun 18 Sep 2016 12:54:23 PM EDT
Group       : Applications/System
Size        : 35147
License     : GPLv3+
Signature   : (none)
Source RPM  : sssd-1.14.0-42.el7.src.rpm
Build Date  : Fri 16 Sep 2016 09:48:09 AM EDT
Build Host  : x86-039.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

Executed the steps in the bug description, authentication was successful while unlocking the screen.

Comment 19 Lukas Slebodnik 2016-09-19 11:17:42 UTC
* a8631161c47cbaefe7fd14b88202238bbdcc3dc8

Comment 21 errata-xmlrpc 2016-11-04 07:20:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

