Bug 1441374 - gdm prompts for user password when smartcard login is configured and smartcard is inserted
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: authconfig
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Pavel Březina
QA Contact: Roshni
URL:
Whiteboard:
Keywords: Regression, TestBlocker
Depends On:
Blocks:
Reported: 2017-04-11 20:09 UTC by Roshni
Modified: 2017-08-01 07:27 UTC (History)
Last Closed: 2017-08-01 07:27:56 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2285 normal SHIPPED_LIVE Moderate: authconfig security, bug fix, and enhancement update 2017-08-01 11:26:21 UTC

Description Roshni 2017-04-11 20:09:41 UTC
Description of problem:
gdm prompts for user password when smartcard login is configured and smartcard is inserted

Version-Release number of selected component (if applicable):
gnome-shell-3.22.3-8.el7.x86_64
gdm-3.22.3-8.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Configure smartcard login in auth-config
2. Logout or restart
3.

Actual results:
user password is prompted on gdm and the smartcard pin

Expected results:
smartcard pin should be prompted on gdm

Additional info:

Comment 3 Ray Strode [halfline] 2017-04-19 18:00:30 UTC
can you post your /etc/sysconfig/authconfig /etc/pam.d/system-auth /etc/pam.d/password-auth /etc/pam.d/smartcard-auth files and the output of

grep . /etc/dconf/db -R

?

Comment 4 Ray Strode [halfline] 2017-04-19 18:01:00 UTC
does logging in from a tty work with a smartcard?

Comment 5 Roshni 2017-04-19 18:33:13 UTC
[rpattath@dhcp129-77 ~]$ cat /etc/sysconfig/authconfig 
CACHECREDENTIALS=yes
FAILLOCKARGS="deny=4 unlock_time=1200"
FORCELEGACY=no
FORCESMARTCARD=no
IPADOMAINJOINED=no
IPAV2NONTP=no
PASSWDALGORITHM=sha512
USEDB=no
USEECRYPTFS=no
USEFAILLOCK=no
USEFPRINTD=no
USEHESIOD=no
USEIPAV2=no
USEKERBEROS=no
USELDAP=no
USELDAPAUTH=no
USELOCAUTHORIZE=yes
USEMKHOMEDIR=no
USENIS=no
USEPAMACCESS=no
USEPASSWDQC=no
USEPWQUALITY=yes
USESHADOW=yes
USESMARTCARD=yes
USESSSD=yes
USESSSDAUTH=no
USESYSNETAUTH=no
USEWINBIND=no
USEWINBINDAUTH=no
WINBINDKRB5=no
[rpattath@dhcp129-77 ~]$ cat /etc/pam.d/smartcard-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_sss.so allow_missing_name
auth        [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    required      pam_pkcs11.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
[rpattath@dhcp129-77 ~]$ cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
[rpattath@dhcp129-77 ~]$ cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok


password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
[rpattath@dhcp129-77 ~]$ grep . /etc/dconf/db -R
/etc/dconf/db/distro.d/locks/10-authconfig-locks:/org/gnome/login-screen/enable-fingerprint-authentication
/etc/dconf/db/distro.d/10-authconfig:# Generated by authconfig on 2017/04/19 11:36:03
/etc/dconf/db/distro.d/10-authconfig:[org/gnome/login-screen]
/etc/dconf/db/distro.d/10-authconfig:enable-fingerprint-authentication=false
Binary file /etc/dconf/db/site matches
Binary file /etc/dconf/db/local matches
Binary file /etc/dconf/db/distro matches
/etc/dconf/db/ibus.d/00-upstream-settings:# This file is a part of the IBus packaging and should not be changed.
/etc/dconf/db/ibus.d/00-upstream-settings:#
/etc/dconf/db/ibus.d/00-upstream-settings:# Instead create your own file next to it with a higher numbered prefix,
/etc/dconf/db/ibus.d/00-upstream-settings:# and run
/etc/dconf/db/ibus.d/00-upstream-settings:#
/etc/dconf/db/ibus.d/00-upstream-settings:#       dconf update
/etc/dconf/db/ibus.d/00-upstream-settings:#
/etc/dconf/db/ibus.d/00-upstream-settings:[desktop/ibus/general]
/etc/dconf/db/ibus.d/00-upstream-settings:dconf-preserve-name-prefixes=['/desktop/ibus/engine/pinyin', '/desktop/ibus/engine/bopomofo', '/desktop/ibus/engine/hangul']
/etc/dconf/db/ibus.d/00-upstream-settings:preload-engines-inited=false
/etc/dconf/db/ibus.d/00-upstream-settings:use-system-keyboard-layout=false
/etc/dconf/db/ibus.d/00-upstream-settings:embed-preedit-text=true
/etc/dconf/db/ibus.d/00-upstream-settings:enable-by-default=false
/etc/dconf/db/ibus.d/00-upstream-settings:use-global-engine=true
/etc/dconf/db/ibus.d/00-upstream-settings:preload-engine-mode=0
/etc/dconf/db/ibus.d/00-upstream-settings:use-xmodmap=true
/etc/dconf/db/ibus.d/00-upstream-settings:switcher-delay-time=400
/etc/dconf/db/ibus.d/00-upstream-settings:version=''
/etc/dconf/db/ibus.d/00-upstream-settings:load-xkb-layouts=['us', 'us(chr)', 'us(dvorak)', 'ad', 'al', 'am', 'ara', 'az', 'ba', 'bd', 'be', 'bg', 'br', 'bt', 'by', 'de', 'dk', 'ca', 'ch', 'cn(tib)', 'cz', 'ee', 'epo', 'es', 'et', 'fi', 'fo', 'fr', 'gb', 'ge', 'ge(dsb)', 'ge(ru)', 'ge(os)', 'gh', 'gh(akan)', 'gh(ewe)', 'gh(fula)', 'gh(ga)', 'gh(hausa)', 'gn', 'gr', 'hu', 'hr', 'ie', 'ie(CloGaelach)', 'il', 'in', 'in(tel)', 'in(bolnagri)', 'iq', 'iq(ku)', 'ir', 'ir(ku)', 'is', 'it', 'jp', 'kg', 'kh', 'kz', 'la', 'latam', 'lk', 'lk(tam_unicode)', 'lt', 'lv', 'ma', 'ma(tifinagh)', 'mal', 'mao', 'me', 'mk', 'mm', 'mt', 'mv', 'ng', 'ng(hausa)', 'ng', 'ng(igbo)', 'ng(yoruba)', 'nl', 'no', 'no(smi)', 'np', 'pk', 'pl', 'pl(csb)', 'pt', 'ro', 'rs', 'ru', 'ru(cv)', 'ru(kom)', 'ru(sah)', 'ru(tt)', 'ru(xal)', 'se', 'si', 'sk', 'sy', 'sy(ku)', 'th', 'tj', 'tr', 'ua', 'uz', 'vn']
/etc/dconf/db/ibus.d/00-upstream-settings:engines-order=@as []
/etc/dconf/db/ibus.d/00-upstream-settings:preload-engines=@as []
/etc/dconf/db/ibus.d/00-upstream-settings:xkb-latin-layouts=['ara', 'bg', 'cz', 'dev', 'gr', 'gur', 'in', 'jp(kana)', 'mal', 'mkd', 'ru', 'ua']
/etc/dconf/db/ibus.d/00-upstream-settings:[desktop/ibus/general/xkblayoutconfig]
/etc/dconf/db/ibus.d/00-upstream-settings:east-asia=['dz', 'km', 'lo', 'my', 'th', 'vi']
/etc/dconf/db/ibus.d/00-upstream-settings:center-asia=['bo', 'zh']
/etc/dconf/db/ibus.d/00-upstream-settings:north-europe=['da', 'fi', 'fo', 'is', 'no', 'se', 'sv']
/etc/dconf/db/ibus.d/00-upstream-settings:west-europe=['ca', 'cs', 'de', 'en', 'es', 'fr', 'gd', 'hu', 'it', 'nl', 'pt', 'sk', 'sl']
/etc/dconf/db/ibus.d/00-upstream-settings:group-list=['west_europe', 'south_europe', 'east_europe', 'north_europe', 'west_asia', 'center_asia', 'east_asia', 'india', 'australia']
/etc/dconf/db/ibus.d/00-upstream-settings:south-europe=['bg', 'bs', 'el', 'mk', 'mt', 'ro', 'sq', 'sr']
/etc/dconf/db/ibus.d/00-upstream-settings:west-asia=['am', 'ar', 'az', 'ber', 'fa', 'ha', 'he', 'hy', 'ig', 'ku', 'tg', 'tr', 'yo']
/etc/dconf/db/ibus.d/00-upstream-settings:india=['bn', 'dv', 'gu', 'hi', 'kn', 'ml', 'ne', 'or', 'pa', 'si', 'ta', 'te', 'ur']
/etc/dconf/db/ibus.d/00-upstream-settings:east-europe=['be', 'csb', 'cv', 'et', 'ka', 'kk', 'ky', 'lt', 'lv', 'pl', 'ru', 'tt', 'uk', 'uz']
/etc/dconf/db/ibus.d/00-upstream-settings:australia=['mi']
/etc/dconf/db/ibus.d/00-upstream-settings:[desktop/ibus/general/hotkey]
/etc/dconf/db/ibus.d/00-upstream-settings:next-engine=['Alt+Shift_L']
/etc/dconf/db/ibus.d/00-upstream-settings:disable-unconditional=@as []
/etc/dconf/db/ibus.d/00-upstream-settings:enable-unconditional=@as []
/etc/dconf/db/ibus.d/00-upstream-settings:triggers-no-modifiers=@as []
/etc/dconf/db/ibus.d/00-upstream-settings:trigger=['Control+space', 'Zenkaku_Hankaku', 'Alt+Kanji', 'Alt+grave', 'Hangul', 'Alt+Release+Alt_R']
/etc/dconf/db/ibus.d/00-upstream-settings:previous-engine=@as []
/etc/dconf/db/ibus.d/00-upstream-settings:prev-engine=@as []
/etc/dconf/db/ibus.d/00-upstream-settings:next-engine-in-menu=['Alt+Shift_L']
/etc/dconf/db/ibus.d/00-upstream-settings:triggers=['<Super>space']
/etc/dconf/db/ibus.d/00-upstream-settings:[desktop/ibus/panel]
/etc/dconf/db/ibus.d/00-upstream-settings:x=-1
/etc/dconf/db/ibus.d/00-upstream-settings:y=-1
/etc/dconf/db/ibus.d/00-upstream-settings:lookup-table-orientation=1
/etc/dconf/db/ibus.d/00-upstream-settings:show=0
/etc/dconf/db/ibus.d/00-upstream-settings:show-im-name=false
/etc/dconf/db/ibus.d/00-upstream-settings:custom-font='Sans 10'
/etc/dconf/db/ibus.d/00-upstream-settings:show-icon-on-systray=true
/etc/dconf/db/ibus.d/00-upstream-settings:use-custom-font=false
Binary file /etc/dconf/db/gdm matches
Binary file /etc/dconf/db/ibus matches

I am able to log in using a smartcard on a tty. Using gdm it prompts for the password first and then prompts for the smartcard PIN.

Comment 6 Ray Strode [halfline] 2017-04-19 18:49:30 UTC
so your smartcard-auth file has:

auth        sufficient    pam_sss.so allow_missing_name

in it, which is what's asking for password. So this is either an sssd configuration problem or an authconfig bug.

CC'ing sumit, since he probably has a better idea, but tentatively assigning to authconfig.
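
An added check for the condition Ray describes, written for this thread and not taken from authconfig or from the bug report: it parses a pam.d service file (comments, the `-` optional prefix, bracketed `[...]` controls) and reports the first `auth` module that would ask for a password before `pam_pkcs11.so` is reached. The sample stacks are constructed from the smartcard-auth file posted above; the set of password-prompting modules and the `audit` function name are assumptions of this example.

```python
"""Audit a pam.d service file for a password prompt ahead of smartcard auth.

Added example for this thread; not authconfig's code and not part of the
bug report. PAM walks the auth stack top to bottom, so a password module
listed above pam_pkcs11.so produces the extra password prompt seen here.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Modules that prompt for a password when run in the auth stack unless told
# to reuse an existing token (assumption: the modules relevant to the stacks
# shown in this thread, not an exhaustive list).
PASSWORD_MODULES = {"pam_sss.so", "pam_unix.so"}
SMARTCARD_MODULE = "pam_pkcs11.so"


@dataclass
class PamEntry:
    line_no: int
    kind: str                 # auth / account / password / session
    control: str              # required, sufficient, [success=done ...]
    module: str               # e.g. pam_pkcs11.so
    args: List[str] = field(default_factory=list)
    optional: bool = False    # leading '-': a missing module is not fatal


def parse_pam_file(text: str) -> List[PamEntry]:
    """Parse pam.d file content into entries, skipping comments and blanks."""
    entries: List[PamEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        optional = line.startswith("-")
        if optional:
            line = line[1:]
        head = line.split(None, 1)
        if len(head) != 2:
            raise ValueError(f"line {line_no}: expected '<type> <control> <module>'")
        kind, rest = head
        if rest.startswith("["):
            # Bracketed controls contain spaces: [success=done default=die]
            close = rest.index("]")
            control, rest = rest[: close + 1], rest[close + 1:]
        else:
            words = rest.split(None, 1)
            control = words[0]
            rest = words[1] if len(words) > 1 else ""
        words = rest.split()
        if not words:
            raise ValueError(f"line {line_no}: missing module name")
        entries.append(PamEntry(line_no, kind, control, words[0], words[1:], optional))
    return entries


def password_prompt_before_smartcard(entries: List[PamEntry]) -> Optional[PamEntry]:
    """Return the first auth entry that prompts for a password before
    pam_pkcs11.so is consulted, or None when the PIN prompt comes first."""
    for entry in entries:
        if entry.kind != "auth":
            continue
        if entry.module == SMARTCARD_MODULE:
            return None
        # use_first_pass reuses a token already collected and never prompts
        if entry.module in PASSWORD_MODULES and "use_first_pass" not in entry.args:
            return entry
    return None


def audit(text: str) -> str:
    """One-line verdict for a pam.d file's auth stack."""
    hit = password_prompt_before_smartcard(parse_pam_file(text))
    if hit is None:
        return f"OK: {SMARTCARD_MODULE} is consulted before any password module"
    return (f"WARNING: line {hit.line_no}: '{hit.control} {hit.module}' "
            f"prompts for a password before {SMARTCARD_MODULE}")


# Constructed from the smartcard-auth file posted in this thread.
BROKEN_SMARTCARD_AUTH = """\
#%PAM-1.0
# This file is auto-generated.
auth        required      pam_env.so
auth        sufficient    pam_sss.so allow_missing_name
auth        [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card
auth        required      pam_deny.so

account     required      pam_unix.so
session     optional      pam_keyinit.so revoke
-session    optional      pam_systemd.so
"""

# The same stack without the pam_sss.so line, i.e. the expected output.
FIXED_SMARTCARD_AUTH = BROKEN_SMARTCARD_AUTH.replace(
    "auth        sufficient    pam_sss.so allow_missing_name\n", "")

if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8") as fh:
                print(f"{path}: {audit(fh.read())}")
    else:
        print("broken:", audit(BROKEN_SMARTCARD_AUTH))
        print("fixed: ", audit(FIXED_SMARTCARD_AUTH))
```

Run it as `python3 audit_pam.py /etc/pam.d/smartcard-auth` after regenerating the file; the parser only walks the `auth` stack in order and stops at `pam_pkcs11.so`, so it does not model `success=N` jumps, which is enough for the stacks shown in this thread.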

Comment 7 Sumit Bose 2017-04-24 07:50:44 UTC
I'll try to reproduce

Roshni, with which options did you call authconfig?

bye,
Sumit

Comment 8 Roshni 2017-04-24 13:04:41 UTC
Sumit,

I used authconfig UI (authconfig-gtk) to make the change, the only change I made is enabling Smartcard login.

Comment 9 Sumit Bose 2017-04-24 14:29:19 UTC
Thank you, I can reproduce the issue.

For some reason there is a 'True' in /usr/share/authconfig/authinfo.py in line 755, but it should be 'False'. You might want to try to just edit the files directly and replace the 'True' by 'False'.

Pavel, do you remember where you picked up the patch added to the RHEL build? It looks like both the patch attached to https://bugzilla.redhat.com/show_bug.cgi?id=1378943 and the upstream PR https://pagure.io/authconfig/pull-request/5 say 'False'. Can you also compare the patch added to the RHEL build with the one reviewed by Tomas in the PR to see if there are other differences?

Comment 10 Pavel Březina 2017-04-25 10:08:33 UTC
Thanks. I made a mistake when resolving conflicts for the RHEL version. I will fix it.

Comment 15 Roshni 2017-04-28 15:22:06 UTC
Using authconfig-6.2.8-23.el7.x86_64 I still see the issue. I am not using sssd but coolkey/opensc and pam_pkcs11.

[root@dhcp129-77 ~]# cat /etc/pam.d/smartcard-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_sss.so allow_missing_name
auth        [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    required      pam_pkcs11.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
[root@dhcp129-77 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
[root@dhcp129-77 ~]# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok


password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
[root@dhcp129-77 ~]# cat /etc/sysconfig/authconfig 
CACHECREDENTIALS=yes
FAILLOCKARGS="deny=4 unlock_time=1200"
FORCELEGACY=no
FORCESMARTCARD=no
IPADOMAINJOINED=no
IPAV2NONTP=no
PASSWDALGORITHM=sha512
USEDB=no
USEECRYPTFS=no
USEFAILLOCK=no
USEFPRINTD=no
USEHESIOD=no
USEIPAV2=no
USEKERBEROS=no
USELDAP=no
USELDAPAUTH=no
USELOCAUTHORIZE=yes
USEMKHOMEDIR=no
USENIS=no
USEPAMACCESS=no
USEPASSWDQC=no
USEPWQUALITY=yes
USESHADOW=yes
USESMARTCARD=yes
USESSSD=yes
USESSSDAUTH=no
USESYSNETAUTH=no
USEWINBIND=no
USEWINBINDAUTH=no
WINBINDKRB5=no
[root@dhcp129-77 ~]# grep . /etc/dconf/db -R
/etc/dconf/db/distro.d/locks/10-authconfig-locks:/org/gnome/login-screen/enable-fingerprint-authentication
/etc/dconf/db/distro.d/10-authconfig:# Generated by authconfig on 2017/04/19 11:36:03
/etc/dconf/db/distro.d/10-authconfig:[org/gnome/login-screen]
/etc/dconf/db/distro.d/10-authconfig:enable-fingerprint-authentication=false
Binary file /etc/dconf/db/site matches
Binary file /etc/dconf/db/local matches
Binary file /etc/dconf/db/distro matches
/etc/dconf/db/ibus.d/00-upstream-settings:# This file is a part of the IBus packaging and should not be changed.
/etc/dconf/db/ibus.d/00-upstream-settings:#
/etc/dconf/db/ibus.d/00-upstream-settings:# Instead create your own file next to it with a higher numbered prefix,
/etc/dconf/db/ibus.d/00-upstream-settings:# and run
/etc/dconf/db/ibus.d/00-upstream-settings:#
/etc/dconf/db/ibus.d/00-upstream-settings:#       dconf update
/etc/dconf/db/ibus.d/00-upstream-settings:#
/etc/dconf/db/ibus.d/00-upstream-settings:[desktop/ibus/general]
/etc/dconf/db/ibus.d/00-upstream-settings:dconf-preserve-name-prefixes=['/desktop/ibus/engine/pinyin', '/desktop/ibus/engine/bopomofo', '/desktop/ibus/engine/hangul']
/etc/dconf/db/ibus.d/00-upstream-settings:preload-engines-inited=false
/etc/dconf/db/ibus.d/00-upstream-settings:use-system-keyboard-layout=false
/etc/dconf/db/ibus.d/00-upstream-settings:embed-preedit-text=true
/etc/dconf/db/ibus.d/00-upstream-settings:enable-by-default=false
/etc/dconf/db/ibus.d/00-upstream-settings:use-global-engine=true
/etc/dconf/db/ibus.d/00-upstream-settings:preload-engine-mode=0
/etc/dconf/db/ibus.d/00-upstream-settings:use-xmodmap=true
/etc/dconf/db/ibus.d/00-upstream-settings:switcher-delay-time=400
/etc/dconf/db/ibus.d/00-upstream-settings:version=''
/etc/dconf/db/ibus.d/00-upstream-settings:load-xkb-layouts=['us', 'us(chr)', 'us(dvorak)', 'ad', 'al', 'am', 'ara', 'az', 'ba', 'bd', 'be', 'bg', 'br', 'bt', 'by', 'de', 'dk', 'ca', 'ch', 'cn(tib)', 'cz', 'ee', 'epo', 'es', 'et', 'fi', 'fo', 'fr', 'gb', 'ge', 'ge(dsb)', 'ge(ru)', 'ge(os)', 'gh', 'gh(akan)', 'gh(ewe)', 'gh(fula)', 'gh(ga)', 'gh(hausa)', 'gn', 'gr', 'hu', 'hr', 'ie', 'ie(CloGaelach)', 'il', 'in', 'in(tel)', 'in(bolnagri)', 'iq', 'iq(ku)', 'ir', 'ir(ku)', 'is', 'it', 'jp', 'kg', 'kh', 'kz', 'la', 'latam', 'lk', 'lk(tam_unicode)', 'lt', 'lv', 'ma', 'ma(tifinagh)', 'mal', 'mao', 'me', 'mk', 'mm', 'mt', 'mv', 'ng', 'ng(hausa)', 'ng', 'ng(igbo)', 'ng(yoruba)', 'nl', 'no', 'no(smi)', 'np', 'pk', 'pl', 'pl(csb)', 'pt', 'ro', 'rs', 'ru', 'ru(cv)', 'ru(kom)', 'ru(sah)', 'ru(tt)', 'ru(xal)', 'se', 'si', 'sk', 'sy', 'sy(ku)', 'th', 'tj', 'tr', 'ua', 'uz', 'vn']
/etc/dconf/db/ibus.d/00-upstream-settings:engines-order=@as []
/etc/dconf/db/ibus.d/00-upstream-settings:preload-engines=@as []
/etc/dconf/db/ibus.d/00-upstream-settings:xkb-latin-layouts=['ara', 'bg', 'cz', 'dev', 'gr', 'gur', 'in', 'jp(kana)', 'mal', 'mkd', 'ru', 'ua']
/etc/dconf/db/ibus.d/00-upstream-settings:[desktop/ibus/general/xkblayoutconfig]
/etc/dconf/db/ibus.d/00-upstream-settings:east-asia=['dz', 'km', 'lo', 'my', 'th', 'vi']
/etc/dconf/db/ibus.d/00-upstream-settings:center-asia=['bo', 'zh']
/etc/dconf/db/ibus.d/00-upstream-settings:north-europe=['da', 'fi', 'fo', 'is', 'no', 'se', 'sv']
/etc/dconf/db/ibus.d/00-upstream-settings:west-europe=['ca', 'cs', 'de', 'en', 'es', 'fr', 'gd', 'hu', 'it', 'nl', 'pt', 'sk', 'sl']
/etc/dconf/db/ibus.d/00-upstream-settings:group-list=['west_europe', 'south_europe', 'east_europe', 'north_europe', 'west_asia', 'center_asia', 'east_asia', 'india', 'australia']
/etc/dconf/db/ibus.d/00-upstream-settings:south-europe=['bg', 'bs', 'el', 'mk', 'mt', 'ro', 'sq', 'sr']
/etc/dconf/db/ibus.d/00-upstream-settings:west-asia=['am', 'ar', 'az', 'ber', 'fa', 'ha', 'he', 'hy', 'ig', 'ku', 'tg', 'tr', 'yo']
/etc/dconf/db/ibus.d/00-upstream-settings:india=['bn', 'dv', 'gu', 'hi', 'kn', 'ml', 'ne', 'or', 'pa', 'si', 'ta', 'te', 'ur']
/etc/dconf/db/ibus.d/00-upstream-settings:east-europe=['be', 'csb', 'cv', 'et', 'ka', 'kk', 'ky', 'lt', 'lv', 'pl', 'ru', 'tt', 'uk', 'uz']
/etc/dconf/db/ibus.d/00-upstream-settings:australia=['mi']
/etc/dconf/db/ibus.d/00-upstream-settings:[desktop/ibus/general/hotkey]
/etc/dconf/db/ibus.d/00-upstream-settings:next-engine=['Alt+Shift_L']
/etc/dconf/db/ibus.d/00-upstream-settings:disable-unconditional=@as []
/etc/dconf/db/ibus.d/00-upstream-settings:enable-unconditional=@as []
/etc/dconf/db/ibus.d/00-upstream-settings:triggers-no-modifiers=@as []
/etc/dconf/db/ibus.d/00-upstream-settings:trigger=['Control+space', 'Zenkaku_Hankaku', 'Alt+Kanji', 'Alt+grave', 'Hangul', 'Alt+Release+Alt_R']
/etc/dconf/db/ibus.d/00-upstream-settings:previous-engine=@as []
/etc/dconf/db/ibus.d/00-upstream-settings:prev-engine=@as []
/etc/dconf/db/ibus.d/00-upstream-settings:next-engine-in-menu=['Alt+Shift_L']
/etc/dconf/db/ibus.d/00-upstream-settings:triggers=['<Super>space']
/etc/dconf/db/ibus.d/00-upstream-settings:[desktop/ibus/panel]
/etc/dconf/db/ibus.d/00-upstream-settings:x=-1
/etc/dconf/db/ibus.d/00-upstream-settings:y=-1
/etc/dconf/db/ibus.d/00-upstream-settings:lookup-table-orientation=1
/etc/dconf/db/ibus.d/00-upstream-settings:show=0
/etc/dconf/db/ibus.d/00-upstream-settings:show-im-name=false
/etc/dconf/db/ibus.d/00-upstream-settings:custom-font='Sans 10'
/etc/dconf/db/ibus.d/00-upstream-settings:show-icon-on-systray=true
/etc/dconf/db/ibus.d/00-upstream-settings:use-custom-font=false
Binary file /etc/dconf/db/gdm matches
Binary file /etc/dconf/db/ibus matches


[root@dhcp129-77 ~]# cat /etc/pam_pkcs11/pam_pkcs11.conf
#
# Configuration file for pam_pkcs11 module
#
# Version 0.4
# Author: Juan Antonio Martinez <jonsito@teleline.es>
#
pam_pkcs11 {
  # Allow empty passwords
  nullok = true;

  # Enable debugging support.
  debug = false; 

  # If the smart card is inserted, only use it
  card_only = true;

  # Do not prompt the user for the passwords but take them from the
  # PAM_ items instead.
  use_first_pass = false;

  # Do not prompt the user for the passwords unless PAM_(OLD)AUTHTOK
  # is unset.
  try_first_pass = false;

  # Like try_first_pass, but fail if the new PAM_AUTHTOK has not been
  # previously set (intended for stacking password modules only).
  use_authtok = false;

  # Filename of the PKCS #11 module. The default value is "default"
  use_pkcs11_module = coolkey;

  screen_savers = gnome-screensaver,xscreensaver,kscreensaver

  pkcs11_module coolkey {
    module = libcoolkeypk11.so;
    description = "Cool Key"
    # Slot-number to use. One for the first, two for the second and so
    # on. The default value is zero which means to use the first slot
    # with an available token.
    slot_num = 0;

    # Path to the directory where the NSS CA certificate database is stored.
    # you can mange the certs in this database with the certutil command in
    # the package nss-tools
    nss_dir = /etc/pki/nssdb;

    # Sets the Certificate verification policy.
    # "none"        Performs no verification
    # "ca"          Does CA check
    # "crl_online"  Downloads the CRL form the location given by the
    #               CRL distribution point extension of the certificate
    # "crl_offline" Uses the locally stored CRLs
    # "crl_auto"    Is a combination of online and offline; it first
    #               tries to download the CRL from a possibly given CRL
    #               distribution point and if this fails, uses the local
    #               CRLs
    # "ocsp_on"     Turn on OCSP.
    # "signature"   Does also a signature check to ensure that private
    #               and public key matches
    # You can use a combination of ca,crl, and signature flags, or just
    # use "none".
    cert_policy = ca, signature;
  }

  pkcs11_module opensc {
    module = opensc-pkcs11.so;
    description = "OpenSC PKCS#11 module";
    # Slot-number to use. One for the first, two for the second and so
    # on. The default value is zero which means to use the first slot
    # with an available token.
    slot_num = 0;
    nss_dir = /etc/pki/nssdb

    # Path to the directory where the CA certificates are stored. The
    # directory must contain an openssl hash-link to each certificate.
    # The default value is /etc/pam_pkcs11/cacerts.
    ca_dir = /etc/pam_pkcs11/cacerts;
  
    # Path to the directory where the CRLs are stored. The directory
    # must contain an openssl hash-link to each CRL. The default value
    # is /etc/pam_pkcs11/crls.
    crl_dir = /etc/pam_pkcs11/crls;
  
    # Sets the Certificate Policy, (see above)
    cert_policy = ca, signature;
  }

  # Default pkcs11 module
  pkcs11_module default {
    module = /usr/$LIB/pam_pkcs11/pkcs11_module.so;
    description = "Default pkcs#11 module";
    slot_num = 0;
    ca_dir = /etc/pam_pkcs11/cacerts;
    crl_dir = /etc/pam_pkcs11/crls;
    cert_policy = ca, signature;
  }

  # Which mappers ( Cert to login ) to use?
  # you can use several mappers:
  #
  # subject - Cert Subject to login file based mapper
  # pwent   - CN to getpwent() login or gecos fields mapper
  # ldap    - LDAP mapper
  # opensc  - Search certificate in ${HOME}/.eid/authorized_certificates
  # openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys
  # mail    - Compare email fields from certificate
  # ms      - Use Microsoft Universal Principal Name extension
  # krb     - Compare againts Kerberos Principal Name
  # cn      - Compare Common Name (CN)
  # uid     - Compare Unique Identifier
  # digest  - Certificate digest to login (mapfile based) mapper
  # generic - User defined certificate contents mapped
  # null    - blind access/deny mapper
  #
  # You can select a comma-separated mapper list.
  # If used null mapper should be the last in the list :-)
  # Also you should select at least one mapper, otherwise
  # certificate will not match :-)
  use_mappers = cn, uid, pwent, null;

  # When no absolute path or module info is provided, use this
  # value as module search path
  # TODO:
  # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH 
  mapper_search_path = /usr/$LIB/pam_pkcs11;

  # 
  # Generic certificate contents mapper
  mapper generic {
        debug = true;
        module = /usr/$LIB/pam_pkcs11/generic_mapper.so;
        # ignore letter case on match/compare
        ignorecase = false;
        # Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid"
        cert_item  = cn;
        # Define mapfile if needed, else select "none"
        mapfile = file:///etc/pam_pkcs11/generic_mapping
        # Decide if use getpwent() to map login
        use_getpwent = false;
  }

  # Certificate Subject to login based mapper
  # provided file stores one or more "Subject -> login" lines
  mapper subject {
	debug = false;
	# module = /usr/$LIB/pam_pkcs11/subject_mapper.so;
	module = internal;
	ignorecase = false;
	mapfile = file:///etc/pam_pkcs11/subject_mapping;
  }

  # Search public keys from $HOME/.ssh/authorized_keys to match users
  mapper openssh {
	debug = false;
	module = /usr/$LIB/pam_pkcs11/openssh_mapper.so;
  }

  # Search certificates from $HOME/.eid/authorized_certificates to match users
  mapper opensc {
	debug = false;
	module = /usr/$LIB/pam_pkcs11/opensc_mapper.so;
  }

  # Certificate Common Name ( CN ) to getpwent() mapper
  mapper pwent {
	debug = false;
	ignorecase = false;
	module = internal;
	# module = /usr/$LIB/pam_pkcs11/pwent_mapper.so;
  }

  # Null ( no map ) mapper. when user as finder matchs to NULL or "nobody"
  mapper null {
	debug = false;
	# module = /usr/$LIB/pam_pkcs11/null_mapper.so;
	module = internal ;
	# select behavior: always match, or always fail
	default_match = false;
	# on match, select returned user
        default_user = nobody ;
  }

  # Directory ( ldap style ) mapper
  mapper ldap {
	debug = false;
	module = /usr/$LIB/pam_pkcs11/ldap_mapper.so;
	# where base directory resides
	basedir = /etc/pam_pkcs11/mapdir;
	# hostname of ldap server
        ldaphost = "localhost";
	# Port on ldap server to connect
        ldapport = 389;
        # Scope of search: 0 = x, 1 = y, 2 = z
        scope = 2;
	# DN to bind with. Must have read-access for user entries under "base"
        binddn = "cn=pam,o=example,c=com";
	# Password for above DN
        passwd = "test";
	# Searchbase for user entries
        base = "ou=People,o=example,c=com";
	# Attribute of user entry which contains the certificate
        attribute = "userCertificate";
	# Searchfilter for user entry. Must only let pass user entry for the login user.
        filter = "(&(objectClass=posixAccount)(uid=%s))"
  }

  # Assume common name (CN) to be the login
  mapper cn {
	debug = false;
	module = internal;
	# module = /usr/$LIB/pam_pkcs11/cn_mapper.so;
	ignorecase = true;
	mapfile = file:///etc/pam_pkcs11/cn_map;
  }

  # mail -  Compare email field from certificate
  mapper mail {
	debug = false;
	module = internal;
	# module = /usr/$LIB/pam_pkcs11/mail_mapper.so;
	# Declare mapfile or
	# leave empty "" or "none" to use no map 
	mapfile = file:///etc/pam_pkcs11/mail_mapping;
	# Some certs store email in uppercase. take care on this
	ignorecase = true;
	# Also check that host matches mx domain
	# when using mapfile this feature is ignored
	ignoredomain = false;
  }

  # ms - Use Microsoft Universal Principal Name extension
  # UPN is in format login@ADS_Domain. No map is needed, just
  # check domain name.
  mapper ms {
	debug = false;
	module = internal;
	# module = /usr/$LIB/pam_pkcs11/ms_mapper.so;
	ignorecase = false;
	ignoredomain = false;
	domain = "domain.com";
  }

  # krb  - Compare againts Kerberos Principal Name
  mapper krb {
	debug = false;
	module = internal;
	# module = /usr/$LIB/pam_pkcs11/krb_mapper.so;
	ignorecase = false;
	mapfile = "none";
  }

  # uid  - Maps Subject Unique Identifier field (if exist) to login
  mapper uid {
	debug = false;
	module = internal;
	# module = /usr/$LIB/pam_pkcs11/uid_mapper.so;
	ignorecase = false;
	mapfile = "none";
  }

  # digest - elaborate certificate digest and map it into a file
  mapper digest {
	debug = false;
	module = internal;
	# module = /usr/$LIB/pam_pkcs11/digest_mapper.so;
	# algorithm used to evaluate certificate digest
        # Select one of:
	# "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160"
	algorithm = "sha1";
	mapfile = file:///etc/pam_pkcs11/digest_mapping;
	# mapfile = "none";
  }

}

Comment 16 Pavel Březina 2017-05-02 08:57:58 UTC
Roshni, what authconfig options have you used?

Comment 17 Roshni 2017-05-02 13:13:42 UTC
Pavel,

I have pasted my authconfig info in comment 15

[root@dhcp129-77 ~]# cat /etc/sysconfig/authconfig 
CACHECREDENTIALS=yes
FAILLOCKARGS="deny=4 unlock_time=1200"
FORCELEGACY=no
FORCESMARTCARD=no
IPADOMAINJOINED=no
IPAV2NONTP=no
PASSWDALGORITHM=sha512
USEDB=no
USEECRYPTFS=no
USEFAILLOCK=no
USEFPRINTD=no
USEHESIOD=no
USEIPAV2=no
USEKERBEROS=no
USELDAP=no
USELDAPAUTH=no
USELOCAUTHORIZE=yes
USEMKHOMEDIR=no
USENIS=no
USEPAMACCESS=no
USEPASSWDQC=no
USEPWQUALITY=yes
USESHADOW=yes
USESMARTCARD=yes
USESSSD=yes
USESSSDAUTH=no
USESYSNETAUTH=no
USEWINBIND=no
USEWINBINDAUTH=no
WINBINDKRB5=no

Comment 18 Sumit Bose 2017-05-03 12:02:03 UTC
(In reply to Roshni from comment #15)
> Using authconfig-6.2.8-23.el7.x86_64 I still see the issue. I am not using
> sssd but coolkey/opensc and pam_pkcs11
> 
> [root@dhcp129-77 ~]# cat /etc/pam.d/smartcard-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_sss.so allow_missing_name

I think here is the issue. pam_sss shouldn't be present here. But when trying to reproduce with

    authconfig-gtk-6.2.8-23.el7.x86_64
    authconfig-6.2.8-23.el7.x86_64

I cannot get into this state. I only get the pam_pkcs11 line which is the expected one here.

Can you re-test and give me access to the system if you still see pam_sss and pam_pkcs11 together?

bye,
Sumit


> auth        [success=done ignore=ignore default=die] pam_pkcs11.so nodebug
> wait_for_card
> auth        required      pam_deny.so
> 
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> account     required      pam_permit.so
> 
> password    required      pam_pkcs11.so
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session     optional      pam_systemd.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond
> quiet use_uid
> session     required      pam_unix.so

Comment 19 Roshni 2017-05-03 14:49:13 UTC
[root@dhcp129-77 ~]# rpm -qi authconfig
Name        : authconfig
Version     : 6.2.8
Release     : 23.el7
Architecture: x86_64
Install Date: Fri 28 Apr 2017 10:48:45 AM EDT
Group       : System Environment/Base
Size        : 2314510
License     : GPLv2+
Signature   : (none)
Source RPM  : authconfig-6.2.8-23.el7.src.rpm
Build Date  : Fri 28 Apr 2017 07:27:25 AM EDT
Build Host  : x86-030.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://fedorahosted.org/authconfig
Summary     : Command line tool for setting up authentication from network services

no prompt for password seen during gdm login. Everything works as expected.

Comment 20 Sumit Bose 2017-05-03 16:09:38 UTC
Just some short explanations.

authconfig-gtk does not update any files if there is no change in the configuration, i.e. it behaves similarly to 'authconfig --update', and there is no way to force re-writing the files like the --updateall option of authconfig does.

While testing with the old authconfig version a broken /etc/pam.d/smartcard-auth was created. After updating, authconfig-gtk was called and the 'Apply' button was pressed because the 'Smartcard authentication' box was already checked. As explained above, no files were changed because the configuration didn't change. To fix the file either authconfig --updateall can be called from the command line, or with authconfig-gtk 'Smartcard authentication' must be disabled first and then re-enabled in a second step.

Comment 22 errata-xmlrpc 2017-08-01 07:27:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2285

