Red Hat Bugzilla – Bug 1441374
gdm prompts for user password when smartcard login is configured and smartcard is inserted
Last modified: 2017-08-01 03:27:56 EDT
Description of problem: gdm prompts for user password when smartcard login is configured and smartcard is inserted Version-Release number of selected component (if applicable): gnome-shell-3.22.3-8.el7.x86_64 gdm-3.22.3-8.el7.x86_64 How reproducible: always Steps to Reproduce: 1. Configure smartcard login in auth-config 2. Logout or restart 3. Actual results: user password is prompted on gdm and the smartcard pin Expected results: smartcard pin should be prompted on gdm Additional info:
can you post your /etc/sysconfig/authconfig /etc/pam.d/system-auth /etc/pam.d/password-auth /etc/pam.d/smartcard-auth files and the output of grep . /etc/dconf/db -R ?
do logging in from a tty work with smartcard?
rpattath@dhcp129-77 ~]$ cat /etc/sysconfig/authconfig CACHECREDENTIALS=yes FAILLOCKARGS="deny=4 unlock_time=1200" FORCELEGACY=no FORCESMARTCARD=no IPADOMAINJOINED=no IPAV2NONTP=no PASSWDALGORITHM=sha512 USEDB=no USEECRYPTFS=no USEFAILLOCK=no USEFPRINTD=no USEHESIOD=no USEIPAV2=no USEKERBEROS=no USELDAP=no USELDAPAUTH=no USELOCAUTHORIZE=yes USEMKHOMEDIR=no USENIS=no USEPAMACCESS=no USEPASSWDQC=no USEPWQUALITY=yes USESHADOW=yes USESMARTCARD=yes USESSSD=yes USESSSDAUTH=no USESYSNETAUTH=no USEWINBIND=no USEWINBINDAUTH=no WINBINDKRB5=no [rpattath@dhcp129-77 ~]$ cat /etc/pam.d/smartcard-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_sss.so allow_missing_name auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account required pam_permit.so password required pam_pkcs11.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so [rpattath@dhcp129-77 ~]$ cat /etc/pam.d/system-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so [rpattath@dhcp129-77 ~]$ cat /etc/pam.d/password-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so [rpattath@dhcp129-77 ~]$ grep . /etc/dconf/db -R /etc/dconf/db/distro.d/locks/10-authconfig-locks:/org/gnome/login-screen/enable-fingerprint-authentication /etc/dconf/db/distro.d/10-authconfig:# Generated by authconfig on 2017/04/19 11:36:03 /etc/dconf/db/distro.d/10-authconfig:[org/gnome/login-screen] /etc/dconf/db/distro.d/10-authconfig:enable-fingerprint-authentication=false Binary file /etc/dconf/db/site matches Binary file /etc/dconf/db/local matches Binary file /etc/dconf/db/distro matches /etc/dconf/db/ibus.d/00-upstream-settings:# This file is a part of the IBus packaging and should not be changed. /etc/dconf/db/ibus.d/00-upstream-settings:# /etc/dconf/db/ibus.d/00-upstream-settings:# Instead create your own file next to it with a higher numbered prefix, /etc/dconf/db/ibus.d/00-upstream-settings:# and run /etc/dconf/db/ibus.d/00-upstream-settings:# /etc/dconf/db/ibus.d/00-upstream-settings:# dconf update /etc/dconf/db/ibus.d/00-upstream-settings:# /etc/dconf/db/ibus.d/00-upstream-settings:[desktop/ibus/general] /etc/dconf/db/ibus.d/00-upstream-settings:dconf-preserve-name-prefixes=['/desktop/ibus/engine/pinyin', '/desktop/ibus/engine/bopomofo', '/desktop/ibus/engine/hangul'] /etc/dconf/db/ibus.d/00-upstream-settings:preload-engines-inited=false /etc/dconf/db/ibus.d/00-upstream-settings:use-system-keyboard-layout=false /etc/dconf/db/ibus.d/00-upstream-settings:embed-preedit-text=true /etc/dconf/db/ibus.d/00-upstream-settings:enable-by-default=false /etc/dconf/db/ibus.d/00-upstream-settings:use-global-engine=true /etc/dconf/db/ibus.d/00-upstream-settings:preload-engine-mode=0 /etc/dconf/db/ibus.d/00-upstream-settings:use-xmodmap=true /etc/dconf/db/ibus.d/00-upstream-settings:switcher-delay-time=400 /etc/dconf/db/ibus.d/00-upstream-settings:version='' /etc/dconf/db/ibus.d/00-upstream-settings:load-xkb-layouts=['us', 'us(chr)', 'us(dvorak)', 'ad', 'al', 'am', 'ara', 'az', 'ba', 'bd', 'be', 'bg', 'br', 'bt', 'by', 'de', 'dk', 'ca', 'ch', 'cn(tib)', 'cz', 'ee', 'epo', 'es', 'et', 'fi', 'fo', 'fr', 'gb', 'ge', 'ge(dsb)', 'ge(ru)', 'ge(os)', 'gh', 'gh(akan)', 'gh(ewe)', 'gh(fula)', 'gh(ga)', 'gh(hausa)', 'gn', 'gr', 'hu', 'hr', 'ie', 'ie(CloGaelach)', 'il', 'in', 'in(tel)', 'in(bolnagri)', 'iq', 'iq(ku)', 'ir', 'ir(ku)', 'is', 'it', 'jp', 'kg', 'kh', 'kz', 'la', 'latam', 'lk', 'lk(tam_unicode)', 'lt', 'lv', 'ma', 'ma(tifinagh)', 'mal', 'mao', 'me', 'mk', 'mm', 'mt', 'mv', 'ng', 'ng(hausa)', 'ng', 'ng(igbo)', 'ng(yoruba)', 'nl', 'no', 'no(smi)', 'np', 'pk', 'pl', 'pl(csb)', 'pt', 'ro', 'rs', 'ru', 'ru(cv)', 'ru(kom)', 'ru(sah)', 'ru(tt)', 'ru(xal)', 'se', 'si', 'sk', 'sy', 'sy(ku)', 'th', 'tj', 'tr', 'ua', 'uz', 'vn'] /etc/dconf/db/ibus.d/00-upstream-settings:engines-order=@as [] /etc/dconf/db/ibus.d/00-upstream-settings:preload-engines=@as [] /etc/dconf/db/ibus.d/00-upstream-settings:xkb-latin-layouts=['ara', 'bg', 'cz', 'dev', 'gr', 'gur', 'in', 'jp(kana)', 'mal', 'mkd', 'ru', 'ua'] /etc/dconf/db/ibus.d/00-upstream-settings:[desktop/ibus/general/xkblayoutconfig] /etc/dconf/db/ibus.d/00-upstream-settings:east-asia=['dz', 'km', 'lo', 'my', 'th', 'vi'] /etc/dconf/db/ibus.d/00-upstream-settings:center-asia=['bo', 'zh'] /etc/dconf/db/ibus.d/00-upstream-settings:north-europe=['da', 'fi', 'fo', 'is', 'no', 'se', 'sv'] /etc/dconf/db/ibus.d/00-upstream-settings:west-europe=['ca', 'cs', 'de', 'en', 'es', 'fr', 'gd', 'hu', 'it', 'nl', 'pt', 'sk', 'sl'] /etc/dconf/db/ibus.d/00-upstream-settings:group-list=['west_europe', 'south_europe', 'east_europe', 'north_europe', 'west_asia', 'center_asia', 'east_asia', 'india', 'australia'] /etc/dconf/db/ibus.d/00-upstream-settings:south-europe=['bg', 'bs', 'el', 'mk', 'mt', 'ro', 'sq', 'sr'] /etc/dconf/db/ibus.d/00-upstream-settings:west-asia=['am', 'ar', 'az', 'ber', 'fa', 'ha', 'he', 'hy', 'ig', 'ku', 'tg', 'tr', 'yo'] /etc/dconf/db/ibus.d/00-upstream-settings:india=['bn', 'dv', 'gu', 'hi', 'kn', 'ml', 'ne', 'or', 'pa', 'si', 'ta', 'te', 'ur'] /etc/dconf/db/ibus.d/00-upstream-settings:east-europe=['be', 'csb', 'cv', 'et', 'ka', 'kk', 'ky', 'lt', 'lv', 'pl', 'ru', 'tt', 'uk', 'uz'] /etc/dconf/db/ibus.d/00-upstream-settings:australia=['mi'] /etc/dconf/db/ibus.d/00-upstream-settings:[desktop/ibus/general/hotkey] /etc/dconf/db/ibus.d/00-upstream-settings:next-engine=['Alt+Shift_L'] /etc/dconf/db/ibus.d/00-upstream-settings:disable-unconditional=@as [] /etc/dconf/db/ibus.d/00-upstream-settings:enable-unconditional=@as [] /etc/dconf/db/ibus.d/00-upstream-settings:triggers-no-modifiers=@as [] /etc/dconf/db/ibus.d/00-upstream-settings:trigger=['Control+space', 'Zenkaku_Hankaku', 'Alt+Kanji', 'Alt+grave', 'Hangul', 'Alt+Release+Alt_R'] /etc/dconf/db/ibus.d/00-upstream-settings:previous-engine=@as [] /etc/dconf/db/ibus.d/00-upstream-settings:prev-engine=@as [] /etc/dconf/db/ibus.d/00-upstream-settings:next-engine-in-menu=['Alt+Shift_L'] /etc/dconf/db/ibus.d/00-upstream-settings:triggers=['<Super>space'] /etc/dconf/db/ibus.d/00-upstream-settings:[desktop/ibus/panel] /etc/dconf/db/ibus.d/00-upstream-settings:x=-1 /etc/dconf/db/ibus.d/00-upstream-settings:y=-1 /etc/dconf/db/ibus.d/00-upstream-settings:lookup-table-orientation=1 /etc/dconf/db/ibus.d/00-upstream-settings:show=0 /etc/dconf/db/ibus.d/00-upstream-settings:show-im-name=false /etc/dconf/db/ibus.d/00-upstream-settings:custom-font='Sans 10' /etc/dconf/db/ibus.d/00-upstream-settings:show-icon-on-systray=true /etc/dconf/db/ibus.d/00-upstream-settings:use-custom-font=false Binary file /etc/dconf/db/gdm matches Binary file /etc/dconf/db/ibus matches I am able login using smartcard using tty. Using gdm it prompts for password first and then prompts for smartcard pin.
so your smartcard-auth file has: auth sufficient pam_sss.so allow_missing_name in it, which is what's asking for password. So this is either an sssd configuration problem or an authconfig bug. CC'ing sumit, since he probably has a better idea, but tentatively assigning to authconfig.
I'll try to reproduce Roshni, with which options did you call authconfig? bye, Sumit
Sumit, I used authconfig UI (authconfig-gtk) to make the change, the only change I made is enabling Smartcard login.
Thank you, I can reproduce the issue. For some reason there is a 'True' in /usr/share/authconfig/authinfo.py in line 755, but it should be 'False'. You might want to try to just edit the files directly and replace the 'True' by 'False'. Pavel, do you remember where you picked the patch added to the RHEL build because it looks both the patch attached to https://bugzilla.redhat.com/show_bug.cgi?id=1378943 and the upstream PR https://pagure.io/authconfig/pull-request/5 say 'False'? Can you also compare the patch added to the RHEL with the one reviewed by Tomas in the PR to see if there are other differences?
Thanks. I made a mistake when resolving conflicts for rhel version. I will fix it.
Using authconfig-6.2.8-23.el7.x86_64 I still see the issue. I am not using sssd but coolkey/opensc and pam_pkcs11 [root@dhcp129-77 ~]# cat /etc/pam.d/smartcard-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_sss.so allow_missing_name auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account required pam_permit.so password required pam_pkcs11.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so [root@dhcp129-77 ~]# cat /etc/pam.d/system-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so [root@dhcp129-77 ~]# cat /etc/pam.d/password-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so [root@dhcp129-77 ~]# cat /etc/sysconfig/authconfig CACHECREDENTIALS=yes FAILLOCKARGS="deny=4 unlock_time=1200" FORCELEGACY=no FORCESMARTCARD=no IPADOMAINJOINED=no IPAV2NONTP=no PASSWDALGORITHM=sha512 USEDB=no USEECRYPTFS=no USEFAILLOCK=no USEFPRINTD=no USEHESIOD=no USEIPAV2=no USEKERBEROS=no USELDAP=no USELDAPAUTH=no USELOCAUTHORIZE=yes USEMKHOMEDIR=no USENIS=no USEPAMACCESS=no USEPASSWDQC=no USEPWQUALITY=yes USESHADOW=yes USESMARTCARD=yes USESSSD=yes USESSSDAUTH=no USESYSNETAUTH=no USEWINBIND=no USEWINBINDAUTH=no WINBINDKRB5=no [root@dhcp129-77 ~]# grep . /etc/dconf/db -R /etc/dconf/db/distro.d/locks/10-authconfig-locks:/org/gnome/login-screen/enable-fingerprint-authentication /etc/dconf/db/distro.d/10-authconfig:# Generated by authconfig on 2017/04/19 11:36:03 /etc/dconf/db/distro.d/10-authconfig:[org/gnome/login-screen] /etc/dconf/db/distro.d/10-authconfig:enable-fingerprint-authentication=false Binary file /etc/dconf/db/site matches Binary file /etc/dconf/db/local matches Binary file /etc/dconf/db/distro matches /etc/dconf/db/ibus.d/00-upstream-settings:# This file is a part of the IBus packaging and should not be changed. /etc/dconf/db/ibus.d/00-upstream-settings:# /etc/dconf/db/ibus.d/00-upstream-settings:# Instead create your own file next to it with a higher numbered prefix, /etc/dconf/db/ibus.d/00-upstream-settings:# and run /etc/dconf/db/ibus.d/00-upstream-settings:# /etc/dconf/db/ibus.d/00-upstream-settings:# dconf update /etc/dconf/db/ibus.d/00-upstream-settings:# /etc/dconf/db/ibus.d/00-upstream-settings:[desktop/ibus/general] /etc/dconf/db/ibus.d/00-upstream-settings:dconf-preserve-name-prefixes=['/desktop/ibus/engine/pinyin', '/desktop/ibus/engine/bopomofo', '/desktop/ibus/engine/hangul'] /etc/dconf/db/ibus.d/00-upstream-settings:preload-engines-inited=false /etc/dconf/db/ibus.d/00-upstream-settings:use-system-keyboard-layout=false /etc/dconf/db/ibus.d/00-upstream-settings:embed-preedit-text=true /etc/dconf/db/ibus.d/00-upstream-settings:enable-by-default=false /etc/dconf/db/ibus.d/00-upstream-settings:use-global-engine=true /etc/dconf/db/ibus.d/00-upstream-settings:preload-engine-mode=0 /etc/dconf/db/ibus.d/00-upstream-settings:use-xmodmap=true /etc/dconf/db/ibus.d/00-upstream-settings:switcher-delay-time=400 /etc/dconf/db/ibus.d/00-upstream-settings:version='' /etc/dconf/db/ibus.d/00-upstream-settings:load-xkb-layouts=['us', 'us(chr)', 'us(dvorak)', 'ad', 'al', 'am', 'ara', 'az', 'ba', 'bd', 'be', 'bg', 'br', 'bt', 'by', 'de', 'dk', 'ca', 'ch', 'cn(tib)', 'cz', 'ee', 'epo', 'es', 'et', 'fi', 'fo', 'fr', 'gb', 'ge', 'ge(dsb)', 'ge(ru)', 'ge(os)', 'gh', 'gh(akan)', 'gh(ewe)', 'gh(fula)', 'gh(ga)', 'gh(hausa)', 'gn', 'gr', 'hu', 'hr', 'ie', 'ie(CloGaelach)', 'il', 'in', 'in(tel)', 'in(bolnagri)', 'iq', 'iq(ku)', 'ir', 'ir(ku)', 'is', 'it', 'jp', 'kg', 'kh', 'kz', 'la', 'latam', 'lk', 'lk(tam_unicode)', 'lt', 'lv', 'ma', 'ma(tifinagh)', 'mal', 'mao', 'me', 'mk', 'mm', 'mt', 'mv', 'ng', 'ng(hausa)', 'ng', 'ng(igbo)', 'ng(yoruba)', 'nl', 'no', 'no(smi)', 'np', 'pk', 'pl', 'pl(csb)', 'pt', 'ro', 'rs', 'ru', 'ru(cv)', 'ru(kom)', 'ru(sah)', 'ru(tt)', 'ru(xal)', 'se', 'si', 'sk', 'sy', 'sy(ku)', 'th', 'tj', 'tr', 'ua', 'uz', 'vn'] /etc/dconf/db/ibus.d/00-upstream-settings:engines-order=@as [] /etc/dconf/db/ibus.d/00-upstream-settings:preload-engines=@as [] /etc/dconf/db/ibus.d/00-upstream-settings:xkb-latin-layouts=['ara', 'bg', 'cz', 'dev', 'gr', 'gur', 'in', 'jp(kana)', 'mal', 'mkd', 'ru', 'ua'] /etc/dconf/db/ibus.d/00-upstream-settings:[desktop/ibus/general/xkblayoutconfig] /etc/dconf/db/ibus.d/00-upstream-settings:east-asia=['dz', 'km', 'lo', 'my', 'th', 'vi'] /etc/dconf/db/ibus.d/00-upstream-settings:center-asia=['bo', 'zh'] /etc/dconf/db/ibus.d/00-upstream-settings:north-europe=['da', 'fi', 'fo', 'is', 'no', 'se', 'sv'] /etc/dconf/db/ibus.d/00-upstream-settings:west-europe=['ca', 'cs', 'de', 'en', 'es', 'fr', 'gd', 'hu', 'it', 'nl', 'pt', 'sk', 'sl'] /etc/dconf/db/ibus.d/00-upstream-settings:group-list=['west_europe', 'south_europe', 'east_europe', 'north_europe', 'west_asia', 'center_asia', 'east_asia', 'india', 'australia'] /etc/dconf/db/ibus.d/00-upstream-settings:south-europe=['bg', 'bs', 'el', 'mk', 'mt', 'ro', 'sq', 'sr'] /etc/dconf/db/ibus.d/00-upstream-settings:west-asia=['am', 'ar', 'az', 'ber', 'fa', 'ha', 'he', 'hy', 'ig', 'ku', 'tg', 'tr', 'yo'] /etc/dconf/db/ibus.d/00-upstream-settings:india=['bn', 'dv', 'gu', 'hi', 'kn', 'ml', 'ne', 'or', 'pa', 'si', 'ta', 'te', 'ur'] /etc/dconf/db/ibus.d/00-upstream-settings:east-europe=['be', 'csb', 'cv', 'et', 'ka', 'kk', 'ky', 'lt', 'lv', 'pl', 'ru', 'tt', 'uk', 'uz'] /etc/dconf/db/ibus.d/00-upstream-settings:australia=['mi'] /etc/dconf/db/ibus.d/00-upstream-settings:[desktop/ibus/general/hotkey] /etc/dconf/db/ibus.d/00-upstream-settings:next-engine=['Alt+Shift_L'] /etc/dconf/db/ibus.d/00-upstream-settings:disable-unconditional=@as [] /etc/dconf/db/ibus.d/00-upstream-settings:enable-unconditional=@as [] /etc/dconf/db/ibus.d/00-upstream-settings:triggers-no-modifiers=@as [] /etc/dconf/db/ibus.d/00-upstream-settings:trigger=['Control+space', 'Zenkaku_Hankaku', 'Alt+Kanji', 'Alt+grave', 'Hangul', 'Alt+Release+Alt_R'] /etc/dconf/db/ibus.d/00-upstream-settings:previous-engine=@as [] /etc/dconf/db/ibus.d/00-upstream-settings:prev-engine=@as [] /etc/dconf/db/ibus.d/00-upstream-settings:next-engine-in-menu=['Alt+Shift_L'] /etc/dconf/db/ibus.d/00-upstream-settings:triggers=['<Super>space'] /etc/dconf/db/ibus.d/00-upstream-settings:[desktop/ibus/panel] /etc/dconf/db/ibus.d/00-upstream-settings:x=-1 /etc/dconf/db/ibus.d/00-upstream-settings:y=-1 /etc/dconf/db/ibus.d/00-upstream-settings:lookup-table-orientation=1 /etc/dconf/db/ibus.d/00-upstream-settings:show=0 /etc/dconf/db/ibus.d/00-upstream-settings:show-im-name=false /etc/dconf/db/ibus.d/00-upstream-settings:custom-font='Sans 10' /etc/dconf/db/ibus.d/00-upstream-settings:show-icon-on-systray=true /etc/dconf/db/ibus.d/00-upstream-settings:use-custom-font=false Binary file /etc/dconf/db/gdm matches Binary file /etc/dconf/db/ibus matches [root@dhcp129-77 ~]# cat /etc/pam_pkcs11/pam_pkcs11.conf # # Configuration file for pam_pkcs11 module # # Version 0.4 # Author: Juan Antonio Martinez <jonsito@teleline.es> # pam_pkcs11 { # Allow empty passwords nullok = true; # Enable debugging support. debug = false; # If the smart card is inserted, only use it card_only = true; # Do not prompt the user for the passwords but take them from the # PAM_ items instead. use_first_pass = false; # Do not prompt the user for the passwords unless PAM_(OLD)AUTHTOK # is unset. try_first_pass = false; # Like try_first_pass, but fail if the new PAM_AUTHTOK has not been # previously set (intended for stacking password modules only). use_authtok = false; # Filename of the PKCS #11 module. The default value is "default" use_pkcs11_module = coolkey; screen_savers = gnome-screensaver,xscreensaver,kscreensaver pkcs11_module coolkey { module = libcoolkeypk11.so; description = "Cool Key" # Slot-number to use. One for the first, two for the second and so # on. The default value is zero which means to use the first slot # with an available token. slot_num = 0; # Path to the directory where the NSS CA certificate database is stored. # you can mange the certs in this database with the certutil command in # the package nss-tools nss_dir = /etc/pki/nssdb; # Sets the Certificate verification policy. # "none" Performs no verification # "ca" Does CA check # "crl_online" Downloads the CRL form the location given by the # CRL distribution point extension of the certificate # "crl_offline" Uses the locally stored CRLs # "crl_auto" Is a combination of online and offline; it first # tries to download the CRL from a possibly given CRL # distribution point and if this fails, uses the local # CRLs # "ocsp_on" Turn on OCSP. # "signature" Does also a signature check to ensure that private # and public key matches # You can use a combination of ca,crl, and signature flags, or just # use "none". cert_policy = ca, signature; } pkcs11_module opensc { module = opensc-pkcs11.so; description = "OpenSC PKCS#11 module"; # Slot-number to use. One for the first, two for the second and so # on. The default value is zero which means to use the first slot # with an available token. slot_num = 0; nss_dir = /etc/pki/nssdb # Path to the directory where the CA certificates are stored. The # directory must contain an openssl hash-link to each certificate. # The default value is /etc/pam_pkcs11/cacerts. ca_dir = /etc/pam_pkcs11/cacerts; # Path to the directory where the CRLs are stored. The directory # must contain an openssl hash-link to each CRL. The default value # is /etc/pam_pkcs11/crls. crl_dir = /etc/pam_pkcs11/crls; # Sets the Certificate Policy, (see above) cert_policy = ca, signature; } # Default pkcs11 module pkcs11_module default { module = /usr/$LIB/pam_pkcs11/pkcs11_module.so; description = "Default pkcs#11 module"; slot_num = 0; ca_dir = /etc/pam_pkcs11/cacerts; crl_dir = /etc/pam_pkcs11/crls; cert_policy = ca, signature; } # Which mappers ( Cert to login ) to use? # you can use several mappers: # # subject - Cert Subject to login file based mapper # pwent - CN to getpwent() login or gecos fields mapper # ldap - LDAP mapper # opensc - Search certificate in ${HOME}/.eid/authorized_certificates # openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys # mail - Compare email fields from certificate # ms - Use Microsoft Universal Principal Name extension # krb - Compare againts Kerberos Principal Name # cn - Compare Common Name (CN) # uid - Compare Unique Identifier # digest - Certificate digest to login (mapfile based) mapper # generic - User defined certificate contents mapped # null - blind access/deny mapper # # You can select a comma-separated mapper list. # If used null mapper should be the last in the list :-) # Also you should select at least one mapper, otherwise # certificate will not match :-) use_mappers = cn, uid, pwent, null; # When no absolute path or module info is provided, use this # value as module search path # TODO: # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH mapper_search_path = /usr/$LIB/pam_pkcs11; # # Generic certificate contents mapper mapper generic { debug = true; module = /usr/$LIB/pam_pkcs11/generic_mapper.so; # ignore letter case on match/compare ignorecase = false; # Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid" cert_item = cn; # Define mapfile if needed, else select "none" mapfile = file:///etc/pam_pkcs11/generic_mapping # Decide if use getpwent() to map login use_getpwent = false; } # Certificate Subject to login based mapper # provided file stores one or more "Subject -> login" lines mapper subject { debug = false; # module = /usr/$LIB/pam_pkcs11/subject_mapper.so; module = internal; ignorecase = false; mapfile = file:///etc/pam_pkcs11/subject_mapping; } # Search public keys from $HOME/.ssh/authorized_keys to match users mapper openssh { debug = false; module = /usr/$LIB/pam_pkcs11/openssh_mapper.so; } # Search certificates from $HOME/.eid/authorized_certificates to match users mapper opensc { debug = false; module = /usr/$LIB/pam_pkcs11/opensc_mapper.so; } # Certificate Common Name ( CN ) to getpwent() mapper mapper pwent { debug = false; ignorecase = false; module = internal; # module = /usr/$LIB/pam_pkcs11/pwent_mapper.so; } # Null ( no map ) mapper. when user as finder matchs to NULL or "nobody" mapper null { debug = false; # module = /usr/$LIB/pam_pkcs11/null_mapper.so; module = internal ; # select behavior: always match, or always fail default_match = false; # on match, select returned user default_user = nobody ; } # Directory ( ldap style ) mapper mapper ldap { debug = false; module = /usr/$LIB/pam_pkcs11/ldap_mapper.so; # where base directory resides basedir = /etc/pam_pkcs11/mapdir; # hostname of ldap server ldaphost = "localhost"; # Port on ldap server to connect ldapport = 389; # Scope of search: 0 = x, 1 = y, 2 = z scope = 2; # DN to bind with. Must have read-access for user entries under "base" binddn = "cn=pam,o=example,c=com"; # Password for above DN passwd = "test"; # Searchbase for user entries base = "ou=People,o=example,c=com"; # Attribute of user entry which contains the certificate attribute = "userCertificate"; # Searchfilter for user entry. Must only let pass user entry for the login user. filter = "(&(objectClass=posixAccount)(uid=%s))" } # Assume common name (CN) to be the login mapper cn { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/cn_mapper.so; ignorecase = true; mapfile = file:///etc/pam_pkcs11/cn_map; } # mail - Compare email field from certificate mapper mail { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/mail_mapper.so; # Declare mapfile or # leave empty "" or "none" to use no map mapfile = file:///etc/pam_pkcs11/mail_mapping; # Some certs store email in uppercase. take care on this ignorecase = true; # Also check that host matches mx domain # when using mapfile this feature is ignored ignoredomain = false; } # ms - Use Microsoft Universal Principal Name extension # UPN is in format login@ADS_Domain. No map is needed, just # check domain name. mapper ms { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/ms_mapper.so; ignorecase = false; ignoredomain = false; domain = "domain.com"; } # krb - Compare againts Kerberos Principal Name mapper krb { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/krb_mapper.so; ignorecase = false; mapfile = "none"; } # uid - Maps Subject Unique Identifier field (if exist) to login mapper uid { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/uid_mapper.so; ignorecase = false; mapfile = "none"; } # digest - elaborate certificate digest and map it into a file mapper digest { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/digest_mapper.so; # algorithm used to evaluate certificate digest # Select one of: # "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160" algorithm = "sha1"; mapfile = file:///etc/pam_pkcs11/digest_mapping; # mapfile = "none"; } }
Roshni, what authconfig options have you used?
Pavel, I have pasted my authconfig info in comment 15 [root@dhcp129-77 ~]# cat /etc/sysconfig/authconfig CACHECREDENTIALS=yes FAILLOCKARGS="deny=4 unlock_time=1200" FORCELEGACY=no FORCESMARTCARD=no IPADOMAINJOINED=no IPAV2NONTP=no PASSWDALGORITHM=sha512 USEDB=no USEECRYPTFS=no USEFAILLOCK=no USEFPRINTD=no USEHESIOD=no USEIPAV2=no USEKERBEROS=no USELDAP=no USELDAPAUTH=no USELOCAUTHORIZE=yes USEMKHOMEDIR=no USENIS=no USEPAMACCESS=no USEPASSWDQC=no USEPWQUALITY=yes USESHADOW=yes USESMARTCARD=yes USESSSD=yes USESSSDAUTH=no USESYSNETAUTH=no USEWINBIND=no USEWINBINDAUTH=no WINBINDKRB5=no
(In reply to Roshni from comment #15) > Using authconfig-6.2.8-23.el7.x86_64 I still see the issue. I am not using > sssd but coolkey/opensc and pam_pkcs11 > > [root@dhcp129-77 ~]# cat /etc/pam.d/smartcard-auth > #%PAM-1.0 > # This file is auto-generated. > # User changes will be destroyed the next time authconfig is run. > auth required pam_env.so > auth sufficient pam_sss.so allow_missing_name I think here is the issue. pam_sss shouldn't be present here. But when trying to re-produce with authconfig-gtk-6.2.8-23.el7.x86_64 authconfig-6.2.8-23.el7.x86_64 I cannot get into this state. I only get the pam_pkcs11 line which is the expected one here. Can you re-test and give me access to the system if you still see pam_sss and pam_pkcs11 together? bye, Sumit > auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug > wait_for_card > auth required pam_deny.so > > account required pam_unix.so > account sufficient pam_localuser.so > account sufficient pam_succeed_if.so uid < 1000 quiet > account required pam_permit.so > > password required pam_pkcs11.so > > session optional pam_keyinit.so revoke > session required pam_limits.so > -session optional pam_systemd.so > session [success=1 default=ignore] pam_succeed_if.so service in crond > quiet use_uid > session required pam_unix.so
[root@dhcp129-77 ~]# rpm -qi authconfig Name : authconfig Version : 6.2.8 Release : 23.el7 Architecture: x86_64 Install Date: Fri 28 Apr 2017 10:48:45 AM EDT Group : System Environment/Base Size : 2314510 License : GPLv2+ Signature : (none) Source RPM : authconfig-6.2.8-23.el7.src.rpm Build Date : Fri 28 Apr 2017 07:27:25 AM EDT Build Host : x86-030.build.eng.bos.redhat.com Relocations : (not relocatable) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Vendor : Red Hat, Inc. URL : https://fedorahosted.org/authconfig Summary : Command line tool for setting up authentication from network services no prompt for password seen during gdm login. Everything works as expected.
Just some short explanations. authconfig-gtk does not update any files if there is no change in the configuration, i.e. is behaves similar to 'authconfig --update', and there is no way to force re-writing the files like --updateall option of authconfig does. While testing with the old authconfig version a broken /etc/pam-d/smartcard-auth was created. After updating authconfig-gtk was called and the 'Apply' button was pressed because the 'Smartcard authentication' box was already checked. As explained above no files was changed because the configuration didn't change. To fix the file either authconfig --updateall can be called from the command line or with authconfig-gtk 'Smartcard authentication' must be disable first and the re-enabled in a second step.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:2285