Description of problem: Authentication configuration has screen lock set for smart card authentication. The Screen is not locked when the Gemalto 64K smart card is removed. Version-Release number of selected component (if applicable): gnome-screensaver-2.16.1-8.el5_7.5 coolkey-1.1.0-16.1.el5 ccid-1.3.8-2.el5 RHEL 5.10 How reproducible: always Steps to Reproduce: 1. Smart Card authentication configuration should have setting Lock screen 2. Restart the machine and relogin using the smart card 3. Remove the Smart Card Actual results: Screen does not lock when card is removed. Expected results: Screen should be locked and prompt for Smart Card pin. Additional info:
why is this filed against gnome-desktop? That's clearly the wrong component. It looks like coolkey was updated for 5.10, so that's the most likely candidate. reassigning.
You have a machine that actually exhibits this problem. I have not been able to reproduce this... I'd like to be able to poke at the machine... Thanks, bob
https://bugzilla.redhat.com/show_bug.cgi?id=950716 may be related.
Is that regression or something what was present even in RHEL-5.9? We are now in RC blocker phase.
This is a regression. It was not in RHEL 5.9.
I actually think it's not a regression, it's a very difficult to reproduce issue. There are customer reports on RHEL 5.9 that report similiar issues. I bring that up primarily because the issue may not have been caused by a changed component, but may exist in some component that wasn't changed in the RHEL 5.10 timeframe. The fact that we have a reproducer is big! bob
This turns out to be an environmental issue. It appears that somehow the dynamic load library path is messed up in gnome screen saver, so coolkey isn't getting loaded from opening /etc/pki/nssdb like it does in other apps. gnome screen-saver has a backup, where it explicitly loads libcoolkey, but that is failing because of a bug. I'll attached a patch that resolves the previous but, and restores unlock behavior in gnome screensaver. PS this doesn't appear to have anything to do with the potential related bug I listed in comment 4. bob
Created attachment 790712 [details] Fix the backup coolkey load code to actually load coolkey Here's a patch for gnome-screensaver that fixed the problem.
a bummer that it's not the related bug. thank you for investigating. Roshni, did you change LD_LIBRARY_PATH in your ~/.bashrc or ~/.bash_profile?
Ray, I did not change anything in the files specified in comment 14.
Do you mind pasting the output of strings /proc/$(/sbin/pidof gnome-screensaver)/environ ?
Also noticed, if the "Lock Screen when card is removed" is set, after logging in with the smart the screen locks even when the card is still inserted and have to log in again.
roshni, do you mind pasting the output of strings /proc/$(/sbin/pidof gnome-screensaver)/environ ?
Ray, This issue should be release noted, could you add the details to RHEL 5.10 release note? thanks, Asha
sh-3.2$ strings /proc/$(/sbin/pidof gnome-screensaver)/environ SSH_AGENT_PID=4313 HOSTNAME=dhcp129-114.rdu.redhat.com TERM=dumb SHELL=/bin/sh HISTSIZE=1000 USER=kdcuser2 LS_COLORS= PKCS11_LOGIN_CERT_ISSUER=CN=Certificate Authority,OU=pki-ca,O=IdmLabEngRduRedhat Domain SSH_AUTH_SOCK=/tmp/ssh-Tywfbc4277/agent.4277 USERNAME=kdcuser2 PKCS11_LOGIN_CERT_SERIAL=2B MAIL=/var/spool/mail/kdcuser2 PATH=/usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin DESKTOP_SESSION=default GDM_XSERVER_LOCATION=local INPUTRC=/etc/inputrc PWD=/home/kdcuser2 XMODIFIERS=@im=none LANG=en_US.UTF-8 GDMSESSION=default SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass SHLVL=1 HOME=/home/kdcuser2 PKCS11_LOGIN_TOKEN_NAME=kdcuser2 LOGNAME=kdcuser2 LESSOPEN=|/usr/bin/lesspipe.sh %s DISPLAY=:0 G_BROKEN_FILENAMES=1 XAUTHORITY=/tmp/.gdm5CPAGX _=/usr/bin/dbus-launch DBUS_STARTER_ADDRESS=unix:abstract=/tmp/dbus-ZzFtG4sAFv,guid=8a569c636f32102dea997f00537242a6 DBUS_STARTER_BUS_TYPE=session DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-ZzFtG4sAFv,guid=8a569c636f32102dea997f00537242a6