Bug 1358039 - Coolkey 1.1.0-37 breaks sudo functionality and screensaver unlock of smartcard login.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: coolkey
Version: 6.8
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: 6.9
Assignee: Bob Relyea
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-19 21:47 UTC by Chinmay Paradkar
Modified: 2017-08-15 00:50 UTC (History)

Fixed In Version: coolkey-1.1.0-38.el6
Doc Type: Bug Fix
Doc Text:
Cause: The coolkey update in RHEL 6.8 updated the coolkey cache file format, but did not rename the cache file. Consequence: If the new coolkey started with an old cache file it could become confused. Fix: Removing the cache file would clear the old error. Coolkey has been updated in RHEL 6.9 to use a new name for the cache file, so updating coolkey will also solve the issue.
Clone Of:
Environment:
Last Closed: 2017-03-21 11:44:35 UTC




Links
System: Red Hat Product Errata
ID: RHBA-2017:0776
Priority: normal
Status: SHIPPED_LIVE
Summary: coolkey bug fix and enhancement update
Last Updated: 2017-03-21 12:48:43 UTC

Description Chinmay Paradkar 2016-07-19 21:47:30 UTC
Description of problem:
Upgrading from coolkey 1.1.0-35 to 1.1.0-37 breaks smart card functionality for sudo functionality and screensaver unlock.  

With coolkey 1.1.0-35 users can login to gnome, open a terminal session and use sudo -i, which then prompts the user for the smart card PIN to use those credentials to authorize sudo.

After upgrading to coolkey 1.1.0-37 the sudo command displays the prompt 'Please insert your smart card called "FIRST.LAST.EDIPI"' and freezes there. Additional functionality regarding the gnome screensaver and unlocking with smart cards also fails.

Version-Release number of selected component (if applicable):
coolkey-1.1.0-37

How reproducible:
Always

Steps to Reproduce:
1. Standard setup.
2.
3.

Actual results:
Failure

Expected results:
Work as expected

Additional info:
This appears to be caused by a change in how the coolkey libraries access files under /var/cache/coolkey. Both versions have the files under this directory with permissions of 600, owner root, group owner of the user.

Workaround for coolkey 1.1.0-37: chowning the user's file from root to the user in question fixes the issues.
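
The ownership state in the report (mode 600, owner root, group of the user) is exactly the combination that denies the user's own process read access, because the group bits carry no read permission and the owner bits belong to root. The following checker, added here as an example and not coolkey's own code, decides readability from the stat() bits alone, lists cache files a given user could not open, and emits the report's chown workaround for review rather than running it; the cache directory is a parameter (the report's is /var/cache/coolkey), the files created by demo() are constructed, and the "other user" there is a hypothetical uid.

```python
"""Check from stat() bits alone whether a given user could open the files in
a coolkey cache directory, so the state from the report (mode 600, owner root,
group = the user) is caught before sudo or the screensaver hangs on it.

Added example for this page, not coolkey's own code.  The directory path is a
parameter (the report's is /var/cache/coolkey); the files in demo() are
constructed, and the "other user" there is a hypothetical uid.
"""
import os
import stat
import tempfile
import types


def user_can_read(st, uid, gids):
    """POSIX DAC read decision: owner bits if the uid owns the file, else group
    bits if one of the user's gids matches, else 'other' bits.  uid 0 bypasses DAC."""
    if uid == 0:
        return True
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def fake_stat(mode, uid, gid):
    """A stat-like record for exercising the decision without touching the disk."""
    return types.SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid)


def unreadable_cache_files(cache_dir, uid, gids):
    """[(name, owner uid, mode)] for regular files in cache_dir the user cannot read."""
    found = []
    for name in sorted(os.listdir(cache_dir)):
        st = os.lstat(os.path.join(cache_dir, name))
        if stat.S_ISREG(st.st_mode) and not user_can_read(st, uid, gids):
            found.append((name, st.st_uid, oct(stat.S_IMODE(st.st_mode))))
    return found


def chown_commands(cache_dir, findings, username):
    """The report's workaround (chown the user's file to the user), emitted for
    review instead of being executed by the checker."""
    return ["chown %s %s" % (username, os.path.join(cache_dir, name))
            for name, _uid, _mode in findings]


def demo():
    """Constructed reproduction of the bad state in a temp directory: a 0600 file
    owned by this process, checked for a hypothetical other uid that is in the
    file's group.  Returns the unreadable names before and after loosening to 0640."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cache-file")
        open(path, "w").close()
        os.chmod(path, 0o600)
        gid = os.stat(path).st_gid
        other_uid = os.getuid() + 1  # hypothetical user, not a real account
        before = [n for n, _, _ in unreadable_cache_files(d, other_uid, {gid})]
        os.chmod(path, 0o640)
        after = [n for n, _, _ in unreadable_cache_files(d, other_uid, {gid})]
    return before, after


if __name__ == "__main__":
    print(demo())
```

The decision function takes the user's full gid set rather than a single gid, so a cache file whose group is one of the user's supplementary groups is judged correctly; the report's case (group = the user's primary group, no group read bit) still comes out unreadable.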

Comment 4 Matt Titus 2016-09-19 13:04:37 UTC
It appears this extends to gnome based applications which require smart card support as well (i.e. Firefox and SmartCard Manager), though only for UID 500 on a fresh installation. Interestingly enough, aside from the broken sudo & su behavior, all other pkcs11_* testing works as intended.

How reproducible:
Always

Steps to reproduce:
1.  Install OS with 'Basic Desktop'
2.  Install pcsc-lite coolkey and escd
3.  Configure Security device in firefox
4.  Insert SmartCard

Actual results:
No notification that SmartCard is inserted via SmartCard Manager, nor do PKI websites work inside of firefox and the reading of the security device in FireFox fails.

Expected Results:
SmartCard Manager would notify the SmartCard was inserted, Firefox should be able to view details of the card in the security device.

Workaround:
The workaround listed above by altering the ownership of the /var/cache/coolkey file for the user in question corrects this behavior.

Comment 5 Bob Relyea 2016-10-03 22:50:58 UTC
I think this is a problem between the old and new cache values. When you read a card with an old (pre-coolkey-36) cache value coolkey will fail. I'll patch -38 with code that will use a new name for the new cache value to fix this.

In the meantime you can fix the issue by removing /var/cache/coolkey/*.

bob
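
The fix described in the Doc Text and in comment 5 is a naming rule: when the cache format changes, the new code writes and reads a differently named file, so a file written in the old layout is never parsed as the new one. The following sketch, added here as an example and not coolkey's code, shows that rule together with a header check that turns a stale, foreign or truncated cache file into an ordinary cache miss instead of an error in the PKCS#11 path; the magic string, header layout and file names are constructed.

```python
"""Version-tagged cache file: a new format gets a new file name, and the reader
validates a header so that anything it does not recognise is a cache miss.

Added example for this page, not coolkey's code.  The magic string, header
layout and file naming are constructed, not the real coolkey cache format.
"""
import os
import struct
import tempfile

MAGIC = b"CKCACHE"  # constructed magic, not coolkey's real on-disk format


def cache_path(cache_dir, card_id, fmt_version):
    """Name the file by format version so two layouts never share a path."""
    return os.path.join(cache_dir, "%s.v%d" % (card_id, fmt_version))


def write_cache(path, fmt_version, payload):
    """Header: magic, 16-bit format version, 32-bit payload length, then payload."""
    header = MAGIC + struct.pack(">HI", fmt_version, len(payload))
    with open(path, "wb") as f:
        f.write(header + payload)


def read_cache(path, expected_version):
    """Return the payload, or None (treat as a cache miss) when the file is
    absent, has another magic or version, or is truncated or padded.  The
    caller falls back to reading the card; it never sees an exception."""
    try:
        with open(path, "rb") as f:
            data = f.read()
    except OSError:
        return None
    hdr_len = len(MAGIC) + 6
    if len(data) < hdr_len or data[:len(MAGIC)] != MAGIC:
        return None
    version, size = struct.unpack(">HI", data[len(MAGIC):hdr_len])
    if version != expected_version or len(data) != hdr_len + size:
        return None
    return data[hdr_len:]


def demo():
    """Constructed run: a version-1 file exists; a version-2 reader neither
    opens it (different name) nor accepts it if pointed at it directly."""
    with tempfile.TemporaryDirectory() as d:
        old = cache_path(d, "card0", 1)
        write_cache(old, 1, b"old layout")
        new = cache_path(d, "card0", 2)
        stale = read_cache(new, 2)   # no v2 file yet: cache miss, not confusion
        wrong = read_cache(old, 2)   # old file, new reader: rejected by the header
        write_cache(new, 2, b"new layout")
        fresh = read_cache(new, 2)
    return stale, wrong, fresh


if __name__ == "__main__":
    print(demo())
```

Either safeguard alone would have avoided the hang described in the report; together they also cover a file left behind by a downgrade or a partial write.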

Comment 6 Bob Relyea 2016-10-11 21:18:57 UTC
fixed in coolkey-1.1.0-38.el6

Comment 8 Roshni 2016-11-21 19:08:49 UTC
[root@dhcp129-152 ~]# rpm -qi coolkey
Name        : coolkey                      Relocations: (not relocatable)
Version     : 1.1.0                             Vendor: Red Hat, Inc.
Release     : 38.el6                        Build Date: Tue 04 Oct 2016 08:18:55 PM EDT
Install Date: Wed 16 Nov 2016 02:33:04 PM EST      Build Host: x86-033.build.eng.bos.redhat.com
Group       : System Environment/Libraries   Source RPM: coolkey-1.1.0-38.el6.src.rpm
Size        : 254698                           License: LGPLv2
Signature   : RSA/8, Wed 09 Nov 2016 04:28:50 PM EST, Key ID 938a80caf21541eb
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://directory.fedora.redhat.com/wiki/CoolKey
Summary     : CoolKey PKCS #11 module
Description :
Linux Driver support for the CoolKey and CAC products.


Noticed the following:

1. Add the kerberos user to the /etc/sudoers file as follows

root    ALL=(ALL)       ALL
kdcuser2        ALL=(ALL)       ALL

2. Reboot the client and attempt smartcard login. Login fails; the following are the log messages

/var/log/messages

Nov 21 13:48:33 dhcp129-152 dbus: [system] Rejected send message, 1 matched rules; type="method_call", sender=":1.27" (uid=42 pid=3672 comm="gnome-power-manager) interface="org.freedesktop.Hal.Device.LaptopPanel" member="SetBrightness" error name="(unset)" requested_reply=0 destination=":1.6" (uid=0 pid=2946 comm="hald))
Nov 21 13:48:36 dhcp129-152 pam: gdm-smartcard: argument card_only is not supported by this module
Nov 21 13:48:36 dhcp129-152 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:076b/3021:libhal:/org/freedesktop/Hal/devices/usb_device_76b_3021_noserial_if0 (lun: 0)
Nov 21 13:48:36 dhcp129-152 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:076b/3021:libhal:/org/freedesktop/Hal/devices/usb_device_76b_3021_noserial_if0 (lun: 0)
Nov 21 13:48:36 dhcp129-152 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:076b/3021:libhal:/org/freedesktop/Hal/devices/usb_device_76b_3021_noserial_if0 (lun: 0)
Nov 21 13:48:36 dhcp129-152 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:076b/3021:libhal:/org/freedesktop/Hal/devices/usb_device_76b_3021_noserial_if0 (lun: 0)
Nov 21 13:48:36 dhcp129-152 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:076b/3021:libhal:/org/freedesktop/Hal/devices/usb_device_76b_3021_noserial_if0 (lun: 0)
Nov 21 13:48:36 dhcp129-152 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:076b/3021:libhal:/org/freedesktop/Hal/devices/usb_device_76b_3021_noserial_if0 (lun: 0)
Nov 21 13:48:42 dhcp129-152 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:076b/3021:libhal:/org/freedesktop/Hal/devices/usb_device_76b_3021_noserial_if0 (lun: 0)
Nov 21 13:48:42 dhcp129-152 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:076b/3021:libhal:/org/freedesktop/Hal/devices/usb_device_76b_3021_noserial_if0 (lun: 0)
Nov 21 13:48:43 dhcp129-152 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:076b/3021:libhal:/org/freedesktop/Hal/devices/usb_device_76b_3021_noserial_if0 (lun: 0)
Nov 21 13:48:43 dhcp129-152 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:076b/3021:libhal:/org/freedesktop/Hal/devices/usb_device_76b_3021_noserial_if0 (lun: 0)
Nov 21 13:48:43 dhcp129-152 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:076b/3021:libhal:/org/freedesktop/Hal/devices/usb_device_76b_3021_noserial_if0 (lun: 0)
Nov 21 13:48:43 dhcp129-152 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:076b/3021:libhal:/org/freedesktop/Hal/devices/usb_device_76b_3021_noserial_if0 (lun: 0)
Nov 21 13:48:43 dhcp129-152 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:076b/3021:libhal:/org/freedesktop/Hal/devices/usb_device_76b_3021_noserial_if0 (lun: 0)
Nov 21 13:48:44 dhcp129-152 nslcd[2851]: [3ab105] failed to bind to LDAP server ldap://qe-blade-06.idmqe.lab.eng.bos.redhat.com:8389: Can't contact LDAP server: Connection refused
Nov 21 13:48:44 dhcp129-152 nslcd[2851]: [3ab105] no available LDAP server found, sleeping 1 seconds
Nov 21 13:48:45 dhcp129-152 nslcd[2851]: [3ab105] failed to bind to LDAP server ldap://qe-blade-06.idmqe.lab.eng.bos.redhat.com:8389: Can't contact LDAP server: Connection refused
Nov 21 13:48:45 dhcp129-152 nslcd[2851]: [3ab105] no available LDAP server found, sleeping 1 seconds
Nov 21 13:48:46 dhcp129-152 nslcd[2851]: [3ab105] failed to bind to LDAP server ldap://qe-blade-06.idmqe.lab.eng.bos.redhat.com:8389: Can't contact LDAP server: Connection refused
Nov 21 13:48:46 dhcp129-152 nslcd[2851]: [3ab105] no available LDAP server found, sleeping 1 seconds
Nov 21 13:48:47 dhcp129-152 nslcd[2851]: [3ab105] failed to bind to LDAP server ldap://qe-blade-06.idmqe.lab.eng.bos.redhat.com:8389: Can't contact LDAP server: Connection refused
Nov 21 13:48:47 dhcp129-152 nslcd[2851]: [3ab105] no available LDAP server found, sleeping 1 seconds
Nov 21 13:48:48 dhcp129-152 nslcd[2851]: [3ab105] failed to bind to LDAP server ldap://qe-blade-06.idmqe.lab.eng.bos.redhat.com:8389: Can't contact LDAP server: Connection refused
Nov 21 13:48:48 dhcp129-152 nslcd[2851]: [3ab105] no available LDAP server found, sleeping 1 seconds
Nov 21 13:48:49 dhcp129-152 nslcd[2851]: [3ab105] failed to bind to LDAP server ldap://qe-blade-06.idmqe.lab.eng.bos.redhat.com:8389: Can't contact LDAP server: Connection refused
Nov 21 13:48:49 dhcp129-152 nslcd[2851]: [3ab105] no available LDAP server found, sleeping 1 seconds
Nov 21 13:48:50 dhcp129-152 nslcd[2851]: [3ab105] failed to bind to LDAP server ldap://qe-blade-06.idmqe.lab.eng.bos.redhat.com:8389: Can't contact LDAP server: Connection refused
Nov 21 13:48:50 dhcp129-152 nslcd[2851]: [3ab105] no available LDAP server found, sleeping 1 seconds
Nov 21 13:48:51 dhcp129-152 nslcd[2851]: [3ab105] failed to bind to LDAP server ldap://qe-blade-06.idmqe.lab.eng.bos.redhat.com:8389: Can't contact LDAP server: Connection refused
Nov 21 13:48:51 dhcp129-152 nslcd[2851]: [3ab105] no available LDAP server found, sleeping 1 seconds
Nov 21 13:48:52 dhcp129-152 nslcd[2851]: [3ab105] failed to bind to LDAP server ldap://qe-blade-06.idmqe.lab.eng.bos.redhat.com:8389: Can't contact LDAP server: Connection refused
Nov 21 13:48:52 dhcp129-152 nslcd[2851]: [3ab105] no available LDAP server found, sleeping 1 seconds
Nov 21 13:48:53 dhcp129-152 nslcd[2851]: [3ab105] failed to bind to LDAP server ldap://qe-blade-06.idmqe.lab.eng.bos.redhat.com:8389: Can't contact LDAP server: Connection refused
Nov 21 13:48:53 dhcp129-152 nslcd[2851]: [3ab105] no available LDAP server found
Nov 21 13:48:53 dhcp129-152 dbus: [system] Rejected send message, 1 matched rules; type="method_call", sender=":1.27" (uid=42 pid=3672 comm="gnome-power-manager) interface="org.freedesktop.Hal.Device.LaptopPanel" member="SetBrightness" error name="(unset)" requested_reply=0 destination=":1.6" (uid=0 pid=2946 comm="hald))


/var/log/secure

Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: debug
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flags: forwardable
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: no ignore_afs
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: no null_afs
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: cred_session
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: user_check
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: no krb4_convert
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: krb4_convert_524
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: krb4_use_as_req
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: will try previously set password first
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: will not let libkrb5 ask questions
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: no use_shmem
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: no external
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: no multiple_ccaches
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: validate
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: warn
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: ticket lifetime: 3600s (0d,1h,0m,0s)
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: renewable lifetime: 10800s (0d,3h,0m,0s)
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: banner: Kerberos 5
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: ccache dir: /tmp
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: keytab: FILE:/etc/krb5.keytab
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: token strategy: v4,524,2b,rxk5
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: called to authenticate 'kdcuser2', realm 'EXAMPLE.COM'
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: authenticating 'kdcuser2@EXAMPLE.COM'
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: trying previously-entered password for 'kdcuser2'
Nov 21 13:48:43 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: authenticating 'kdcuser2@EXAMPLE.COM' to 'krbtgt/EXAMPLE.COM@EXAMPLE.COM'
Nov 21 13:48:44 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@EXAMPLE.COM) returned 0 (Success)
Nov 21 13:48:44 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: validating credentials
Nov 21 13:48:44 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: error reading keytab 'FILE:/etc/krb5.keytab'
Nov 21 13:48:44 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: TGT verified
Nov 21 13:48:44 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: got result 0 (Success)
Nov 21 13:48:44 dhcp129-152 pam: gdm-smartcard: pam_krb5[3816]: saving v5 credentials to 'MEMORY:_pam_krb5_tmp_s_kdcuser2@EXAMPLE.COM-0' for internal use
Nov 21 13:48:44 dhcp129-152 pam: gdm-smartcard: pam_krb5[3816]: copied credentials from "MEMORY:_pam_krb5_tmp_s_kdcuser2@EXAMPLE.COM-0" to "FILE:/tmp/krb5cc_501_sbxC6P" for the user, destroying "MEMORY:_pam_krb5_tmp_s_kdcuser2@EXAMPLE.COM-0"
Nov 21 13:48:44 dhcp129-152 pam: gdm-smartcard: pam_krb5[3816]: created v5 ccache 'FILE:/tmp/krb5cc_501_dA2AcU' for 'kdcuser2'
Nov 21 13:48:44 dhcp129-152 pam: gdm-smartcard: pam_krb5[3816]: krb5_kuserok() says 1
Nov 21 13:48:44 dhcp129-152 pam: gdm-smartcard: pam_krb5[3816]: removing ccache 'FILE:/tmp/krb5cc_501_dA2AcU'
Nov 21 13:48:44 dhcp129-152 pam: gdm-smartcard: pam_krb5[3816]: destroyed ccache 'FILE:/tmp/krb5cc_501_dA2AcU'
Nov 21 13:48:44 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: 'kdcuser2@EXAMPLE.COM' passes .k5login check for 'kdcuser2'
Nov 21 13:48:44 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: authentication succeeds for 'kdcuser2' (kdcuser2@EXAMPLE.COM)
Nov 21 13:48:44 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: pam_authenticate returning 0 (Success)
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_unix(gdm-smartcard:account): could not identify user (from getpwnam(kdcuser2))
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: debug
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flags: forwardable
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: no ignore_afs
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: no null_afs
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: cred_session
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: user_check
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: no krb4_convert
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: krb4_convert_524
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: krb4_use_as_req
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: will try previously set password first
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: will ask for a password if that fails
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: will let libkrb5 ask questions
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: no use_shmem
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: no external
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: no multiple_ccaches
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: validate
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: flag: warn
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: ticket lifetime: 3600s (0d,1h,0m,0s)
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: renewable lifetime: 10800s (0d,3h,0m,0s)
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: banner: Kerberos 5
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: ccache dir: /tmp
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: keytab: FILE:/etc/krb5.keytab
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: token strategy: v4,524,2b,rxk5
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: account management succeeds for 'kdcuser2'
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3827]: saving v5 credentials to 'MEMORY:_pam_krb5_tmp_s_kdcuser2@EXAMPLE.COM-0' for internal use
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3827]: copied credentials from "MEMORY:_pam_krb5_tmp_s_kdcuser2@EXAMPLE.COM-0" to "FILE:/tmp/krb5cc_501_qFJMPR" for the user, destroying "MEMORY:_pam_krb5_tmp_s_kdcuser2@EXAMPLE.COM-0"
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3827]: created v5 ccache 'FILE:/tmp/krb5cc_501_BSZaEW' for 'kdcuser2'
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3827]: krb5_kuserok() says 1
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3827]: removing ccache 'FILE:/tmp/krb5cc_501_BSZaEW'
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3827]: destroyed ccache 'FILE:/tmp/krb5cc_501_BSZaEW'
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: 'kdcuser2@EXAMPLE.COM' passes .k5login check for 'kdcuser2'
Nov 21 13:48:53 dhcp129-152 pam: gdm-smartcard: pam_krb5[3726]: pam_acct_mgmt returning 0 (Success)


I am not sure what exactly is causing this issue, because I do see the same even after removing the kerberos user from the sudoers file. But after multiple restarts the smartcard login is successful.

Comment 9 Roshni 2016-11-30 15:46:14 UTC
Adding TestBlocker because of the issue explained in comment 8; I am unable to do further testing using smartcards unless the OS is re-installed.

Comment 10 Bob Relyea 2016-12-13 02:09:14 UTC
So I've tried this on my machine, and I'm able to add my user to the sudo list and still log in. The difference is I'm using cn=, not kerberos. I think I'll have to look at your machine to see what is going on.

Comment 11 Roshni 2016-12-13 20:33:14 UTC
[root@dhcp129-152 ~]# rpm -qi coolkey
Name        : coolkey                      Relocations: (not relocatable)
Version     : 1.1.0                             Vendor: Red Hat, Inc.
Release     : 39.el6                        Build Date: Wed 07 Dec 2016 07:31:44 PM EST
Install Date: Mon 12 Dec 2016 01:31:40 PM EST      Build Host: x86-033.build.eng.bos.redhat.com
Group       : System Environment/Libraries   Source RPM: coolkey-1.1.0-39.el6.src.rpm
Size        : 254698                           License: LGPLv2
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://directory.fedora.redhat.com/wiki/CoolKey
Summary     : CoolKey PKCS #11 module

Verification steps:

1. Modify /etc/pam.d/system-auth as follows

auth        required      pam_env.so
auth        [success=3 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver:sudo quiet use_uid
auth        [success=ok authinfo_unavail=2 ignore=2 default=die] pam_pkcs11.so card_only
auth        optional      pam_krb5.so use_first_pass no_subsequent_prompt preauth_options=X509_user_identity=PKCS11:/usr/lib64/pkcs11/libcoolkeypk11.so
auth        sufficient    pam_permit.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

2. Login using smartcard with the kerberos user

3. 
sh-4.1$ sudo yum -y install gcc
Found the Smart card.
Welcome kdcuser30!
Smart card PIN: 
Loaded plugins: product-id, refresh-packagekit, search-disabled-repos, security,
              : subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package gcc.x86_64 0:4.4.7-18.el6 will be installed
--> Processing Dependency: cpp = 4.4.7-18.el6 for package: gcc-4.4.7-18.el6.x86_64
--> Processing Dependency: cloog-ppl >= 0.15 for package: gcc-4.4.7-18.el6.x86_64
--> Running transaction check
---> Package cloog-ppl.x86_64 0:0.15.7-1.2.el6 will be installed
--> Processing Dependency: libppl.so.7()(64bit) for package: cloog-ppl-0.15.7-1.2.el6.x86_64
--> Processing Dependency: libppl_c.so.2()(64bit) for package: cloog-ppl-0.15.7-1.2.el6.x86_64
---> Package cpp.x86_64 0:4.4.7-18.el6 will be installed
--> Processing Dependency: libmpfr.so.1()(64bit) for package: cpp-4.4.7-18.el6.x86_64
--> Running transaction check
---> Package mpfr.x86_64 0:2.4.1-6.el6 will be installed
---> Package ppl.x86_64 0:0.10.2-11.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package           Arch           Version                  Repository      Size
================================================================================
Installing:
 gcc               x86_64         4.4.7-18.el6             RHEL69          10 M
Installing for dependencies:
 cloog-ppl         x86_64         0.15.7-1.2.el6           RHEL69          93 k
 cpp               x86_64         4.4.7-18.el6             RHEL69         3.7 M
 mpfr              x86_64         2.4.1-6.el6              RHEL69         156 k
 ppl               x86_64         0.10.2-11.el6            RHEL69         1.3 M

Transaction Summary
================================================================================
Install       5 Package(s)

Total download size: 15 M
Installed size: 33 M
Downloading Packages:
(1/5): cloog-ppl-0.15.7-1.2.el6.x86_64.rpm               |  93 kB     00:00     
(2/5): cpp-4.4.7-18.el6.x86_64.rpm                       | 3.7 MB     00:00     
(3/5): gcc-4.4.7-18.el6.x86_64.rpm                       |  10 MB     00:00     
(4/5): mpfr-2.4.1-6.el6.x86_64.rpm                       | 156 kB     00:00     
(5/5): ppl-0.10.2-11.el6.x86_64.rpm                      | 1.3 MB     00:00     
--------------------------------------------------------------------------------
Total                                            20 MB/s |  15 MB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : mpfr-2.4.1-6.el6.x86_64                                      1/5 
  Installing : cpp-4.4.7-18.el6.x86_64                                      2/5 
  Installing : ppl-0.10.2-11.el6.x86_64                                     3/5 
  Installing : cloog-ppl-0.15.7-1.2.el6.x86_64                              4/5 
  Installing : gcc-4.4.7-18.el6.x86_64                                      5/5 
  Verifying  : gcc-4.4.7-18.el6.x86_64                                      1/5 
  Verifying  : ppl-0.10.2-11.el6.x86_64                                     2/5 
  Verifying  : cloog-ppl-0.15.7-1.2.el6.x86_64                              3/5 
  Verifying  : mpfr-2.4.1-6.el6.x86_64                                      4/5 
  Verifying  : cpp-4.4.7-18.el6.x86_64                                      5/5 

Installed:
  gcc.x86_64 0:4.4.7-18.el6                                                     

Dependency Installed:
  cloog-ppl.x86_64 0:0.15.7-1.2.el6          cpp.x86_64 0:4.4.7-18.el6          
  mpfr.x86_64 0:2.4.1-6.el6                  ppl.x86_64 0:0.10.2-11.el6         

Complete!
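
Which of the system-auth lines above actually run for a given service is decided by the control fields, not by their order alone: the `[success=3 default=ignore] pam_succeed_if.so service notin ...` line jumps over the three smart-card lines for every service not in that list, the `authinfo_unavail=2` jump on pam_pkcs11 drops to the password modules when no card is present, and `default=die` on the same line ends the stack at once on a wrong PIN. The simulator below, added here as an example and not part of the bug report or of Linux-PAM, walks that stack under the control-flag rules of pam.conf(5) with constructed module outcomes and reports the final status and the lines that ran; the treatment of a jump as a pure skip that leaves the recorded status alone, and the per-module results in each scenario, are assumptions.

```python
"""Trace the system-auth 'auth' stack from the verification steps under the
control-flag rules of pam.conf(5): ok, done, bad, die, ignore and "jump N".

Added example for this page, not Linux-PAM code or the reporter's material.
Module outcomes per scenario are constructed inputs.  Assumption: a jump only
skips lines and leaves the recorded status alone; pam.conf(5) calls it
"equivalent to ok", and the two readings agree for success-only jumps.
"""
import re

# The auth lines exactly as listed in the verification steps.
SYSTEM_AUTH = """
auth        required      pam_env.so
auth        [success=3 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver:sudo quiet use_uid
auth        [success=ok authinfo_unavail=2 ignore=2 default=die] pam_pkcs11.so card_only
auth        optional      pam_krb5.so use_first_pass no_subsequent_prompt preauth_options=X509_user_identity=PKCS11:/usr/lib64/pkcs11/libcoolkeypk11.so
auth        sufficient    pam_permit.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
"""

# pam.conf(5) expansions of the keyword controls.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Parse pam.d lines into (control dict, module, args); keywords are expanded."""
    stack = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line
        _mtype, ctl, module, args = m.groups()
        control = (dict(kv.split("=", 1) for kv in ctl[1:-1].split())
                   if ctl.startswith("[") else KEYWORDS[ctl])
        stack.append((control, module, args.split()))
    return stack


def module_result(module, args, scenario):
    """Outcome of one module call.  pam_succeed_if is evaluated for real on the
    two condition forms this stack uses; everything else is a constructed result."""
    if module == "pam_succeed_if.so":
        if args[:2] == ["service", "notin"]:
            ok = scenario["service"] not in args[2].split(":")
        elif args[:2] == ["uid", ">="]:
            ok = scenario["uid"] >= int(args[2])
        else:
            raise ValueError("unsupported pam_succeed_if condition: " + " ".join(args))
        return "PAM_SUCCESS" if ok else "PAM_AUTH_ERR"
    if module == "pam_krb5.so":  # two pam_krb5 lines; the PKINIT one carries preauth_options
        pkinit = any(a.startswith("preauth_options=") for a in args)
        module = "pam_krb5(pkinit)" if pkinit else "pam_krb5(password)"
    if module in ("pam_env.so", "pam_permit.so"):
        return "PAM_SUCCESS"
    if module == "pam_deny.so":
        return "PAM_AUTH_ERR"
    return scenario["results"].get(module, "PAM_AUTH_ERR")


def run_auth_stack(stack, scenario):
    """Walk the stack like libpam's dispatcher; return (final status, modules run)."""
    impression, status = None, "PAM_PERM_DENIED"  # undecided; libpam's PAM_MUST_FAIL_CODE
    executed, skip = [], 0
    for control, module, args in stack:
        if skip:                       # inside a "jump N"
            skip -= 1
            continue
        retval = module_result(module, args, scenario)
        executed.append(module)
        key = retval[len("PAM_"):].lower()      # PAM_AUTHINFO_UNAVAIL -> authinfo_unavail
        action = control.get(key, control["default"])
        if action in ("ok", "done"):
            # the first positive verdict sticks; a later success never hides an
            # earlier positive non-success such as new_authtok_reqd
            if impression is None or (impression and status == "PAM_SUCCESS"):
                impression, status = True, retval
            if action == "done" and impression:
                break                  # sufficient: stop, unless an earlier line failed
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval   # first failure is the verdict
            if action == "die":
                break
        elif action.isdigit():
            skip = int(action)         # jump: skip N lines (status untouched; assumption)
        elif action != "ignore":
            raise ValueError("unsupported action: " + action)
    if status == "PAM_SUCCESS" and not impression:
        status = "PAM_PERM_DENIED"     # libpam's sanity check: success needs a positive verdict
    return status, executed


def trace(service, results, uid=501):
    """Run the stack for a service; `results` maps module name -> constructed return code."""
    scenario = {"service": service, "uid": uid, "results": results}
    return run_auth_stack(parse_stack(SYSTEM_AUTH), scenario)
```

`trace("sudo", {"pam_pkcs11.so": "PAM_SUCCESS", "pam_krb5(pkinit)": "PAM_SUCCESS"})` ends at pam_permit with PAM_SUCCESS, which is the path the `sudo yum` run above took; `trace("sshd", {...})` never reaches pam_pkcs11 at all because sshd is not in the pam_succeed_if list, and `trace("sudo", {"pam_pkcs11.so": "PAM_AUTH_ERR"})` stops at the third line with PAM_AUTH_ERR because of `default=die`.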

Comment 13 errata-xmlrpc 2017-03-21 11:44:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0776.html

