We're using a third-party shared library for communication with our smartcards, using
RHEL 8.3. SSSD uses p11 to communicate with the cards; this works fine.
But when I update the third-party lib file to a new version, I can no longer unlock my
Gnome session with the smart card. Debug logs show the following in p11_child.log:
(2021-02-22 7:55:07): [p11_child[3059726]] [main] (0x0010): --module_name, --token_name and --key_id must be given for authentication
(2021-02-22 7:55:07): [p11_child[3059726]] [main] (0x0020): p11_child failed!
And in sssd_pam.log:
(2021-02-22 7:55:07): [pam] [parse_p11_child_response] (0x1000): No certificate found.
(2021-02-22 7:55:07): [pam] [pam_forwarder_cert_cb] (0x0020): No certificate returned, authentication failed.
I can use the smartcard for other actions, like sudo and logging in to a new session, but
not to unlock the existing session. It's like some session-specific data no longer is
available or no longer matches when the lib file has changed on disk.
This makes it really hard to update the lib file on our users' computers, seeing as doing
so will effectively lock them out of their sessions. Does anyone recognize this behaviour
and is there anything I can do to avoid it?
Regards
Adam Winberg