Why does unlocking a user session locked by the screensaver fail when using a smartcard?
Issue
- After the screensaver locks the screen, or the user session is locked manually, the system prompts for the smartcard PIN to unlock the screen. After the PIN is entered, the system always responds with: "Authentication Failed".
- The PIN is correct, as the CAC does not get locked. To confirm, click "Switch User", which prompts for "Smartcard Authentication". Entering the same PIN there unlocks the screen.
- With debugging enabled for pam_pkcs11 and the respective mapper, the following log is generated when unlocking the screen fails:
Jan 25 08:14:13 gnome-screensaver-dialog: CN mapper started. debug: 1, mapfile: file:///etc/pam_pkcs11/cn_map, icase: 1
Jan 25 08:14:13 gnome-screensaver-dialog: UniqueID mapper started. debug: 1, mapfile: none, icase: 0
Jan 25 08:14:13 gnome-screensaver-dialog: pwent mapper started
Jan 25 08:14:13 gnome-screensaver-dialog: Null mapper match set to 'never'
Jan 25 08:14:13 gnome-screensaver-dialog: trying to map & match CN entry '<cn-name>'
Jan 25 08:14:13 gnome-screensaver-dialog: Using mapping file: 'file:///etc/pam_pkcs11/cn_map' to search '<cn-name>'
Jan 25 08:14:13 gnome-screensaver-dialog: parsing uri:
Jan 25 08:14:13 gnome-screensaver-dialog: protocol = [file]
Jan 25 08:14:13 gnome-screensaver-dialog: user = [(null)]
Jan 25 08:14:13 gnome-screensaver-dialog: password = [(null)]
Jan 25 08:14:13 gnome-screensaver-dialog: host = []
Jan 25 08:14:13 gnome-screensaver-dialog: port = [(null)]
Jan 25 08:14:13 gnome-screensaver-dialog: path = [/etc/pam_pkcs11/cn_map]
Jan 25 08:14:13 gnome-screensaver-dialog: opening...
Jan 25 08:14:13 gnome-screensaver-dialog: get_from_uri() error: get_file() failed: open() failed: Permission denied
Jan 25 08:14:13 gnome-screensaver-dialog: Error processing mapfile file:///etc/pam_pkcs11/cn_map
Jan 25 08:14:13 gnome-screensaver-dialog: get_unique_id() failed
Jan 25 08:14:13 gnome-screensaver-dialog: Trying to match pw_entry for cn '<cn-name>'
Jan 25 08:14:13 gnome-screensaver-dialog: CN '<cn-name>' doesn't match login '<user-name>'
Jan 25 08:14:13 gnome-screensaver-dialog: Provided user doesn't match to any found Common Name
Environment
- Red Hat Enterprise Linux 6
- pam_pkcs11
- gnome-screensaver
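
In the debug log under Issue, the CN mapper fails to open its mapfile with "Permission denied" before the CN comparison fails. The shell helper below is an added example, not part of the original article or of pam_pkcs11: it extracts the affected mapfile paths from such debug output and reports whether the invoking user can read each one. The function names are hypothetical, and the embedded sample is an excerpt of the log above.

```shell
#!/bin/sh
# Added example: triage pam_pkcs11 debug output for mapfiles that could not be opened.

# Excerpt of the debug log shown in the article (placeholders kept as-is).
sample_log() {
    cat <<'EOF'
Jan 25 08:14:13 gnome-screensaver-dialog: Using mapping file: 'file:///etc/pam_pkcs11/cn_map' to search '<cn-name>'
Jan 25 08:14:13 gnome-screensaver-dialog: protocol = [file]
Jan 25 08:14:13 gnome-screensaver-dialog: path = [/etc/pam_pkcs11/cn_map]
Jan 25 08:14:13 gnome-screensaver-dialog: opening...
Jan 25 08:14:13 gnome-screensaver-dialog: get_from_uri() error: get_file() failed: open() failed: Permission denied
Jan 25 08:14:13 gnome-screensaver-dialog: Error processing mapfile file:///etc/pam_pkcs11/cn_map
EOF
}

# Read log lines on stdin; print each distinct mapfile path whose open()
# failed with "Permission denied".
failed_mapfiles() {
    awk '
        # Remember the most recently parsed URI path: "path = [/etc/...]"
        /: path = \[/ {
            p = $0
            sub(/.*: path = \[/, "", p)
            sub(/\].*/, "", p)
            last = p
        }
        # The permission failure refers to the path parsed just before it.
        /get_from_uri\(\) error:.*Permission denied/ {
            if (last != "" && !(last in seen)) { seen[last] = 1; print last }
        }
    '
}

# Report how the invoking user sees a mapfile: missing, readable or unreadable.
mapfile_status() {
    if [ ! -e "$1" ]; then echo missing
    elif [ -r "$1" ]; then echo readable
    else echo unreadable
    fi
}

# Stand-alone run: check every mapfile named in the sample log.
sample_log | failed_mapfiles | while read -r f; do
    echo "$f: $(mapfile_status "$f")"
done
```

Run it as the user whose unlock attempt failed, so that the readability test reflects that account's access rather than root's.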