On Wed, Dec 11, 2019 at 12:53:46PM +0100, Winfried de Heiden via FreeIPA-users wrote:
Running FreeIPA 4.7.1, on CentOS 8, I configured IPA-server to use
smartcard login following
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
I configured a CentOS 8 machine to use smartcard-login. After
configuring the IPA-client, running the scripts produced by ipa-advise
will show an error:
./config-client-for-smart-card-auth.sh /etc/ipa/ca.crt
~
ERROR: Failed to add module "OpenSC". Probable cause : "Unknown PKCS #11 error.".
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
Logging in with a Yubikey 5 works fine. The error is caused by this line:
echo "" | modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile /usr/lib64/opensc-pkcs11.so
Now, what's going on here and can this error really be ignored?
Is it worth creating a Bugzilla?
Same error also occurs on a fresh RHEL 8.1 machine.
Hi,
I think this message can be ignored, the full message is:
# echo "" | modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile /usr/lib64/opensc-pkcs11.so
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
WARNING: Manually adding a module while p11-kit is enabled could cause
duplicate module registration in your security database. It is suggested
to configure the module through p11-kit configuration file instead.
Type 'q <enter>' to abort, or <enter> to continue:
ERROR: Failed to add module "OpenSC". Probable cause : "Unknown PKCS #11 error.".
So it basically says that the PKCS#11 module should be configured via p11-kit
and OpenSC by default is.
/etc/pki/nssdb isn't that important for Smartcard authentication on RHEL8
anymore, it is mainly used by gdm to detect if a Smartcard was inserted or
removed.
HTH
bye,
Sumit
Winfried
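
A read-only check of the point made in the reply, as an added example that is not part of the original thread: it scans p11-kit module configuration directories for a `*.module` file whose `module:` key names the OpenSC library. The default directories are assumptions based on the usual p11-kit layout, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: is a PKCS#11 library already registered through p11-kit?
# p11-kit reads "key: value" files named *.module; the "module:" key holds
# the library file name or path.

# Assumed default search directories (system config, then package config).
P11_DIRS_DEFAULT="/etc/pkcs11/modules /usr/share/p11-kit/modules"

# p11kit_module_files LIB [DIR...]
# Prints every *.module file whose "module:" value has the same base name as LIB.
p11kit_module_files() {
    lib=$1; shift
    # Fall back to the assumed defaults when no directories are given.
    [ $# -gt 0 ] || set -- $P11_DIRS_DEFAULT
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.module; do
            [ -f "$f" ] || continue
            # First uncommented "module:" line, trailing whitespace stripped.
            val=$(sed -n 's/^[[:space:]]*module[[:space:]]*:[[:space:]]*//p' "$f" \
                  | sed 's/[[:space:]]*$//' | head -n 1)
            [ -n "$val" ] || continue
            # Compare base names so "opensc-pkcs11.so" matches a full path.
            [ "${val##*/}" = "${lib##*/}" ] && printf '%s\n' "$f"
        done
    done
    return 0
}

# registered_via_p11kit LIB [DIR...]
# Exit status 0 when at least one p11-kit config file references LIB.
registered_via_p11kit() {
    [ -n "$(p11kit_module_files "$@")" ]
}

# Stand-alone run against the library path from the thread.
if registered_via_p11kit /usr/lib64/opensc-pkcs11.so; then
    echo "opensc-pkcs11.so is configured through p11-kit:"
    p11kit_module_files /usr/lib64/opensc-pkcs11.so
else
    echo "no p11-kit module file references opensc-pkcs11.so"
fi
```

On a live system, `p11-kit list-modules` shows the modules p11-kit actually loads, and `modutil -dbdir /etc/pki/nssdb -list` shows what the NSS database itself has registered.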