What's weird to me is that `modutil -list` shows slot 0 as empty and slot 1 as not empty, and then `p11_child --pre` doesn't try to use slot 1.

Hello everyone. I'm trying to configure smart card login of active directory users on an ubuntu machine. I'm following this guide: https://scriptech.io/linux-enable-smartcard-authentication-against-active... But for me the opensc library cannot talk with my card and I'm using a library that my card provider gave my. My issue right now is that `p11_child --pre --nssdb=/etc/pki/nssdb` fails to pull the certificate from my smart card. I'm able to log in with AD users and their smart cards using `kinit` and `ksu`, so I know the cards are okay. What's weird to me is that `modutil -list` shows slot 0 as empty and slot 1 as not empty, and then `p11_child --pre` doesn't try to use slot 1. Maybe p11_child thinks that if slot 0 is empty then slot 1 must be empty too? Please help! Here are the relevant logs: ``` # modutil -dbdir nssdb -list Listing of PKCS #11 Modules ---------------------------------------------------- 1. NSS Internal #11 Module uri: pkcs11: library-manufacturer=Mozilla%20Foundation; library-description=NSS%20Internal%20Crypto%20Services;library slots: 2 slots attached status: loaded slot: NSS Internal Cryptographic Services token: NSS Generic Crypto Services uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 slot: NSS User Private Key and Certificate Services token: NSS Certificate DB uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation; serial=0000000000000000;model=NSS%203 2. MyTest library name: mylib.so uri: pkcs11:library-manufacturer=Boring%20Ent.;library-description=Cryptokit%20Extended%20Version;libversion=5.3 slots: 2 slots attached status: loaded slot: [EMPTY] token: uri: pkcs11: slot: Athena ASE IIIe (SBR069-00000) 00 00 token: 918 uri: pkcs11:token=918;manufacturer=Boring%20Ent.;serial=0349B7D30E11024G;model=PKISmartCard%20(A) ``` ``` # p11_child --pre --nssdb=nssdb -d=9 [main] (0x0400): p11_child started. [main] (0x2000): Running in [pre-auth] mode. [main] (0x2000): Running with effective IDs: [0][0]. [do_card] (0x4000): Default Module List: [do_card] (0x4000): common name: INSS Internal PKCS #11 [do_card] (0x4000): dll name: [(null)). [do_card] (0x4000): common name: [MyTest] [do_card] (0x4000): dll name: [Libsadaptor.so]. [do_card] (0x4000): Dead Module List: [do_card] (0x4000): DB Module List: [do_card] (ex4000): common name: [NSS Internal Module]. [do_card] (0x4000): dll name: [(null)]. [do_card] (0x4000): Description [NSS Internal Cryptographic Services Mozilla Foundation] Manufacturer [Mozilla Foundation] flags [9] removable [false] token present [true]. [do_card] (0x4000): Description [NSS User Private Key and Certificate Services Mozilla Foundation] Manufacturer [Mozilla Foundation] flags [1] removable [false] token present [true]. [do_card] (0x4000): Description [[EMPTY] Boring Ent.] Manufacturer [Boring Ent.] flags [2] removable [true] token present [false]. [do_card] (0x4000): Token not present. [main] (0x0040): do-work failed. [main] (Ox0020): p11_child failed! ``` _______________________________________________ sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure