Source: freerdp3
Version: 3.27.0+dfsg-1
Severity: normal

In debian/rules, there is an explicit check for whether the package is being
built on Ubuntu, and if so, -DWITH_PKCS11=OFF is passed to the build system:
https://salsa.debian.org/debian-remote-team/freerdp3/-/blob/master/debian/rules?ref_type=heads#L116

The comment above that says this is because Ubuntu doesn't have
pkcs11-helper in main; however, the dependency on libpkcs11-helper1-dev
was removed in b3bb8a993a75f6c17670e27646c934ddfc5f1f99:
https://salsa.debian.org/debian-remote-team/freerdp3/-/commit/b3bb8a993a75f6c17670e27646c934ddfc5f1f99

(and libpkcs11-helper1-dev is also in main).

Building without PKCS11 support breaks smartcard-logon with NLA.

Testing against a Windows Server 2022 VM leads to

  $ wlfreerdp /v:WIN-1F5GLL3AM1S.lab.local /u:Administrator /d:lab.local /smartcard-logon

  [14:23:18:881] [24609:00006021] [ERROR][com.freerdp.smartcardlogon] - [smartcard_getCert]: no suitable smartcard certificates were found
  [14:23:18:881] [24609:00006021] [ERROR][com.freerdp.core.nla] - [nla_adjust_settings_from_smartcard]: unable to get smartcard certificate for logon
  [14:23:18:881] [24609:00006021] [ERROR][com.freerdp.core.transport] - [transport_connect_nla]: NLA begin failed

while if I explicitly pass the kerberos config flag

  $ wlfreerdp /v:WIN-1F5GLL3AM1S.lab.local /u:Administrator /d:lab.local /smartcard-logon /kerberos:pkcs11-module:/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

  [14:23:25:553] [24614:00006026] [WARN][com.winpr.ncrypt] - [winpr_NCryptOpenStorageProviderEx]: rebuild with -DWITH_PKCS11=ON to enable smartcard logon support
  [14:23:25:553] [24614:00006026] [ERROR][com.freerdp.smartcardlogon] - [smartcard_hw_enumerateCerts]: unable to open provider given by pkcs11 module
  [14:23:25:553] [24614:00006026] [ERROR][com.freerdp.core.nla] - [nla_adjust_settings_from_smartcard]: unable to get smartcard certificate for logon
  [14:23:25:553] [24614:00006026] [ERROR][com.freerdp.core.transport] - [transport_connect_nla]: NLA begin failed

Simply removing the -DWITH_PKCS11=OFF from debian/rules and rebuilding
the package allows successful smartcard logon.

Would it be possible to drop the -DWITH_PKCS11=OFF flag from debian/rules?


-- System Information:
Debian Release: forky/sid
  APT prefers resolute-updates
  APT policy: (500, 'resolute-updates'), (500, 'resolute-security'), (500, 'resolute')
Architecture: amd64 (x86_64)

Kernel: Linux 7.0.0-22-generic (SMP w/24 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
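
An added triage example, not part of the original report or of FreeRDP's code: it parses the client log layout shown in the two runs above and tells a PKCS#11-less build apart from the ambiguous "no suitable smartcard certificates" failure. The function names and result strings are hypothetical; the sample records are copied from the report with the mail archive's line wrapping kept.

```python
import re

# Record layout seen in the report: [time] [pid:tid] [LEVEL][tag] - [function]: message
RECORD = re.compile(
    r"\[(?P<time>[\d:]+)\] \[(?P<pid>\d+):(?P<tid>[0-9a-f]+)\] "
    r"\[(?P<level>[A-Z]+)\]\[(?P<tag>[\w.]+)\] - \[(?P<func>\w+)\]: (?P<msg>.*)"
)
STARTS_RECORD = re.compile(r"\[\d{2}:\d{2}:\d{2}:\d+\]")

# Sample input: records from the report above, still wrapped as in the archive.
FIRST_RUN = """\
[14:23:18:881] [24609:00006021] [ERROR][com.freerdp.smartcardlogon] -
[smartcard_getCert]: no suitable smartcard certificates were found
[14:23:18:881] [24609:00006021] [ERROR][com.freerdp.core.transport] -
[transport_connect_nla]: NLA begin failed
"""
SECOND_RUN = """\
[14:23:25:553] [24614:00006026] [WARN][com.winpr.ncrypt] -
[winpr_NCryptOpenStorageProviderEx]: rebuild with -DWITH_PKCS11=ON to enable
smartcard logon support
[14:23:25:553] [24614:00006026] [ERROR][com.freerdp.core.transport] -
[transport_connect_nla]: NLA begin failed
"""

def parse(log_text):
    """Re-join records that mail wrapping split over lines, then parse each."""
    joined = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        if STARTS_RECORD.match(line) or not joined:
            joined.append(line)          # a new record (or leading non-log text)
        else:
            joined[-1] += " " + line     # continuation of the previous record
    return [m.groupdict() for m in map(RECORD.match, joined) if m]

def diagnose(log_text):
    """Classify a failed /smartcard-logon attempt from its client log."""
    recs = parse(log_text)
    if any(r["tag"] == "com.winpr.ncrypt" and "-DWITH_PKCS11=ON" in r["msg"]
           for r in recs):
        return "client built without PKCS#11"
    if any(r["func"] == "smartcard_getCert"
           and "no suitable smartcard certificates" in r["msg"] for r in recs):
        # In the report this error also came from a PKCS#11-less build.
        return "no certificate found; retry with an explicit pkcs11-module"
    return "no smartcard logon failure recognised"
```
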
