I use thinlinc to connect to a headless server in the same physical room. I recently got a smartcard and was trying to use it LOCALLY. For a moment I had forgotten I was using Thinlinc. I spent hours and hours trying to figure out why I could read the smartcard ceritificates as root user, but not as my normal user. I was looking at permissions and polkit, etc. I finally realized there was some PCSCTUN_SERVER environment variable set that was interfering. I couldn’t find anything in the p11 or opensc or pcsc documentation about this environment variable. It turns out it must be ThinLinc related.
Is there an option to disable the smart card direction on the server? The admin guide says:
‘Enabling Smart Card Redirection
Smart card redirection is always activated on the server so there is no administration required to enable it.’
Hi @martin - To summarize my original post. I am trying to use a smart card that is connected to the SERVER while I am logged in via the thinlinc client. The thinlinc server installation interferes with using that when logged in by thinlinc client. It has nothing to do with the client side setting.
That’s not a use-case I’ve heard of before, so not sure what’s going on really. But it sounds as a permission problem. Since you’re logged in remotely, your user will probably not have sufficient privileges to access local attached hardware. Polkit will most likely refuse some access. Have you tried enabled debug logging in Polkit and see what it says?
To disable smart card redirection on server-side, it should be sufficient to remove the symlink
I had already made those polkit changes (and also added polkit logging) when I realized something was sitting between the smartcard and my user account. The polkit rules were never even being hit. That is when I realized there was PCSCTUN_SERVER environment variable that was unexpected. I believe thinlinc server is adding that.
I am not sure about using unset LD_LIBRARY_PATH - I am sure I have other libraries that need to be loaded for other purposes. Is there a specific library path I need to be removing related to thinlinc and the smartcard? Maybe just figuring out how the disable the setting of the PCSCTUN_SERVER would be enough.
Sorry, I meant to add to check for any local LD_LiBRARY_PATH first. On my test system there was only path to /opt/thinlinc… added to it. It should be sufficient to remove /opt/thinlinc from LD_LIBRARAY_PATH
Thanks for mentioning the LD_LIBRARY_PATH. Rather than modify that and potentially disable other features (pulse, etc), I ended up doing the following commands:
cd /opt/thinlinc
rm lib64/libpcsclite.so lib64/libpcsclite.so.1 lib64/libpcsctun.so lib/libpcsctun.so lib/libpcsclite.so lib/libpcsclite.so.1
Once I made that change, the polkit entries I had previously made were triggered and I could access the Smartcard.