Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1959752
Description of problem:

Version-Release number of selected component (if applicable):

This is about ipa-advise script. In our docs [1] we ask customers to run the following sequence of commands to generate an ipa-advise script that they can then execute on their clients:

    # ipa-advise config-client-for-smart-card-auth > client_smart_card_script.sh
    # then copy the script to the client
    # chmod +x client_smart_card_script.sh
    # ./client_smart_card_script.sh CA_cert.pem

The script then uses the following code to check if OpenSC module is already loaded and in case it's not it loads the module:

    systemctl start pcscd.service pcscd.socket && systemctl enable pcscd.service pcscd.socket
    if modutil -dbdir /etc/pki/nssdb -list | grep -q OpenSC
    then
      echo "OpenSC PKCS#11 module already configured"
    else
      echo "" | modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile /usr/lib64/opensc-pkcs11.so
    fi

The problem is that the OpenSC module is managed by p11-kit (since rhel-8.1 iirc) and is not directly loaded by modutil anymore. As a result, when the script is executed, the following error pops up:

    ERROR: Failed to add module "OpenSC". Probable cause : "Unknown PKCS #11 error.".

This is confusing and should be avoided. It's clear that the script is also used on non RHEL machines where p11-kit might not be available, there I would recommend to conditionally run the command based on the environment where the script is executed.

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/system_design_guide/configuring-applications-to-use-cryptographic-hardware-through-pkcs-11_system-design-guide

Expected results:

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Additional info:

Once p11-kit has loaded the OpenSC module, it shows up (together with the token when available) in the 'p11-kit list-modules' output but not in 'modutil -dbdir /etc/pki/nssdb -list' output.
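One way to run the modutil step conditionally, as the report recommends. This is an added example, not code from the ticket or from the FreeIPA fix; the function names `opensc_action` and `configure_opensc` are hypothetical, and the two sample outputs are constructed and abbreviated.

```shell
#!/bin/sh
# Added example: decide how OpenSC should be handled before touching the NSS db.

# Constructed, abbreviated sample of 'p11-kit list-modules' output.
SAMPLE_P11KIT='p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
opensc: opensc-pkcs11.so
    library-description: OpenSC smartcard framework'

# Constructed, abbreviated sample of 'modutil -dbdir /etc/pki/nssdb -list' output.
SAMPLE_NSSDB='Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
  2. p11-kit-proxy'

# opensc_action P11KIT_OUTPUT NSSDB_OUTPUT
# Prints one of:
#   p11-kit  OpenSC is already provided by p11-kit, leave the NSS db alone
#   nssdb    OpenSC is already registered in the NSS db
#   add      neither applies, so 'modutil -add' is needed
opensc_action() {
    if printf '%s\n' "$1" | grep -qi 'opensc'; then
        echo p11-kit
    elif printf '%s\n' "$2" | grep -q 'OpenSC'; then
        echo nssdb
    else
        echo add
    fi
}

# Gather the real outputs and act on the decision. Where p11-kit is not
# installed, its output stays empty and the original modutil logic applies.
configure_opensc() {
    p11=""
    if command -v p11-kit >/dev/null 2>&1; then
        p11=$(p11-kit list-modules 2>/dev/null)
    fi
    nss=$(modutil -dbdir /etc/pki/nssdb -list 2>/dev/null)
    case $(opensc_action "$p11" "$nss") in
        p11-kit) echo "OpenSC PKCS#11 module is provided by p11-kit" ;;
        nssdb)   echo "OpenSC PKCS#11 module already configured" ;;
        add)     echo "" | modutil -dbdir /etc/pki/nssdb -add "OpenSC" \
                     -libfile /usr/lib64/opensc-pkcs11.so ;;
    esac
}
```

Calling `configure_opensc` in place of the original `if modutil ... fi` block avoids the failing `modutil -add` on hosts where p11-kit already exposes OpenSC.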
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1959752
Metadata Update from @rcritten: - Issue assigned to rcritten
https://github.com/freeipa/freeipa/pull/5923
master:
ipa-4-9:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)