[Bug 1336663] Re: lightdm uses wrong ccache name on pam_krb5 credentials refresh
Russ Allbery
rra at debian.org
Tue Feb 13 02:08:52 UTC 2018

Yes, if KRB5CCNAME were set in the environment of the screen saver, it
would fix this problem.

To be clear, this isn't a bug in libpam-krb5, but in the means by which
the screen saver is launched without the user's environment set properly
(which should be created via the pam_setcred and pam_open_session steps
of the PAM call sequence, and the new user environment generated by
PAM). Without KRB5CCNAME, there's no way for the PAM module to find the
user's ticket cache to renew it on subsequent unlocks; somehow, it does
need that information conveyed to it.

You can work around this by using a predictable ticket cache name that
embeds only the user's UID and setting that as the default ticket cache
(in various ways -- PAM configuration, Kerberos configuration, etc.).
But this isn't a general solution that can be adapted by the package
because it means every user session for the same user uses the same
Kerberos ticket cache, which means that, say, logging on to the system
via ssh and then logging out will delete the ticket cache underneath the
local console login.

** Changed in: libpam-krb5 (Ubuntu)
       Status: Confirmed => Invalid

--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libpam-krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1336663

Title:
  lightdm uses wrong ccache name on pam_krb5 credentials refresh

Status in gdm:
  New
Status in Light Display Manager:
  Triaged
Status in libpam-krb5 package in Ubuntu:
  Invalid
Status in lightdm package in Ubuntu:
  Triaged

Bug description:
  As already noted by Brian Knoll in https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1296276/comments/24
  lightdm 1.10.1-0ubuntu1 uses an inappropriate credentials cache, /tmp/krb5cc_0, when refreshing Kerberos credentials on screen unlock.

  I couldn't find the new bug Robert Ancell called for in
  https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1296276/comments/27
  so I'm opening one now.

To manage notifications about this bug go to:
https://bugs.launchpad.net/gdm/+bug/1336663/+subscriptions
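
A diagnostic for the condition discussed in the message above, added here as an example and not part of the original message or of any of the packages involved: it reads a NUL-separated environment block (such as /proc/<pid>/environ of the screen saver or greeter) and reports whether KRB5CCNAME is missing, points at a per-UID FILE cache that all of the user's sessions would share, or is something else. The function names and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the KRB5CCNAME seen by a process.
# Usage: sh this_script ENVIRON_FILE UID
#   ENVIRON_FILE is a NUL-separated environment block, e.g. /proc/<pid>/environ
#   (reading another user's process environment requires suitable privileges).

# Print the value of KRB5CCNAME from a NUL-separated environ file, or nothing.
krb5ccname_from_environ() {
    tr '\0' '\n' < "$1" | sed -n 's/^KRB5CCNAME=//p' | head -n 1
}

# Classify the cache name found in ENVIRON_FILE for the given numeric UID:
#   unset      - no KRB5CCNAME, so a PAM module is not told where the cache is
#   shared-uid - FILE cache whose name embeds only the UID; every session of
#                that user shares (and can delete) the same cache
#   other      - any other name, e.g. one with a per-session suffix
classify_ccache() {
    environ_file=$1
    uid=$2
    name=$(krb5ccname_from_environ "$environ_file")
    if [ -z "$name" ]; then
        echo "unset"
        return 0
    fi
    path=${name#FILE:}          # strip an optional "FILE:" type prefix
    case "$path" in
        */krb5cc_"$uid") echo "shared-uid" ;;
        *)               echo "other" ;;
    esac
}

# Helper to build constructed sample environ files: $1 = output file,
# remaining arguments = VAR=value entries, each written NUL-terminated.
make_sample() {
    out=$1; shift
    : > "$out"
    for entry in "$@"; do printf '%s\0' "$entry" >> "$out"; done
}

# Run as a script only when both arguments are given.
if [ $# -eq 2 ]; then
    classify_ccache "$1" "$2"
fi
```
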