You might want to take this discussion to the proper mailing lists. I am not the only X maintainer, and if I was dead 5 minutes ago no one was going to dig into my inbox.

Thanks
Fabio

On Wed, 19 May 2004, Chip Coldwell wrote:

> Hi,
>
> I'm having problems using libpam-heimdal (Kerberos v5) with xdm under
> Debian (Sarge). I've tracked down the problem precisely, and I am
> proposing a specific fix; this isn't a cry for help.
>
> The symptom is the following. If the file
>
> /etc/pam.d/xdm
>
> contains the line
>
> auth sufficient pam_krb5.so debug
>
> at the top, the function "pam_setcred" is called twice by xdm, first
> in the function Verify at about line 500 in the file
>
> xc/programs/xdm/greeter/verify.c
>
> then again in the function StartClient at about line 596 in the file
>
> xc/programs/xdm/session.c
>
> What happens is that the function pam_sm_setcred in
> libpam-heimdal-1.0/pam_krb5_auth.c checks to see if a Kerberos
> credentials cache already exists, and if it does the function fails.
> Since it is called twice, the credentials cache is created by the
> first call, then the second call causes pam_sm_setcred to fail, and
> with it the login fails.
>
> It turns out that this behavior (checking for the existence of a
> credentials cache in pam_sm_setcred and failing if it exists) is added
> by a Debian patch, namely the last hunk of "destroy-ticket.patch" that
> comes with libpam-heimdal. If I build libpam-heimdal without this
> hunk, then everything works fine. In addition, after logging in with
> xdm, the credentials cache contains the TGT and host tickets I expect.
>
> So we should either remove this hunk from libpam-heimdal so that it
> doesn't care if the ccache exists already, or xdm should not call
> pam_setcred twice (once for authentication and once for session).
>
> Chip
>
> --
> <user> fajita: step one
> <fajita> Whatever the problem, step one is always to look in the error log.
> <user> fajita: step two
> <fajita> When in danger or in doubt, step two is to scream and shout.
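
The double-call failure described in the quoted report, modelled as an added example that is not part of the thread and is not code from libpam-heimdal or xdm. The function names, the `/tmp/setcred-demo-*` path and the ownership/mode checks in the idempotent variant are assumptions chosen for illustration; the model only creates an empty file where a real module would write a credentials cache.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Model of the patched behaviour: refuse to proceed if the cache exists. */
int setcred_strict(const char *cc) {
    int fd = open(cc, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;              /* a repeat call fails with EEXIST */
    return close(fd);
}

/* Idempotent variant (assumed policy): an existing cache is accepted only
 * if it is a regular file owned by the caller with no group/other bits. */
int setcred_idempotent(const char *cc) {
    struct stat st;
    int fd = open(cc, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0) return close(fd);
    if (errno != EEXIST || lstat(cc, &st) != 0) return -1;
    if (!S_ISREG(st.st_mode) || st.st_uid != geteuid() || (st.st_mode & 077))
        return -1;
    return 0;
}

/* Replays xdm's sequence (Verify, then StartClient) in a private temp
 * directory. If preplant_symlink is set, a symlink occupies the cache path
 * first. Returns the number of failed calls, or -1 on setup error. */
int failed_calls(int (*setcred)(const char *), int preplant_symlink) {
    char dir[] = "/tmp/setcred-demo-XXXXXX", cc[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(cc, sizeof cc, "%s/krb5cc_demo", dir);
    if (preplant_symlink && symlink("/nonexistent", cc) != 0) return -1;
    int first = setcred(cc) != 0;       /* call made from Verify */
    int second = setcred(cc) != 0;      /* call made from StartClient */
    unlink(cc);
    rmdir(dir);
    return first + second;
}

int main(void) {
    printf("strict: %d failed, idempotent: %d failed, symlink: %d failed\n",
           failed_calls(setcred_strict, 0), failed_calls(setcred_idempotent, 0),
           failed_calls(setcred_idempotent, 1));
    return 0;
}
```

The strict model fails on the second call exactly as the report describes, while the idempotent model tolerates the repeat call but still rejects a path it did not create as a private regular file.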