I took a closer look at the code.  It looks like whatever is going on here
is more complicated than just the screen locker not using PAM properly,
although there is one error here:

    /* If nothing to run just refresh credentials because we successfully authenticated */
    if (command_argc == 0)
    {
        pam_setcred (pam_handle, PAM_REINITIALIZE_CRED);
        return EXIT_SUCCESS;
    }

This needs to check the return status of pam_setcred and report any
errors, and it needs to call pam_end like all of the other exit paths of
this function.  The lack of a call to pam_end is why the *_pam_* ticket
cache is being leaked.

However, I suspect the actual problem is that this program is being run as
root and isn't told where the user's ticket cache is.  I'm curious if
there's another ticket cache that shows up somewhere (probably
/tmp/krb5cc_0) because the credentials are being written out to the
default ticket cache location for root instead of to the user's session
ticket cache as determined by KRB5CCNAME.  The problem, in turn, would be
that this program isn't inheriting the environment of the user's session.
I'm not at all clear on exactly how it's run, but it appears to be run as
root rather than as the user, which may indicate that it's being started
by some other system service rather than by the user.

One thing to try is to add "debug" to the arguments of pam_krb5.so in
/etc/pam.d/common-auth and then look in syslog after unlocking the
screen.  That should provide much more detail about exactly what the
Kerberos PAM module is trying to do.

-- 
Russ Allbery ([email protected])               <http://www.eyrie.org/~eagle/>
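Added example, not code from lightdm, light-locker or pam-krb5: a small Python triage script for the situation described above. It lists the krb5cc_* files in /tmp, flags caches whose owner does not match the uid in their name, root-owned krb5cc_pam_* leftovers (the cache pam_end would have removed) and a root default cache, and checks that KRB5CCNAME, as seen by the process that called pam_setcred, points at a cache owned by the session user. The sample entries are constructed from the listing in the bug report; `scan_tmp` and `triage` are names chosen here.

```python
import os
import re

# Constructed sample mirroring the bug report's listing: the uid-1000 session
# cache plus the stray root-owned cache that appears after unlocking.
SAMPLE_CACHES = {
    "/tmp/krb5cc_1000_sjkfhagfg": 1000,
    "/tmp/krb5cc_pam_lsdkjhfsdk": 0,
}

USER_CACHE = re.compile(r"^krb5cc_(\d+)(?:_\w+)?$")  # krb5cc_<uid>[_random]
PAM_CACHE = re.compile(r"^krb5cc_pam_\w+$")          # pam_krb5 temporary cache


def scan_tmp(tmpdir="/tmp"):
    """Collect krb5cc_* files as {path: owner uid} (run as root to see them all)."""
    return {e.path: e.stat(follow_symlinks=False).st_uid
            for e in os.scandir(tmpdir)
            if e.name.startswith("krb5cc_") and e.is_file(follow_symlinks=False)}


def triage(caches, session_uid, krb5ccname):
    """Return (path, problem) pairs; caches is {path: owner uid}, krb5ccname is
    KRB5CCNAME as seen by the process that called pam_setcred (None if unset)."""
    findings = []
    for path, owner in sorted(caches.items()):
        name = os.path.basename(path)
        m = USER_CACHE.match(name)
        if m and int(m.group(1)) != owner:
            findings.append((path, "named for uid %s but owned by uid %d" % (m.group(1), owner)))
        elif PAM_CACHE.match(name) and owner == 0:
            findings.append((path, "root-owned pam_krb5 temporary cache: credentials were "
                                   "refreshed as root and pam_end() never removed it"))
        elif name == "krb5cc_0":
            findings.append((path, "root's default cache: KRB5CCNAME was not inherited, "
                                   "so renewed tickets went here, not to the session cache"))
    if not krb5ccname:
        findings.append(("KRB5CCNAME", "unset: pam_setcred will write to root's default cache"))
    else:
        target = krb5ccname.split(":", 1)[-1]        # strip a FILE: prefix if present
        if caches.get(target) != session_uid:
            findings.append((target, "session cache missing or not owned by uid %d" % session_uid))
    return findings


if __name__ == "__main__":
    for path, problem in triage(scan_tmp(), os.getuid(), os.environ.get("KRB5CCNAME")):
        print("%s: %s" % (path, problem))
```

Run it from the unlocking process's context (or with its environment) rather than from a normal shell, since the point is what KRB5CCNAME looks like to the process that refreshed the credentials.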

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1296276

Title:
  Unlocking with greeter fails to properly renew kerberos tickets with
  pam-krb5

Status in Light Display Manager:
  Triaged
Status in “lightdm” package in Ubuntu:
  Triaged

Bug description:
  I am using the pam-krb5 module to log into a Kerberos realm using
  lightdm.  This works the initial time I log in, when I come in through
  lightdm.  However, once I am logged in, and I lock the screen using
  light-locker, when I unlock the screen I no longer get renewed
  tickets.

  The problem seems to be this:

  -rw------- 1 me       me     504 Mar 23 08:37 krb5cc_1000_sjkfhagfg
  -rw------- 1 root   root    504 Mar 23 08:38 krb5cc_pam_lsdkjhfsdk

  So what is happening is that on the initial login, I get a valid
  ticket cache, owned by my logging-in user, and showing my UID in the
  file name.  This ticket works fine.  However, once I lock the screen
  and then unlock it, I get a ticket cache owned by root, with "_pam_"
  in the filename, and of course I can't use it because I am not logged
  in as root.

  This problem did not occur in 12.04 LTS, probably because it did not
  use light-locker.  The pam-krb5 module works in all other cases in my
  installations, so I do not believe this is any kind of problem with
  the pam_krb5 module.

  Thanks,
  Brian

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: light-locker 1.2.1-0ubuntu1
  ProcVersionSignature: Ubuntu 3.13.0-18.38-generic 3.13.6
  Uname: Linux 3.13.0-18-generic x86_64
  ApportVersion: 2.13.3-0ubuntu1
  Architecture: amd64
  Date: Sun Mar 23 08:40:38 2014
  InstallationDate: Installed on 2014-03-22 (0 days ago)
  InstallationMedia: Ubuntu-Server 14.04 LTS "Trusty Tahr" - Alpha amd64 (20140320)
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: light-locker
  UpgradeStatus: No upgrade log present (probably fresh install)
