This bug was fixed in the package lightdm - 1.10.1-0ubuntu1
---------------
lightdm (1.10.1-0ubuntu1) trusty; urgency=medium

  * New upstream release:
    - When switching to an existing session refresh PAM credentials and end
      session cleanly so no resources leak. (LP: #1296276)
    - Update apparmor rules to allow oxide based browsers and Google Chrome to
      run in the guest session.
  * debian/patches/06_apparmor_chromium_updates.patch:
    - Applied upstream

 -- Robert Ancell <[email protected]>  Mon, 28 Apr 2014 09:56:14 +1200

** Changed in: lightdm (Ubuntu Trusty)
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1296276

Title:
  Unlocking with greeter fails to properly renew kerberos tickets with pam-krb5

Status in Light Display Manager:
  Fix Released
Status in Light Display Manager 1.10 series:
  Fix Released
Status in “lightdm” package in Ubuntu:
  Fix Released
Status in “lightdm” source package in Trusty:
  Fix Released

Bug description:

[Impact]
Aborted PAM authentications may leave artifacts behind. This is due to
LightDM not correctly calling pam_end on these.
Authenticating via a LightDM greeter does not refresh PAM credentials.

[Test Case]
1. Lock screen using LightDM greeter
2. Enter password to return to session

Expected result:
Screen is unlocked, credentials are refreshed.

Observed result:
Screen is unlocked, artifacts are left behind from PAM authentication,
credentials not refreshed.

[Regression Potential]
Since this change affects the PAM handling other PAM modules might
potentially have a change in behaviour. This seems low risk as both changes are
correct behaviour over the previously incorrect behaviour.

I am using the pam-krb5 module to log into a Kerberos realm using
lightdm. This works the initial time I log in, when I come in through
lightdm. However, once I am logged in, and I lock the screen using
light-locker, when I unlock the screen I no longer get renewed
tickets.

The problem seems to be this:

  -rw------- 1 me   me   504 Mar 23 08:37 krb5cc_1000_sjkfhagfg
  -rw------- 1 root root 504 Mar 23 08:38 krb5cc_pam_lsdkjhfsdk

So what is happening is that on the initial login, I get a valid
ticket cache, owned by my logging-in user, and showing my UID in the
file name. This ticket works fine. However, once I lock the screen
and then unlock it, I get a ticket cache owned by root, with "_pam_"
in the filename, and of course I can't use it because I am not logged
in as root.

This problem did not occur in 12.04 LTS, probably because it did not
use light-locker. The pam-krb5 module works in all other cases in my
installations, so I do not believe this is any kind of problem with
the pam_krb5 module.

Thanks,
Brian

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: light-locker 1.2.1-0ubuntu1
ProcVersionSignature: Ubuntu 3.13.0-18.38-generic 3.13.6
Uname: Linux 3.13.0-18-generic x86_64
ApportVersion: 2.13.3-0ubuntu1
Architecture: amd64
Date: Sun Mar 23 08:40:38 2014
InstallationDate: Installed on 2014-03-22 (0 days ago)
InstallationMedia: Ubuntu-Server 14.04 LTS "Trusty Tahr" - Alpha amd64 (20140320)
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: light-locker
UpgradeStatus: No upgrade log present (probably fresh install)
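
The symptom shown in the listing above (a root-owned "_pam_" ticket cache left beside the user's session cache) can be checked for on a host. The following Python script is an added example, not part of the bug report or of LightDM; it assumes the caches live in /tmp (the MIT Kerberos default) and uses an arbitrary 60-second grace period so an authentication still in progress is not flagged.

```python
import os
import re
import time

# Name patterns taken from the listing in the report: the session cache
# embeds the numeric UID, the cache written during authentication has "_pam_".
SESSION_CACHE = re.compile(r"^krb5cc_(\d+)(?:_|$)")
PAM_CACHE = re.compile(r"^krb5cc_pam_")


def classify(name, owner_uid, age_seconds, min_age=60):
    """Return a finding for one cache file, or None when nothing looks wrong."""
    if PAM_CACHE.match(name):
        # A "_pam_" cache is expected only while an authentication is in
        # progress; the report attributes older ones to a missing pam_end.
        return "leftover-pam-cache" if age_seconds >= min_age else None
    m = SESSION_CACHE.match(name)
    if m and int(m.group(1)) != owner_uid:
        # UID in the file name and the file's owner should be the same user.
        return "owner-mismatch"
    return None


def scan(directory="/tmp", min_age=60, now=None):
    """List (name, owner_uid, finding) for suspicious caches in directory."""
    now = time.time() if now is None else now
    findings = []
    for entry in os.scandir(directory):
        if not entry.name.startswith("krb5cc_"):
            continue
        st = entry.stat(follow_symlinks=False)
        finding = classify(entry.name, st.st_uid, now - st.st_mtime, min_age)
        if finding:
            findings.append((entry.name, st.st_uid, finding))
    return sorted(findings)


if __name__ == "__main__":
    # /tmp is an assumed location; pass another directory to scan() if the
    # site configures a different cache path.
    for name, uid, finding in scan():
        print(f"{finding}: {name} (owner uid {uid})")
```

Run after a lock and unlock cycle: on a fixed LightDM no "leftover-pam-cache" entries should appear.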