Brian Knoll <[email protected]> writes:

> I just noticed what appears to be another problem:

> -rw------- 1 myuser mygroup  504 May 12 21:21 krb5cc_0
> -rw------- 1 myuser mygroup  504 May 12 21:16 krb5cc_1000_a8bk3j

> While lightdm is renewing the tickets now when unlocking the screen
> saver, and the ownership of the ticket is correct, the filename still
> appears to be incorrect.  Specifically, the filename appears to be
> constructed using the user number of the lightdm process, rather than
> the user number of the user authenticating to the screen saver.

This is the library default ticket cache path for root, which is used if
no KRB5CCNAME environment variable is set while renewing ticket caches in
a root-owned process, and neither ccache nor ccache_dir are set in the PAM
configuration.  (For creating a new session, the second file name is used,
but when refreshing, one wants to use the same ticket cache that other
user processes will use, which is the default ticket cache path when
KRB5CCNAME is set.  So pam-krb5 is trying to match the behavior of other
userspace processes, but since it's running as another user, it doesn't
have enough information to know the correct default ticket cache name.)

What I assume should happen is that lightdm should somehow inherit the
KRB5CCNAME environment variable set for the user session.  However, I
don't know enough about the architecture to know how that should be
properly done.

(It's possible that it already does this but there's a setuid program in
the loop, in which case the environment variables are ignored.  That would
require a more complex fix.  Let me know if that's the case.)

-- 
Russ Allbery ([email protected])               <http://www.eyrie.org/~eagle/>
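An added example (not Russ's or pam-krb5's code) that models the two points above: the library default cache name is derived from the calling process's euid when KRB5CCNAME is unset, and an audit over the `ls -l` lines quoted in this thread flags the resulting unusable caches. It assumes an MIT-style default of FILE:/tmp/krb5cc_<euid> and a constructed name-to-uid map standing in for getpwnam().

```python
import re
from typing import Dict, List, Optional

# Constructed uid map standing in for getpwnam(); not taken from the thread.
UID_BY_NAME: Dict[str, int] = {"root": 0, "myuser": 1000, "me": 1000}

# Constructed sample: the two 'ls -l' listings quoted in the thread.
LISTING = """\
-rw------- 1 myuser mygroup  504 May 12 21:21 krb5cc_0
-rw------- 1 myuser mygroup  504 May 12 21:16 krb5cc_1000_a8bk3j
-rw------- 1 me       me     504 Mar 23 08:37 krb5cc_1000_sjkfhagfg
-rw------- 1 root   root    504 Mar 23 08:38 krb5cc_pam_lsdkjhfsdk
"""

def library_default_ccache(euid: int, krb5ccname: Optional[str]) -> str:
    """Mimic the library default: KRB5CCNAME if set, else FILE:/tmp/krb5cc_<euid>.
    Assumed MIT-style default; note the euid is the *calling process's* (root for
    lightdm), not the uid of the user authenticating to the screen saver."""
    return krb5ccname or f"FILE:/tmp/krb5cc_{euid}"

CACHE_RE = re.compile(r"^krb5cc_(?P<tag>[^_]+)(?:_(?P<suffix>\w+))?$")
LS_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<owner>\S+)\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>\S+)$")

def audit_ccaches(listing: str, session_uid: int) -> List[str]:
    """Return one finding per cache file the session user cannot use as intended:
    a numeric-uid name whose uid differs from the owner, or a temporary _pam_
    cache not owned by the session user."""
    findings: List[str] = []
    for line in listing.splitlines():
        m = LS_RE.match(line)
        if not m:
            continue
        owner, name = m.group("owner"), m.group("name")
        owner_uid = UID_BY_NAME.get(owner)
        c = CACHE_RE.match(name)
        if c is None or owner_uid is None:
            continue
        tag = c.group("tag")
        if tag == "pam" and owner_uid != session_uid:
            findings.append(f"{name}: temporary PAM cache owned by uid {owner_uid}, "
                            f"not session uid {session_uid} (unusable by the user)")
        elif tag.isdigit() and int(tag) != owner_uid:
            findings.append(f"{name}: name encodes uid {tag} but owner is uid "
                            f"{owner_uid} (named from the wrong process's euid)")
    return findings
```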

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1296276

Title:
  Unlocking with greeter fails to properly renew kerberos tickets with
  pam-krb5

Status in Light Display Manager:
  Fix Released
Status in Light Display Manager 1.10 series:
  Fix Released
Status in “lightdm” package in Ubuntu:
  Fix Released
Status in “lightdm” source package in Trusty:
  Fix Released

Bug description:
  [Impact]
  Aborted PAM authentications may leave artifacts behind. This is due to LightDM not correctly calling pam_end on these.
  Authenticating via a LightDM greeter does not refresh PAM credentials.

  [Test Case]
  1. Lock screen using LightDM greeter
  2. Enter password to return to session
  Expected result:
  Screen is unlocked, credentials are refreshed.
  Observed result:
  Screen is unlocked, artifacts are left behind from PAM authentication, credentials not refreshed.

  [Regression Potential]
  Since this change affects the PAM handling other PAM modules might potentially have a change in behaviour. This seems low risk as both changes are correct behaviour over the previously incorrect behaviour.

  I am using the pam-krb5 module to log into a Kerberos realm using
  lightdm.  This works the initial time I log in, when I come in through
  lightdm.  However, once I am logged in, and I lock the screen using
  light-locker, when I unlock the screen I no longer get renewed
  tickets.

  The problem seems to be this:

  -rw------- 1 me       me     504 Mar 23 08:37 krb5cc_1000_sjkfhagfg
  -rw------- 1 root   root    504 Mar 23 08:38 krb5cc_pam_lsdkjhfsdk

  So what is happening is that on the initial login, I get a valid
  ticket cache, owned by my logging-in user, and showing my UID in the
  file name.  This ticket works fine.  However, once I lock the screen
  and then unlock it, I get a ticket cache owned by root, with "_pam_"
  in the filename, and of course I can't use it because I am not logged
  in as root.

  This problem did not occur in 12.04 LTS, probably because it did not
  use light-locker.  The pam-krb5 module works in all other cases in my
  installations, so I do not believe this is any kind of problem with
  the pam_krb5 module.

  Thanks,
  Brian

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: light-locker 1.2.1-0ubuntu1
  ProcVersionSignature: Ubuntu 3.13.0-18.38-generic 3.13.6
  Uname: Linux 3.13.0-18-generic x86_64
  ApportVersion: 2.13.3-0ubuntu1
  Architecture: amd64
  Date: Sun Mar 23 08:40:38 2014
  InstallationDate: Installed on 2014-03-22 (0 days ago)
  InstallationMedia: Ubuntu-Server 14.04 LTS "Trusty Tahr" - Alpha amd64 (20140320)
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: light-locker
  UpgradeStatus: No upgrade log present (probably fresh install)


-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
