Yes, if KRB5CCNAME were set in the environment of the screen saver, it
would fix this problem.

To be clear, this isn't a bug in libpam-krb5, but in the means by which
the screen saver is launched without the user's environment set properly
(which should be created via the pam_setcred and pam_open_session steps
of the PAM call sequence, and the new user environment generated by
PAM).  Without KRB5CCNAME, there's no way for the PAM module to find the
user's ticket cache to renew it on subsequent unlocks; somehow, it does
need that information conveyed to it.

You can work around this by using a predictable ticket cache name that
embeds only the user's UID and setting that as the default ticket cache
(in various ways -- PAM configuration, Kerberos configuration, etc.).
But this isn't a general solution that can be adapted by the package
because it means every user session for the same user uses the same
Kerberos ticket cache, which means that, say, logging on to the system
via ssh and then logging out will delete the ticket cache underneath the
local console login.

** Changed in: libpam-krb5 (Ubuntu)
       Status: Confirmed => Invalid

You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.

  lightdm uses wrong ccache name on pam_krb5 credentials refresh

Status in gdm:
Status in Light Display Manager:
Status in libpam-krb5 package in Ubuntu:
Status in lightdm package in Ubuntu:

Bug description:
  As already noted by Brian Knoll in
  lightdm 1.10.1-0ubuntu1 uses an inappropriate credentials cache, 
/tmp/krb5cc_0, when refreshing Kerberos credentials on screen unlock.

  I couldn't find the new bug Robert Ancell called for in
  so I'm opening one now.

To manage notifications about this bug go to:

Mailing list:
Post to     :
Unsubscribe :
More help   :

Reply via email to