* Robert Ancell [2014-07-08 04:27:34 -]:
It's not clear if the problem is the way we are using PAM in LightDM
(i.e. insufficient/wrong information for pam-krb5 to do the right thing)
or an assumption by pam-krb5 that is not occurring.
pam_krb5 needs to be told the name of the credentials cache for the session
being unlocked; it can't very well guess it by itself. I believe it looks
for the environment variable KRB5CCNAME. This may need to be made a part of
the session state as seen by LightDM. pam_krb5 will set this variable (to an
unpredictable value) on initial login, so perhaps LightDM should stash its
value somewhere at that time; or else it can be retrieved (but is that
portable enough?) from /proc/pid/environ for the session's main process.
Either way, it needs to be made visible to pam_krb5 at setcred time on unlock.
libpam-krb5/cache.c:pamk5_get_krb5ccname() tries pam_getenv() first, then
regular getenv().
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1336663
Title:
lightdm uses wrong ccache name on pam_krb5 credentials refresh
To manage notifications about this bug go to:
https://bugs.launchpad.net/lightdm/+bug/1336663/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs