FWIW, this issue is also present using gdm3 in Ubuntu 16.04.  With
pam_krb5's debug option set, I see the following during initial login
(with successful credential cache construction):

gdm-password]: pam_krb5(gdm-password:auth): pam_sm_authenticate: entry
gdm-password]: pam_krb5(gdm-password:auth): (user cgallek) attempting authentication as cgal...@xxxx.com
gdm-password]: pam_krb5(gdm-password:auth): user cgallek authenticated as cgal...@xxxx.com
gdm-password]: pam_krb5(gdm-password:auth): (user cgallek) temporarily storing credentials in /tmp/krb5cc_pam_LB8CeL
gdm-password]: pam_krb5(gdm-password:auth): pam_sm_authenticate: exit (success)
gdm-password]: pam_krb5(gdm-password:setcred): pam_sm_setcred: entry (establish)
gdm-password]: pam_krb5(gdm-password:setcred): (user cgallek) initializing ticket cache FILE:/tmp/krb5cc_1000_3BiTY0
gdm-password]: pam_krb5(gdm-password:setcred): pam_sm_setcred: exit (success)


When unlocking the screen, I see the following successful credential
refresh, but to the wrong cache filename (/tmp/krb5cc_0):

gdm-password]: pam_krb5(gdm-password:auth): pam_sm_authenticate: entry
gdm-password]: pam_krb5(gdm-password:auth): (user cgallek) attempting authentication as cgal...@angrydoughnuts.com
gdm-password]: pam_krb5(gdm-password:auth): user cgallek authenticated as cgal...@xxxx.com
gdm-password]: pam_krb5(gdm-password:auth): (user cgallek) temporarily storing credentials in /tmp/krb5cc_pam_Dkg5Ip
gdm-password]: pam_krb5(gdm-password:auth): pam_sm_authenticate: exit (success)
gdm-password]: pam_krb5(gdm-password:setcred): pam_sm_setcred: entry (reinit)
gdm-password]: pam_krb5(gdm-password:setcred): (user cgallek) refreshing ticket cache /tmp/krb5cc_0
gdm-password]: pam_krb5(gdm-password:setcred): pam_sm_setcred: exit (success)

The _0 cache that is created has the correct new credential in it, but
is obviously not known by any other process as it does not match the
earlier version of $KRB5CCNAME.  I imagine this is the same issue
described above where the $KRB5CCNAME environment variable is not
available in the gdm context which unlocks the screen.

It's worth noting that in the GDM case, there appears to be a
per-session helper process (gdm-session-worker) used to communicate
with the GDM service.  This process _does not_ have the $KRB5CCNAME
variable set in its environment.  Would storing the value in this
process's environment fix the problem?

~: ps -ef | grep gdm-session-worker
root     11364 11203  0 Jun25 ?        00:00:00 gdm-session-worker [pam/gdm-password]

~: cat /proc/11364/environ
LANG=en_US.UTF-8PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binGDM_SESSION_DBUS_ADDRESS=unix:abstract=/tmp/dbus-oTnmcExV
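The `cat /proc/<pid>/environ` output above runs the entries together because the kernel stores them NUL-separated. The script below is an added example, not part of the bug report or of pam_krb5/gdm: it splits such an environ block correctly and reports whether a process carries the session's KRB5CCNAME, which is the check the comment above is asking about. The function names (`get_env_var`, `check_ccache`, `report_pid`, `make_samples`) and the sample environ files are constructed for the example; the sample contents mirror the login log and the gdm-session-worker environ shown above.

```shell
#!/bin/sh
# Added example: inspect a NUL-separated environ block (the format of
# /proc/<pid>/environ) for the Kerberos ticket-cache variable.

# get_env_var FILE NAME: print NAME's value from a NUL-separated environ
# file; prints nothing when the variable is absent.
get_env_var() {
    tr '\000' '\n' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# check_ccache FILE EXPECTED: return 0 when the file's KRB5CCNAME equals
# EXPECTED, 1 when KRB5CCNAME is missing entirely (the gdm-session-worker
# case above), 2 when it names a different cache.
check_ccache() {
    v=$(get_env_var "$1" KRB5CCNAME)
    [ -n "$v" ] || return 1
    [ "$v" = "$2" ] && return 0
    return 2
}

# report_pid PID: compare a live process's environ with the calling
# shell's own KRB5CCNAME.  Reading another user's environ requires root.
report_pid() {
    f="/proc/$1/environ"
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }
    rc=0
    check_ccache "$f" "${KRB5CCNAME:-}" || rc=$?
    case $rc in
        0) echo "pid $1: KRB5CCNAME matches (${KRB5CCNAME:-})" ;;
        1) echo "pid $1: KRB5CCNAME not set in this process" ;;
        2) echo "pid $1: KRB5CCNAME=$(get_env_var "$f" KRB5CCNAME)," \
                "expected ${KRB5CCNAME:-<unset>}" ;;
    esac
    return "$rc"
}

# make_samples: write constructed environ files into a temp directory and
# print its path.  session.environ carries the cache pam_krb5 initialised
# at login, worker.environ mirrors the gdm-session-worker output (no
# KRB5CCNAME), stale.environ points at a different cache.
make_samples() {
    d=$(mktemp -d)
    printf 'LANG=en_US.UTF-8\000KRB5CCNAME=FILE:/tmp/krb5cc_1000_3BiTY0\000PATH=/usr/bin\000' \
        > "$d/session.environ"
    printf 'LANG=en_US.UTF-8\000PATH=/usr/bin\000GDM_SESSION_DBUS_ADDRESS=unix:abstract=/tmp/dbus-oTnmcExV\000' \
        > "$d/worker.environ"
    printf 'KRB5CCNAME=FILE:/tmp/krb5cc_0\000' > "$d/stale.environ"
    echo "$d"
}

# Usage: sh check-ccache.sh <pid>   (e.g. the gdm-session-worker pid)
if [ -n "${1:-}" ]; then
    report_pid "$1"
fi
```

Run as the logged-in user (or root) with the pid of the helper process; a return code of 1 means the helper has no KRB5CCNAME at all, which is the situation the `cat /proc/11364/environ` output above shows.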


** Also affects: gdm
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1336663

Title:
  lightdm uses wrong ccache name on pam_krb5 credentials refresh

Status in gdm:
  New
Status in Light Display Manager:
  Triaged
Status in libpam-krb5 package in Ubuntu:
  Confirmed
Status in lightdm package in Ubuntu:
  Triaged

Bug description:
  As already noted by Brian Knoll in
  https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1296276/comments/24
  lightdm 1.10.1-0ubuntu1 uses an inappropriate credentials cache,
  /tmp/krb5cc_0, when refreshing Kerberos credentials on screen unlock.

  I couldn't find the new bug Robert Ancell called for in
  https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1296276/comments/27
  so I'm opening one now.

-- 
Mailing list: https://launchpad.net/~desktop-packages