* Robert Ancell [2014-07-08 04:27:34 -0000]: > It's not clear if the problem is the way we are using PAM in LightDM > (i.e. insufficient/wrong information for pam-krb5 to do the right thing) > or an assumption by pam-krb5 that is not occurring.
pam_krb5 needs to be told the name of the credentials cache for the session being unlocked; it can't very well guess it by itself. I believe it looks for the environment variable KRB5CCNAME. This may need to be made a part of the session state as seen by LightDM. pam_krb5 will set this variable (to an unpredictable value) on initial login, so perhaps LightDM should stash its value somewhere at that time; or else it can be retrieved (but is that portable enough?) from /proc/<pid>/environ for the session's main process. Either way, it needs to be made visible to pam_krb5 at setcred time on unlock. libpam-krb5/cache.c:pamk5_get_krb5ccname() tries pam_getenv() first, then regular getenv(). -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1336663 Title: lightdm uses wrong ccache name on pam_krb5 credentials refresh To manage notifications about this bug go to: https://bugs.launchpad.net/lightdm/+bug/1336663/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
