This problem affects us, and is quite severe: Kerberized NFS cannot work
reliably and securely with lxdm unless it is fixed. Because the
Kerberos cache is discarded, users cannot reliably get access to
Kerberos-protected home directories. The retain_after_close workaround
almost entirely bypasses Kerberos/NFS security: once someone has logged
in once, Kerberos permissions associated with their userid remain for a
long time (until their TGT expires) even after logout.
Fortunately I think I've also found a fix:
diff -cr ../lxdm-0.5.3-orig/src/pam.c ./src/pam.c
*** ../lxdm-0.5.3-orig/src/pam.c 2015-07-31 08:21:09.000000000 -0400
--- ./src/pam.c 2017-09-08 18:29:46.000000000 -0400
***************
*** 397,403 ****
--- 397,405 ----
int lxdm_auth_clean_for_child(LXDM_AUTH *a)
{
+ #if NOTDEF /*** teach.cs ***/
pam_end(a->handle,0);
+ #endif /*** teach.cs ***/
return 0;
}
lxdm calls lxdm_auth_clean_for_child between fork() (to make a new
process for the session) and exec of Xsession. Calling pam_end here
somehow calls the close_session code in pam_krb5.so, which destroys the
Kerberos ticket cache.
I don't know enough about PAM to be sure whether it's improper to call
pam_end here, or whether pam_krb5 is too eager to destroy the cache.
Pragmatically, though, removing that pam_end call makes lxdm usable.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/937602
Title:
lxdm clears kerberos ticket cache on login
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxdm/+bug/937602/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
