Alex Mauer <[email protected]> writes:

> Nope, su'ing to the current user. 'su - $USER', using the environment
> variable. It does the same if I put the literal username, obviously.

> File modes are 0600

Ah, hm. I seem to vaguely remember running into this before, where su calls part of the PAM stack as root and other parts as the target user, which causes issues like incorrect file ownership. I don't recall when I saw this, though, or what the solution was.

That doesn't explain the segfault, although I suspect the LDAP NSS module for that given the log messages that you're seeing and given how sensitive it is to shared library conflicts and similar issues.

Hm. If the NSS lookup of the target user fails, then pam_setcred will fail to chown the ticket cache to the target user, and you'll get that incorrect ownership error. But I actually don't recall seeing a setcred call in your trace. I wonder if su is auth'ing as root, and then changing users to the target user and calling the account hook. But if so, I'm not entirely sure how that could ever work, since the account hook assumes the ticket cache credentials are already correct, and that doesn't match the behavior I'm seeing elsewhere.

For whatever it's worth, this appears to be either specific to the LDAP NSS module or to Ubuntu; su - $USER works fine with pam-krb5 in Debian on a system that doesn't use any special NSS modules.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

-- 
segfault
https://bugs.launchpad.net/bugs/476069
