Hi Wouter,

I guess that what you are looking for is in bug #476248. You can copy
the content of /etc/pam.d/slim as written in the latter bug and tell
me if it works. I will in fact include that PAM file within the next
package, though I don't have upload rights, which slows me down in
doing so.

Cheers
Mike

2009/5/12 Wouter Verhelst <wou...@debian.org>:
> Package: slim
> Version: 1.3.0-2
> Severity: normal
>
> Hi,
>
> I have my system set up so that it will authenticate to a Kerberos realm
> using PAM.
>
> This used to work with gdm; however, because gdm sucks, I recently
> switched to slim.
>
> Unfortunately, this does not seem to work 100%.
>
> A bit of background in case you are not familiar with the way the
> Kerberos PAM module works: when authenticating to a Kerberos KDC, you
> get a 'ticket granting ticket', which needs to be stored in a local
> credentials cache so that the user can later on use it to authenticate
> to other services. The default filename of this credentials cache is
> '/tmp/krb5cc_<uid>', e.g., '/tmp/krb5cc_1000' if your uid is 1000.
> However, it is possible to change the name of this ticket cache by
> specifying its name in the environment variable 'KRB5CCNAME'. In order
> to avoid an attack through a race condition, the PAM module will set
> this variable to a filename based on the default, but with '_' appended,
> followed by six random characters; e.g., something like
> '/tmp/krb5cc_1000_iBlsqd'. However, it will _only_ do this if the
> authentication was successful; if the user did not successfully log on
> through the Kerberos PAM module, then the session component of the PAM
> module will not set the environment variable.
>
> The expectation is thus that either there is no ticket cache, in which
> case calling 'klist' with no arguments (which will show the contents of
> the credentials cache) will say there is an empty credentials cache
> called '/tmp/krb5cc_<uid>'; or it will show at least a ticket-granting
> ticket in a credentials cache called '/tmp/krb5cc_<uid>_<random>'. This
> was the case in gdm, and is still the case when logging on through
> /bin/login. However, it is not true with slim; when logging on through
> slim, the environment variable is set, but the credentials cache is
> empty or does not exist.
>
> I'm not 100% sure why this is the case, but it should not happen
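
The state the report describes (KRB5CCNAME set, but the cache empty or missing) can be told apart from the two expected states with a small check. This is an added example, not part of the original mail or of the slim package; the function name classify_ccache and its state words are made up here, and it assumes a file-based cache whose name may carry a FILE: prefix.

```shell
#!/bin/sh
# Added example: classify the Kerberos credentials-cache state of a session.
# Usage: classify_ccache UID [KRB5CCNAME-value]; prints one state word.
classify_ccache() {
    uid=$1
    ccname=${2-}

    # No KRB5CCNAME: the PAM module did not authenticate this session,
    # so klist falls back to the default cache /tmp/krb5cc_<uid>.
    if [ -z "$ccname" ]; then
        echo "unset-default-cache"
        return 0
    fi

    # Assumption: an optional "FILE:" type prefix; other cache types
    # (anything still containing a colon) are not handled here.
    path=${ccname#FILE:}
    case $path in
        *:*) echo "unsupported-cache-type"; return 0 ;;
    esac

    # The report expects krb5cc_<uid>_ followed by six random characters.
    # Only the file name is matched, not the directory.
    case ${path##*/} in
        "krb5cc_${uid}"_??????) ;;
        *) echo "unexpected-name"; return 0 ;;
    esac

    if [ ! -e "$path" ]; then
        echo "set-but-missing"      # state reported when logging in via slim
    elif [ ! -s "$path" ]; then
        echo "set-but-empty"        # state reported when logging in via slim
    else
        echo "set-and-populated"    # confirm the actual tickets with klist
    fi
}

# Stand-alone use: report on the current session.
classify_ccache "$(id -u)" "${KRB5CCNAME-}"
```

A result of set-and-populated only says the file has content; run klist afterwards to confirm that a ticket-granting ticket is in it.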


