This bug was fixed in the package lightdm - 1.10.1-0ubuntu1 --------------- lightdm (1.10.1-0ubuntu1) trusty; urgency=medium
* New upstream release: - When switching to an existing session refresh PAM credentials and end session cleanly so no resources leak. (LP: #1296276) - Update apparmor rules to allow oxide based browsers and Google Chrome to run in the guest session. * debian/patches/06_apparmor_chromium_updates.patch: - Applied upstream -- Robert Ancell <robert.anc...@canonical.com> Mon, 28 Apr 2014 09:56:14 +1200 ** Changed in: lightdm (Ubuntu Trusty) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1296276 Title: Unlocking with greeter fails to properly renew kerberos tickets with pam-krb5 Status in Light Display Manager: Fix Released Status in Light Display Manager 1.10 series: Fix Released Status in “lightdm” package in Ubuntu: Fix Released Status in “lightdm” source package in Trusty: Fix Released Bug description: [Impact] Aborted PAM authentications may leave artifacts behind. This is due to LightDM not correctly calling pam_end on these. Authenticating via a LightDM greeter does not refresh PAM credentials. [Test Case] 1. Lock screen using LightDM greeter 2. Enter password to return to session Expected result: Screen is unlocked, credentials are refreshed. Observed result: Screen is unlocked, artifacts are left behind from PAM authentication, credentials not refreshed. [Regression Potential] Since this change affects the PAM handling other PAM modules might potentially have a change in behaviour. This seems low risk as both changes are correct behaviour over the previously incorrect behaviour. I am using the pam-krb5 module to log into a Kerberos realm using lightdm. This works the initial time I log in, when I come in through lightdm. However, once I am logged in, and I lock the screen using light-locker, when I unlock the screen I no longer get renewed tickets. The problem seems to be this: -rw------- 1 me me 504 Mar 23 08:37 krb5cc_1000_sjkfhagfg -rw------- 1 root root 504 Mar 23 08:38 krb5cc_pam_lsdkjhfsdk So what is happening is that on the initial login, I get a valid ticket cache, owned by my logging-in user, and showing my UID in the file name. This ticket works fine. However, once I lock the screen and then unlock it, I get a ticket cache owned by root, with "_pam_" in the filename, and of course I can't use it because I am not logged in as root. This problem did not occur in 12.04 LTS, probably because it did not use light-locker. The pam-krb5 module works in all other cases in my installations, so I do not believe this is any kind of problem with the pam_krb5 module. Thanks, Brian ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: light-locker 1.2.1-0ubuntu1 ProcVersionSignature: Ubuntu 3.13.0-18.38-generic 3.13.6 Uname: Linux 3.13.0-18-generic x86_64 ApportVersion: 2.13.3-0ubuntu1 Architecture: amd64 Date: Sun Mar 23 08:40:38 2014 InstallationDate: Installed on 2014-03-22 (0 days ago) InstallationMedia: Ubuntu-Server 14.04 LTS "Trusty Tahr" - Alpha amd64 (20140320) ProcEnviron: TERM=xterm PATH=(custom, no user) XDG_RUNTIME_DIR=<set> LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: light-locker UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/lightdm/+bug/1296276/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp