I just noticed what appears to be another problem:

-rw------- 1 myuser mygroup 504 May 12 21:21 krb5cc_0
-rw------- 1 myuser mygroup 504 May 12 21:16 krb5cc_1000_a8bk3j

While lightdm is renewing the tickets now when unlocking the screen saver, and the ownership of the ticket is correct, the filename still appears to be incorrect. Specifically, the filename appears to be constructed using the user number of the lightdm process, rather than the user number of the user authenticating to the screen saver. The result is that the ticket is created and stored on disk, accessible to the user but not used unless the user explicitly uses the ticket because the filename does not conform to what is expected. In this instance, for example, both of these tickets were created by my normal user instance. The one ending in "0" is the ticket created when I unlocked the light-locker screen saver.

Thanks to all involved for all of the excellent work so far, but it does look like there is still a little more to do here.

Thanks,
Brian

--
https://bugs.launchpad.net/bugs/1296276

Title: Unlocking with greeter fails to properly renew kerberos tickets with pam-krb5

Status in Light Display Manager: Fix Released
Status in Light Display Manager 1.10 series: Fix Released
Status in “lightdm” package in Ubuntu: Fix Released
Status in “lightdm” source package in Trusty: Fix Released

Bug description:

[Impact]
Aborted PAM authentications may leave artifacts behind. This is due to LightDM not correctly calling pam_end on these.
Authenticating via a LightDM greeter does not refresh PAM credentials.

[Test Case]
1. Lock screen using LightDM greeter
2. Enter password to return to session
Expected result: Screen is unlocked, credentials are refreshed.
Observed result: Screen is unlocked, artifacts are left behind from PAM authentication, credentials not refreshed.

[Regression Potential]
Since this change affects the PAM handling other PAM modules might potentially have a change in behaviour.
This seems low risk as both changes are correct behaviour over the previously incorrect behaviour.

I am using the pam-krb5 module to log into a Kerberos realm using lightdm. This works the initial time I log in, when I come in through lightdm. However, once I am logged in, and I lock the screen using light-locker, when I unlock the screen I no longer get renewed tickets. The problem seems to be this:

-rw------- 1 me me 504 Mar 23 08:37 krb5cc_1000_sjkfhagfg
-rw------- 1 root root 504 Mar 23 08:38 krb5cc_pam_lsdkjhfsdk

So what is happening is that on the initial login, I get a valid ticket cache, owned by my logging-in user, and showing my UID in the file name. This ticket works fine. However, once I lock the screen and then unlock it, I get a ticket cache owned by root, with "_pam_" in the filename, and of course I can't use it because I am not logged in as root.

This problem did not occur in 12.04 LTS, probably because it did not use light-locker. The pam-krb5 module works in all other cases in my installations, so I do not believe this is any kind of problem with the pam_krb5 module.

Thanks,
Brian

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: light-locker 1.2.1-0ubuntu1
ProcVersionSignature: Ubuntu 3.13.0-18.38-generic 3.13.6
Uname: Linux 3.13.0-18-generic x86_64
ApportVersion: 2.13.3-0ubuntu1
Architecture: amd64
Date: Sun Mar 23 08:40:38 2014
InstallationDate: Installed on 2014-03-22 (0 days ago)
InstallationMedia: Ubuntu-Server 14.04 LTS "Trusty Tahr" - Alpha amd64 (20140320)
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: light-locker
UpgradeStatus: No upgrade log present (probably fresh install)
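
A check for the two symptoms reported in this thread, added here as an example and not part of the original report or of LightDM or pam-krb5: it flags credential caches whose filename UID differs from the file owner (the krb5cc_0 case) and leftover krb5cc_pam_* caches. It assumes the caches live in /tmp and follow the name patterns visible in the listings above; the function names are illustrative.

```python
import os
import re
import sys

# Name patterns taken from the listings in the report (assumed, not a spec):
#   krb5cc_<uid>[_<random>]  user credential cache
#   krb5cc_pam_<random>      cache left behind by a PAM authentication
USER_CACHE = re.compile(r"^krb5cc_(\d+)(?:_[A-Za-z0-9]+)?$")
PAM_CACHE = re.compile(r"^krb5cc_pam_[A-Za-z0-9]+$")


def classify(name, owner_uid):
    """Return 'ok', 'uid-mismatch', 'pam-leftover' or 'unknown' for one cache file."""
    if PAM_CACHE.match(name):
        return "pam-leftover"
    match = USER_CACHE.match(name)
    if not match:
        return "unknown"
    # The UID embedded in the name should be the UID that owns the file.
    return "ok" if int(match.group(1)) == owner_uid else "uid-mismatch"


def scan(directory="/tmp"):
    """Classify every krb5cc_* regular file; returns (name, uid, mode, verdict) tuples."""
    findings = []
    with os.scandir(directory) as it:
        entries = sorted(it, key=lambda e: e.name)
    for entry in entries:
        if not entry.name.startswith("krb5cc_"):
            continue
        # Skip symlinks and directories: only real cache files are of interest.
        if not entry.is_file(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        verdict = classify(entry.name, st.st_uid)
        findings.append((entry.name, st.st_uid, st.st_mode & 0o777, verdict))
    return findings


if __name__ == "__main__":
    directory = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    for name, uid, mode, verdict in scan(directory):
        if verdict != "ok":
            path = os.path.join(directory, name)
            print(f"{verdict}: {path} owner_uid={uid} mode={mode:o}")
```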