* Robert Ancell [2014-07-08 04:27:34 -0000]:
> It's not clear if the problem is the way we are using PAM in LightDM
> (i.e. insufficient/wrong information for pam-krb5 to do the right thing)
> or an assumption by pam-krb5 that is not occurring.

pam_krb5 needs to be told the name of the credentials cache for the session being unlocked; it can't very well guess it by itself. I believe it looks for the environment variable KRB5CCNAME.

This may need to be made a part of the session state as seen by LightDM. pam_krb5 will set this variable (to an unpredictable value) on initial login, so perhaps LightDM should stash its value somewhere at that time; or else it can be retrieved (but is that portable enough?) from /proc/<pid>/environ for the session's main process. Either way, it needs to be made visible to pam_krb5 at setcred time on unlock.

libpam-krb5/cache.c:pamk5_get_krb5ccname() tries pam_getenv() first, then regular getenv().

--
https://bugs.launchpad.net/bugs/1336663

Title:
  lightdm uses wrong ccache name on pam_krb5 credentials refresh

Status in Light Display Manager: Triaged
Status in “libpam-krb5” package in Ubuntu: New
Status in “lightdm” package in Ubuntu: Triaged

Bug description:
  As already noted by Brian Knoll in
  https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1296276/comments/24
  lightdm 1.10.1-0ubuntu1 uses an inappropriate credentials cache,
  /tmp/krb5cc_0, when refreshing Kerberos credentials on screen unlock.

  I couldn't find the new bug Robert Ancell called for in
  https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1296276/comments/27
  so I'm opening one now.
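
The /proc/<pid>/environ option mentioned in the message above, sketched as an added example that is not part of the original message and is not LightDM or pam-krb5 code. The helper names `environ_block_get` and `session_ccname` and the buffer size are assumptions made for illustration.

```c
/* Added example (not LightDM or pam-krb5 code): recover KRB5CCNAME from a
 * session process's /proc/<pid>/environ. Helper names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Look up `name` in a NUL-separated "NAME=value" block, the format of
 * /proc/<pid>/environ. Returns a pointer to the value inside buf, or NULL. */
const char *environ_block_get(const char *buf, size_t len, const char *name)
{
    size_t nlen = strlen(name), pos = 0;
    while (pos < len) {
        const char *entry = buf + pos;
        const char *end = memchr(entry, '\0', len - pos);
        if (end == NULL)
            return NULL;            /* truncated final entry: do not trust it */
        size_t elen = (size_t)(end - entry);
        /* Require '=' right after the name so KRB5CCNAME_OLD does not match. */
        if (elen > nlen && entry[nlen] == '=' && memcmp(entry, name, nlen) == 0)
            return entry + nlen + 1;
        pos += elen + 1;
    }
    return NULL;
}

/* Copy the session's KRB5CCNAME into out. Returns 0 on success, -1 if the
 * file is unreadable, the variable is absent or empty, or out is too small.
 * Not reentrant: uses a static read buffer. */
int session_ccname(pid_t pid, char *out, size_t outlen)
{
    static char buf[1 << 17];       /* assumed upper bound for the block */
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/environ", (long)pid);
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    const char *val = environ_block_get(buf, n, "KRB5CCNAME");
    if (val == NULL || *val == '\0' || strlen(val) >= outlen)
        return -1;
    memcpy(out, val, strlen(val) + 1);
    return 0;
}
```

/proc/<pid>/environ holds the environment the process was started with, so this only finds a value that was already set when the session's main process was executed.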