FWIW, this issue is also present using gdm3 in Ubuntu 16.04. With pam_krb5's debug option set, I see the following during initial login (with successful credential cache construction):
    gdm-password]: pam_krb5(gdm-password:auth): pam_sm_authenticate: entry
    gdm-password]: pam_krb5(gdm-password:auth): (user cgallek) attempting authentication as cgal...@xxxx.com
    gdm-password]: pam_krb5(gdm-password:auth): user cgallek authenticated as cgal...@xxxx.com
    gdm-password]: pam_krb5(gdm-password:auth): (user cgallek) temporarily storing credentials in /tmp/krb5cc_pam_LB8CeL
    gdm-password]: pam_krb5(gdm-password:auth): pam_sm_authenticate: exit (success)
    gdm-password]: pam_krb5(gdm-password:setcred): pam_sm_setcred: entry (establish)
    gdm-password]: pam_krb5(gdm-password:setcred): (user cgallek) initializing ticket cache FILE:/tmp/krb5cc_1000_3BiTY0
    gdm-password]: pam_krb5(gdm-password:setcred): pam_sm_setcred: exit (success)

When unlocking the screen, I see the following successful credential refresh, but to the wrong cache filename (/tmp/krb5cc_0):

    gdm-password]: pam_krb5(gdm-password:auth): pam_sm_authenticate: entry
    gdm-password]: pam_krb5(gdm-password:auth): (user cgallek) attempting authentication as cgal...@angrydoughnuts.com
    gdm-password]: pam_krb5(gdm-password:auth): user cgallek authenticated as cgal...@xxxx.com
    gdm-password]: pam_krb5(gdm-password:auth): (user cgallek) temporarily storing credentials in /tmp/krb5cc_pam_Dkg5Ip
    gdm-password]: pam_krb5(gdm-password:auth): pam_sm_authenticate: exit (success)
    gdm-password]: pam_krb5(gdm-password:setcred): pam_sm_setcred: entry (reinit)
    gdm-password]: pam_krb5(gdm-password:setcred): (user cgallek) refreshing ticket cache /tmp/krb5cc_0
    gdm-password]: pam_krb5(gdm-password:setcred): pam_sm_setcred: exit (success)

The _0 cache that is created has the correct new credential in it, but is obviously not known by any other process as it does not match the earlier version of $KRB5CCNAME. I imagine this is the same issue described above where the $KRB5CCNAME environment variable is not available in the gdm context which unlocks the screen.
It's worth noting that in the GDM case, there appears to be a per-session helper process (gdm-session-worker) used to communicate with the GDM service. This process _does not_ have the $KRB5CCNAME variable set in its environment. Would storing the value in this process's environment fix the problem?

    ~: ps -ef | grep gdm-session-worker
    root     11364 11203  0 Jun25 ?        00:00:00 gdm-session-worker [pam/gdm-password]
    ~: cat /proc/11364/environ
    LANG=en_US.UTF-8PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binGDM_SESSION_DBUS_ADDRESS=unix:abstract=/tmp/dbus-oTnmcExV

** Also affects: gdm
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/1336663

Title:
  lightdm uses wrong ccache name on pam_krb5 credentials refresh

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
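An added diagnostic, not part of the bug report or of pam_krb5 itself, that spots the symptom described above in pam_krb5 debug output: a setcred "reinit" refreshing a different ticket cache than the one "establish" initialized for the same user. The sample lines are constructed from the report's output, with a placeholder principal in place of the masked one; the regexes assume the message formats shown in the report.

```python
import re

# Constructed sample, modelled on the pam_krb5 debug lines in the bug
# report above (cache names are the report's; the principal is a placeholder).
SAMPLE_LOG = """\
gdm-password]: pam_krb5(gdm-password:auth): (user cgallek) attempting authentication as cgallek@EXAMPLE.COM
gdm-password]: pam_krb5(gdm-password:setcred): pam_sm_setcred: entry (establish)
gdm-password]: pam_krb5(gdm-password:setcred): (user cgallek) initializing ticket cache FILE:/tmp/krb5cc_1000_3BiTY0
gdm-password]: pam_krb5(gdm-password:setcred): pam_sm_setcred: exit (success)
gdm-password]: pam_krb5(gdm-password:setcred): pam_sm_setcred: entry (reinit)
gdm-password]: pam_krb5(gdm-password:setcred): (user cgallek) refreshing ticket cache /tmp/krb5cc_0
gdm-password]: pam_krb5(gdm-password:setcred): pam_sm_setcred: exit (success)
"""

# Message shapes as they appear in the report's debug output (assumed stable).
INIT_RE = re.compile(r"\(user (?P<user>\S+)\) initializing ticket cache (?P<cache>\S+)")
REFRESH_RE = re.compile(r"\(user (?P<user>\S+)\) refreshing ticket cache (?P<cache>\S+)")


def normalize_cache(name):
    """pam_krb5 logs the initialized cache with its 'FILE:' type prefix but the
    refreshed one as a bare path; compare both as bare paths."""
    return name.split(":", 1)[1] if name.startswith("FILE:") else name


def find_ccache_mismatches(log_text):
    """Return (user, initialized_cache, refreshed_cache) for every refresh that
    landed in a different cache than the one established at login."""
    initialized = {}   # user -> cache path set up by setcred (establish)
    mismatches = []
    for line in log_text.splitlines():
        m = INIT_RE.search(line)
        if m:
            initialized[m.group("user")] = normalize_cache(m.group("cache"))
            continue
        m = REFRESH_RE.search(line)
        if m:
            expected = initialized.get(m.group("user"))
            actual = normalize_cache(m.group("cache"))
            if expected is not None and actual != expected:
                mismatches.append((m.group("user"), expected, actual))
    return mismatches


if __name__ == "__main__":
    for user, expected, actual in find_ccache_mismatches(SAMPLE_LOG):
        print(f"{user}: login cache {expected} but unlock refreshed {actual}")
```

Feed it the real pam_krb5 debug output (e.g. the relevant lines from the auth log) to confirm whether the refresh on unlock is writing to a cache the session never exported via $KRB5CCNAME.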