FWIW, this issue is also present using gdm3 in Ubuntu 16.04. With
pam_krb5's debug option set, I see the following during initial login
(with successful credential cache construction):
gdm-password]: pam_krb5(gdm-password:auth): pam_sm_authenticate: entry
gdm-password]: pam_krb5(gdm-password:auth): (user cgallek) attempting
authentication as cgal...@xxxx.com
gdm-password]: pam_krb5(gdm-password:auth): user cgallek authenticated as
cgal...@xxxx.com
gdm-password]: pam_krb5(gdm-password:auth): (user cgallek) temporarily storing
credentials in /tmp/krb5cc_pam_LB8CeL
gdm-password]: pam_krb5(gdm-password:auth): pam_sm_authenticate: exit (success)
gdm-password]: pam_krb5(gdm-password:setcred): pam_sm_setcred: entry (establish)
gdm-password]: pam_krb5(gdm-password:setcred): (user cgallek) initializing
ticket cache FILE:/tmp/krb5cc_1000_3BiTY0
gdm-password]: pam_krb5(gdm-password:setcred): pam_sm_setcred: exit (success)
When unlocking the screen, I see the following successful credential refresh,
but to the wrong cache filename (/tmp/krb5cc_0):
gdm-password]: pam_krb5(gdm-password:auth): pam_sm_authenticate: entry
gdm-password]: pam_krb5(gdm-password:auth): (user cgallek) attempting
authentication as cgal...@angrydoughnuts.com
gdm-password]: pam_krb5(gdm-password:auth): user cgallek authenticated as
cgal...@xxxx.com
gdm-password]: pam_krb5(gdm-password:auth): (user cgallek) temporarily storing
credentials in /tmp/krb5cc_pam_Dkg5Ip
gdm-password]: pam_krb5(gdm-password:auth): pam_sm_authenticate: exit (success)
gdm-password]: pam_krb5(gdm-password:setcred): pam_sm_setcred: entry (reinit)
gdm-password]: pam_krb5(gdm-password:setcred): (user cgallek) refreshing ticket
cache /tmp/krb5cc_0
gdm-password]: pam_krb5(gdm-password:setcred): pam_sm_setcred: exit (success)
The _0 cache that is created has the correct new credential in it, but
is obviously not known by any other process as it does not match the
earlier version of $KRB5CCNAME. I imagine this is the same issue
described above where the $KRB5CCNAME environment variable is not
available in the gdm context which unlocks the screen.
It's worth noting that in the GDM case, there appears to be a per-
session helper process (gdm-session-worker) used to communicate with the
GDM service. This process _does not_ have the $KRB5CCNAME variable set
in its environment. Would storing the value in this processes
environment fix the problem?
~: ps -ef | grep gdm-session-worker
root 11364 11203 0 Jun25 ? 00:00:00 gdm-session-worker
[pam/gdm-password]
~: cat /proc/11364/environ
LANG=en_US.UTF-8PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binGDM_SESSION_DBUS_ADDRESS=unix:abstract=/tmp/dbus-oTnmcExV
** Also affects: gdm
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1336663
Title:
lightdm uses wrong ccache name on pam_krb5 credentials refresh
To manage notifications about this bug go to:
https://bugs.launchpad.net/gdm/+bug/1336663/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
