This problem affects us, and is quite severe: Kerberized NFS cannot work reliably and securely with lxdm unless it is fixed. Because the Kerberos cache is discarded, users cannot reliably get access to Kerberos-protected home directories. The retain_after_close workaround almost entirely bypasses Kerberos/NFS security: once someone has logged in once, Kerberos permissions associated with their userid remain for a long time (until their TGT expires) even after logout.
Fortunately I think I've also found a fix:

diff -cr ../lxdm-0.5.3-orig/src/pam.c ./src/pam.c *** ../lxdm-0.5.3-orig/src/pam.c 2015-07-31 08:21:09.000000000 -0400 --- ./src/pam.c 2017-09-08 18:29:46.000000000 -0400 *************** *** 397,403 **** --- 397,405 ---- int lxdm_auth_clean_for_child(LXDM_AUTH *a) { + #if NOTDEF /*** teach.cs ***/ pam_end(a->handle,0); + #endif /*** teach.cs ***/ return 0; }

lxdm calls lxdm_auth_clean_for_child between fork() (to make a new process for the session) and exec of Xsession. Calling pam_end here somehow calls the close_session code in pam_krb5.so, which destroys the Kerberos ticket cache. I don't know enough about PAM to be sure whether it's improper to call pam_end here, or whether pam_krb5 is too eager to destroy the cache. Pragmatically, though, removing that pam_end call makes lxdm usable.

https://bugs.launchpad.net/bugs/937602
Title: lxdm clears kerberos ticket cache on login
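
Review bot: in lxdm_auth_clean_for_child, compiling the pam_end(a->handle,0) call out with #if NOTDEF leaves the child with no PAM teardown at all and keeps dead code behind a site-specific marker (/*** teach.cs ***/). Consider keeping the call but passing PAM_DATA_SILENT instead of 0, which Linux-PAM documents for calling pam_end in a forked process whose parent does the real cleanup, and confirm by testing that pam_krb5 then leaves the ticket cache in place. Whichever form is used, add a comment here saying why the child must not run full cleanup, and check that the parent still closes the session at logout so the cache is destroyed then rather than kept until the TGT expires.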