The problem is that on gdm3 3.22 when we get to
"pam_setcred(PAM_REINITIALIZE_CRED)" we have not set the KRB5CCNAME
environment variable.

The pam-krb5 readme
(https://www.eyrie.org/~eagle/software/pam-krb5/readme.html) says:

    The normal sequence of events when refreshing a ticket cache (such as
    inside a screensaver) is:

        pam_authenticate
        pam_setcred(PAM_REINITIALIZE_CRED)
        pam_acct_mgmt

    (PAM_REFRESH_CRED may be used instead.) Authentication proceeds as
    above. At the pam_setcred stage, rather than creating a new ticket
    cache, the module instead finds the current ticket cache (from the
    KRB5CCNAME environment variable or the default ticket cache location
    from the Kerberos library) and then reinitializes it with the
    credentials from the temporary pam_authenticate ticket cache. When
    refreshing a ticket cache, the application should *not* open a
    session. Calling pam_acct_mgmt is optional; pam-krb5 doesn't do
    anything different when it's called in this case.

So it won't work if we don't set the KRB5CCNAME environment variable.

But when? Should we special case this one or set all PAM environment
variables?

--
John Hughes, CalvaEDI S.A.S. -- An Esker Company
<john.hug...@calva.com>
+33 1 4313 3131
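
The refresh sequence quoted from the README, with KRB5CCNAME placed in the PAM environment before the pam_setcred step, as an added example that is not part of the original message and is not gdm3 or pam-krb5 code. The `pam_ops` table, `refresh_ticket_cache`, the recording stand-ins and the cache path are hypothetical, chosen so the order of calls can be run without libpam; setting only this one variable with pam_putenv is an assumption that takes the "special case" option from the question above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical table: each pointer stands for the libpam call named beside it. */
struct pam_ops {
    int (*putenv)(void *h, const char *kv); /* pam_putenv */
    int (*authenticate)(void *h);           /* pam_authenticate */
    int (*reinit_cred)(void *h);            /* pam_setcred(PAM_REINITIALIZE_CRED) */
    int (*acct_mgmt)(void *h);              /* pam_acct_mgmt */
};

/* Returns 0 (PAM_SUCCESS), the first failing step's code, or -1 (name too long). */
int refresh_ticket_cache(const struct pam_ops *ops, void *h, const char *ccname)
{
    char kv[1024];
    int rc;
    if (ccname != NULL && ccname[0] != '\0') {
        int n = snprintf(kv, sizeof kv, "KRB5CCNAME=%s", ccname);
        if (n < 0 || (size_t)n >= sizeof kv) return -1; /* refuse to truncate */
        if ((rc = ops->putenv(h, kv)) != 0) return rc;
    }
    if ((rc = ops->authenticate(h)) != 0) return rc; /* cache left untouched */
    if ((rc = ops->reinit_cred(h)) != 0) return rc;
    return ops->acct_mgmt(h); /* optional per the README; no session is opened */
}

/* Recording stand-ins (constructed); demo_trace() returns the calls they saw. */
static char trace[2048];
static int auth_rc; /* code the stand-in authenticate returns */
static int note(const char *s)
{
    size_t used = strlen(trace);
    return snprintf(trace + used, sizeof trace - used, "%s;", s) < 0;
}
static int m_putenv(void *h, const char *kv) { (void)h; return note(kv); }
static int m_auth(void *h)   { (void)h; note("authenticate"); return auth_rc; }
static int m_reinit(void *h) { (void)h; return note("reinit_cred"); }
static int m_acct(void *h)   { (void)h; return note("acct_mgmt"); }

const char *demo_trace(const char *ccname, int fake_auth_rc)
{
    const struct pam_ops ops = { m_putenv, m_auth, m_reinit, m_acct };
    trace[0] = '\0';
    auth_rc = fake_auth_rc;
    refresh_ticket_cache(&ops, NULL, ccname);
    return trace;
}

int main(void) { puts(demo_trace("FILE:/tmp/krb5cc_constructed", 0)); return 0; }
```

With no cache name supplied the variable is simply not set, which leaves the module to fall back to the default ticket cache location as the README describes.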