J. Pfennig wrote on 31.5.2023 at 21.34:
Package: libpam-sss
Version: 2.8.2-4
Severity: normal
File: /lib/x86_64-linux-gnu/security/pam_sss.so
Dear Maintainer,
* What led up to the situation?
using Kerberos, AD/DC, sssd and its PAM module
* What exactly did you do (or not do) that was effective (or
ineffective)?
kinit ... # to get a Kerberos ticket
echo $KRB5CCNAME # path to credential cache
sudo -i user2
echo $KRB5CCNAME # ORIGINAL path to credential cache
* What was the outcome of this action?
kinit, klist et al fail, wrong credential cache
echo $KRB5CCNAME # path from original user
* What outcome did you expect instead?
KRB5CCNAME must not be passed
The case is described better than I can do at:
https://bugzilla.redhat.com/show_bug.cgi?id=1324486
Bug fixed there in 2017. Could Debian fix it too?
The default value for pam_response_filter should already be
'ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i', so this issue should not
happen since 2.5.1.
--
t
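
A way to check the setting the reply refers to, as an added example (not code from sssd, Debian or either correspondent): shell functions that read the `[pam]` section of an sssd.conf and report whether `KRB5CCNAME` is withheld from a given PAM service. It assumes the defaults quoted above and the `+`/`-` prefix semantics described in sssd.conf(5); the function names are hypothetical and conf.d snippets are not read.

```shell
#!/bin/sh
# Added example. Defaults are the ones quoted in the reply above (assumed).
DEFAULTS='ENV:KRB5CCNAME:sudo,ENV:KRB5CCNAME:sudo-i'

# Print the raw pam_response_filter value from the [pam] section of file $1.
raw_filter() {
    awk '
        /^[ \t]*\[/ { in_pam = ($0 ~ /^[ \t]*\[pam\][ \t]*$/); next }
        in_pam && /^[ \t]*pam_response_filter[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# Print the effective filter list for file $1, one entry per line.
effective_filter() {
    raw=$(raw_filter "$1" | tr -d ' \t')
    if [ -z "$raw" ]; then                     # unset: defaults apply
        printf '%s\n' "$DEFAULTS" | tr ',' '\n'
        return 0
    fi
    case "$raw" in
        [+-]*) ;;                              # prefixed list: edits the defaults
        *) printf '%s\n' "$raw" | tr ',' '\n'  # plain list: replaces the defaults
           return 0 ;;
    esac
    list=$(printf '%s\n' "$DEFAULTS" | tr ',' '\n')
    for item in $(printf '%s\n' "$raw" | tr ',' ' '); do
        entry=${item#[+-]}
        case "$item" in
            +*) list=$(printf '%s\n%s\n' "$list" "$entry") ;;
            -*) list=$(printf '%s\n' "$list" | grep -vxF -e "$entry" || true) ;;
        esac
    done
    printf '%s\n' "$list"
}

# Succeed if KRB5CCNAME is withheld from PAM service $2 under config file $1.
krb5ccname_filtered() {
    effective_filter "$1" |
        grep -qxF -e 'ENV' -e 'ENV:KRB5CCNAME' -e "ENV:KRB5CCNAME:$2"
}
```

A plain (unprefixed) list that omits the `KRB5CCNAME` entries replaces the defaults, which is the case where `sudo -i` would again receive the original user's cache path.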