Severity: Serious

There is an update posted to debian-user. After discussion with people there, I have opened a bug report upstream (bug #400455). It was also mentioned that sarge did not use gnome-screensaver but xscreensaver (contrary to what I wrote), which is right.
I am also going to upgrade the severity of that bug to serious and make it release-critical. It does break something which used to work for sarge and is likely to upset a lot of people if released as is. It basically makes the whole desktop unusable if you are using pam_krb5 (which includes AD domains, I guess).

jacques

----- Forwarded message from Jacques Normand <[EMAIL PROTECTED]> -----

Date: Wed, 24 Jan 2007 16:48:49 -0600
From: Jacques Normand <[EMAIL PROTECTED]>
Subject: Can't get gnome-screensaver to work with pam_krb5
To: debian-user@lists.debian.org

Hi everybody,

I have a nasty issue with gnome-screensaver. I cannot have it work properly with kerberos (mit krb5). The version in sarge worked without problems but it has been broken for quite some time in testing.

The same configuration reports broken passwords all the time (which is what I reported on bug #383889). On the other hand, if I disable the verify_ap_req_nofail option in krb5.conf, then I see the passwords as accepted, ... but the screen-saver does not quit.

This verify_ap_req_nofail option controls the behavior when the keytab is not found. The machine I am testing on has a valid keytab so this option should not change anything. That makes me think of a bad setup of the environment.

For information:

/etc/pam.d/common-auth

auth sufficient pam_unix.so nullok_secure
auth required pam_krb5.so debug use_first_pass

/etc/krb5.conf (slightly edited):

[libdefaults]
default_realm = XXXX
# The following krb5.conf variables are only for MIT Kerberos.
default_tgs_enctypes = des3-hmac-sha1
default_tkt_enctypes = des3-hmac-sha1
permitted_enctypes = des3-hmac-sha1
kdc_timesync = 1
ccache_type = 4
renew_lifetime=7d
forwardable = true
proxiable = true

[logging]
kdc = SYSLOG:ERR:LOCAL5
admin_server = SYSLOG:ERR:LOCAL5
default = SYSLOG

[realms]
XXXXXXXX = {
  kdc = XXXXX
  admin_server = XXXXX
}

[domain_realm]
.....

[appdefaults]
forwardable = true
pam = {
  minimum_uid=1000
}

And the logs show:

/var/log/debug

...
Jan 24 16:15:08 neelix gnome-screensaver-dialog: (pam_krb5): none: pam_sm_authenticate: entry (0x0)
Jan 24 16:15:08 neelix gnome-screensaver-dialog: (pam_krb5): jacques: pam_sm_authenticate: exit (success)
...

If someone has any ideas, I am all for it.

thanks

jacques

----- End forwarded message -----