Launchpad Bug Tracker <1296...@bugs.launchpad.net> writes:

> So what is happening is that on the initial login, I get a valid ticket
> cache, owned by my logging-in user, and showing my UID in the file name.
> This ticket works fine. However, once I lock the screen and then unlock
> it, I get a ticket cache owned by root, with "_pam_" in the filename,
> and of course I can't use it because I am not logged in as root.

The _pam_ ticket cache is created during the authenticate step of the PAM interaction, and is then written to the user's actual ticket cache during either setcred or open_session. (setcred is the appropriate thing for a screen saver to call.) It's deleted on pam_end.

This sounds like a screen saver that isn't using PAM properly. It looks like it's starting a PAM interaction and then only calling authenticate, never calling setcred, and never ending the PAM interaction, so it leaks a root-owned ticket cache and never renews your cache.

There used to be widespread problems of this sort due to the number of people writing screen savers who didn't really understand how PAM worked, but I thought most of them had been fixed.

You can confirm that it's a problem with this program rather than with your system configuration by running xscreensaver, locking the screen, unlocking with your Kerberos password, and seeing if that properly refreshes your credentials. I know that xscreensaver does PAM properly.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>

https://bugs.launchpad.net/bugs/1296276

Title: light-locker fails to properly renew kerberos tickets with pam-krb5

Status in “light-locker” package in Ubuntu: New
Status in “lightdm” package in Ubuntu: New

Bug description:

I am using the pam-krb5 module to log into a Kerberos realm using lightdm. This works the initial time I log in, when I come in through lightdm. However, once I am logged in, and I lock the screen using light-locker, when I unlock the screen I no longer get renewed tickets.

The problem seems to be this:

-rw------- 1 me me 504 Mar 23 08:37 krb5cc_1000_sjkfhagfg
-rw------- 1 root root 504 Mar 23 08:38 krb5cc_pam_lsdkjhfsdk

So what is happening is that on the initial login, I get a valid ticket cache, owned by my logging-in user, and showing my UID in the file name.
This ticket works fine. However, once I lock the screen and then unlock it, I get a ticket cache owned by root, with "_pam_" in the filename, and of course I can't use it because I am not logged in as root.

This problem did not occur in 12.04 LTS, probably because it did not use light-locker. The pam-krb5 module works in all other cases in my installations, so I do not believe this is any kind of problem with the pam_krb5 module.

Thanks,
Brian

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: light-locker 1.2.1-0ubuntu1
ProcVersionSignature: Ubuntu 3.13.0-18.38-generic 3.13.6
Uname: Linux 3.13.0-18-generic x86_64
ApportVersion: 2.13.3-0ubuntu1
Architecture: amd64
Date: Sun Mar 23 08:40:38 2014
InstallationDate: Installed on 2014-03-22 (0 days ago)
InstallationMedia: Ubuntu-Server 14.04 LTS "Trusty Tahr" - Alpha amd64 (20140320)
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: light-locker
UpgradeStatus: No upgrade log present (probably fresh install)
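
A check for the symptom described in this thread, as an added example (not code from the report, pam-krb5 or light-locker): it flags leftover krb5cc_pam_* caches and user caches that were not refreshed after them. The file-name patterns come from the listing in the bug description; the grace window, the finding names and the /tmp default are assumptions.

```python
import os
import re
from collections import namedtuple

# Name patterns taken from the listing in the bug description.
PAM_TMP = re.compile(r"^krb5cc_pam_")
USER_CC = re.compile(r"^krb5cc_(\d+)_")

Entry = namedtuple("Entry", "name uid mtime")

def scan(directory):
    """Collect (name, owner uid, mtime) for every krb5cc_* file in directory."""
    entries = []
    for item in os.scandir(directory):
        if item.name.startswith("krb5cc_") and item.is_file(follow_symlinks=False):
            st = item.stat(follow_symlinks=False)
            entries.append(Entry(item.name, st.st_uid, st.st_mtime))
    return entries

def audit(entries, now, grace=60):
    """Return findings as sorted (kind, name) tuples.

    grace (seconds) is an assumed allowance for an authentication that is
    still in progress, during which a _pam_ cache legitimately exists.
    """
    findings = set()
    leaked = [e for e in entries
              if PAM_TMP.match(e.name) and now - e.mtime > grace]
    for e in leaked:
        findings.add(("leaked-pam-cache", e.name))
    for e in entries:
        m = USER_CC.match(e.name)
        if not m:
            continue
        if int(m.group(1)) != e.uid:
            findings.add(("owner-mismatch", e.name))
        # Heuristic: a leftover _pam_ cache newer than the user's cache
        # suggests authenticate succeeded but setcred never refreshed it.
        if any(p.mtime > e.mtime for p in leaked):
            findings.add(("not-refreshed", e.name))
    return sorted(findings)

if __name__ == "__main__":
    import time
    # /tmp is an assumption; the report does not say where the caches live.
    for kind, name in audit(scan("/tmp"), time.time()):
        print(kind, name)
```

On a multi-user host the not-refreshed finding cannot be tied to one user, because the leaked cache is owned by root.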