[Desktop-packages] [Bug 1336663] Re: lightdm uses wrong ccache name on pam_krb5 credentials refresh

Yes, if KRB5CCNAME were set in the environment of the screen saver, it would fix this problem. To be clear, this isn't a bug in libpam-krb5, but in the means by which the screen saver is launched without the user's environment set properly (which should be created via the pam_setcred and pam_open_

[Desktop-packages] [Bug 1336663] Re: lightdm uses wrong ccache name on pam_krb5 credentials refresh

Note that all that pam-krb5 specifically cares about is KRB5CCNAME, so an alternative approach that may require less refactoring and would work for that PAM module would be to preserve the PAM environment from pam_getenvlist and set those variables in the environment before invoking PAM for unlock.

Re: [Desktop-packages] [Bug 1296276] Re: Unlocking with greeter fails to properly renew kerberos tickets with pam-krb5

ly done. (It's possible that it already does this but there's a setuid program in the loop, in which case the environment variables are ignored. That would require a more complex fix. Let me know if that's the case.) -- Russ Allbery (r...@debian.org) <http://www.eyr

Re: [Desktop-packages] [Bug 1296276] Re: Unlocking with greeter fails to properly renew kerberos tickets with pam-krb5

be set for it to find the user's ticket cache, but hopefully it will just work. -- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/> -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to

Re: [Desktop-packages] [Bug 1296276] Re: Unlocking with greeter fails to properly renew kerberos tickets with pam-krb5

the file after calling pam_setcred). Oh! I'm sorry. I looked at the head commit to the branch, and didn't realize that it diverged more than that. -- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/> -- You received this bug notification because you are

Re: [Desktop-packages] [Bug 1296276] [NEW] light-locker fails to properly renew kerberos tickets with pam-krb5

then look in syslog after unlocking the screen. That should provide much more detail about exactly what the Kerberos PAM module is trying to do. -- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/> -- You received this bug notification because you are a member of

Re: [Desktop-packages] [Bug 1296276] Re: light-locker fails to properly renew kerberos tickets with pam-krb5

Robert Ancell writes: > Could you please try lp:~robert-ancell/lightdm/setcred-on-unlock and see > if this fixes it? It will surprise me if this change fixes the issue. pam-krb5 treats PAM_REFRESH_CRED and PAM_REINITIALIZE_CRED identically. -- Russ Allbery (r...@debi

Re: [Desktop-packages] [Bug 1296276] [NEW] light-locker fails to properly renew kerberos tickets with pam-krb5

of them had been fixed. You can confirm that it's a problem with this program rather than with your system configuration by running xscreensaver, locking the screen, unlocking with your Kerberos password, and seeing if that properly refreshes your credentials. I know that xscreensaver does PAM