Hello again. Thanks @Sergio for the krenew tip.

I'd rather not automatically renew a user's ticket without having them supply their password from time to time. I came up with a *horrible* workaround which I believe does not break Kerberos security as a whole (please correct me if I'm wrong):

In /etc/pam.d/common-auth:

    auth optional pam_script.so dir=/etc/security/pam-script.d

In /etc/security/pam-script.d/pam_script_auth:

    #!/bin/sh
    ## Kerberos 5 credential cache (ticket) hack
    # REF: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1336663
    # The misnamed cache only shows up after pam_script has returned, so defer
    # the rename a few seconds and run it in the background; PAM_USER is passed
    # through explicitly (quoted) so odd user names cannot break the command.
    PAM_USER="${PAM_USER}" sh -c 'sleep 3; exec /etc/security/pam-script.d/krb5cc_rename' &

In /etc/security/pam-script.d/krb5cc_rename:

    #!/bin/sh
    ## Kerberos 5 credential cache (ticket) hack
    # REF: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1336663

    # Parameters
    KRB5CC_DIR='/tmp'

    # Look for matching - although misnamed - credential cache
    # ... retrieve user UID
    KRB5CC_UID="$(id -u "${PAM_USER}" 2>/dev/null)"
    if [ -z "${KRB5CC_UID}" ]; then
        echo 'ERROR: Failed to retrieve user UID'; exit 1
    fi

    # ... look for user matching/misnamed ticket
    KRB5CC_SRC="$(find "${KRB5CC_DIR}" -maxdepth 1 -uid "${KRB5CC_UID}" -name 'krb5cc_0')"
    if [ -z "${KRB5CC_SRC}" ]; then
        echo 'INFO: No matching/misnamed Kerberos 5 ticket found'; exit 0
    fi

    # ... look for *older* user ticket (do not replace a newer one)
    KRB5CC_DST="$(find "${KRB5CC_DIR}" -maxdepth 1 -uid "${KRB5CC_UID}" -name "krb5cc_${KRB5CC_UID}_*" -not -newer "${KRB5CC_SRC}" | head -n 1)"
    if [ -z "${KRB5CC_DST}" ]; then
        echo 'INFO: No previous/user Kerberos 5 ticket found'; exit 0
    fi

    # ... check Kerberos principal matches (just to be on the safe side; let's not rely only on file ownership)
    # An empty principal (klist failed on the cache) must not compare equal to another empty one.
    SRC_PRINCIPAL="$(klist "${KRB5CC_SRC}" | grep '^Default principal:')"
    DST_PRINCIPAL="$(klist "${KRB5CC_DST}" | grep '^Default principal:')"
    if [ -z "${SRC_PRINCIPAL}" ] || [ "${SRC_PRINCIPAL}" != "${DST_PRINCIPAL}" ]; then
        echo 'ERROR: Mismatched principal'; exit 1
    fi

    # Replace user credential cache by matching/misnamed one
    if ! mv "${KRB5CC_SRC}" "${KRB5CC_DST}"; then
        echo 'ERROR: Failed to rename matching/misnamed Kerberos 5 ticket'; exit 1
    fi
    echo 'INFO: Successfully renamed matching/misnamed Kerberos 5 ticket'
    exit 0

The 'sh -c "sleep 3; ..."' is required to handle the fact that the misnamed ticket is created only after pam_script is invoked (I guess when pam_end is called).

Gut-wrenching... but working :-/

--
https://bugs.launchpad.net/bugs/1336663

Title:
  lightdm uses wrong ccache name on pam_krb5 credentials refresh

Status in Light Display Manager: Triaged
Status in libpam-krb5 package in Ubuntu: Confirmed
Status in lightdm package in Ubuntu: Triaged

Bug description:
  As already noted by Brian Knoll in https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1296276/comments/24, lightdm 1.10.1-0ubuntu1 uses an inappropriate credentials cache, /tmp/krb5cc_0, when refreshing Kerberos credentials on screen unlock. I couldn't find the new bug Robert Ancell called for in https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1296276/comments/27 so I'm opening one now.
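The workaround above decides whether /tmp/krb5cc_0 may be moved over the user's own cache by comparing file ownership, modification time and the "Default principal:" line printed by klist. The following is an added example, not the poster's script and not lightdm or libpam-krb5 code, that applies the same three checks in Python and reads the default principal straight out of the FILE credential cache format (version 3 and 4 headers), so the decision does not depend on klist being installed or on its output text. The cache file names, the principals alice@EXAMPLE.COM and bob@EXAMPLE.COM, and the scratch directory are constructed for the demonstration; the sample caches carry only a default principal and no credentials.

```python
"""Added example: adopt a misnamed Kerberos FILE ccache only after checking it.

Not the poster's or lightdm's code. Sample caches are constructed in a scratch
directory; only the default principal is written, no credentials.
"""
import os
import struct
import tempfile

CCACHE_V3 = 0x0503
CCACHE_V4 = 0x0504


def _counted(data: bytes) -> bytes:
    """Length-prefixed field as used by the FILE ccache format (uint32, big-endian)."""
    return struct.pack(">I", len(data)) + data


def build_ccache(principal: str, version: int = CCACHE_V4) -> bytes:
    """Constructed sample: a minimal v3/v4 FILE ccache holding only the default principal."""
    name, realm = principal.rsplit("@", 1)
    out = struct.pack(">H", version)
    if version == CCACHE_V4:
        # v4 carries a tagged header; one DELTATIME tag (type 1, 8 bytes, zeroed)
        tag = struct.pack(">HH", 1, 8) + b"\0" * 8
        out += struct.pack(">H", len(tag)) + tag
    comps = name.split("/")
    out += struct.pack(">II", 1, len(comps))  # name_type KRB5_NT_PRINCIPAL, component count
    out += _counted(realm.encode())
    for comp in comps:
        out += _counted(comp.encode())
    return out


def default_principal(buf: bytes):
    """Return the default principal ('a/b@REALM') of a v3/v4 FILE ccache, or None."""
    (version,) = struct.unpack_from(">H", buf, 0)
    off = 2
    if version == CCACHE_V4:
        (hlen,) = struct.unpack_from(">H", buf, off)
        off += 2 + hlen
    elif version != CCACHE_V3:
        return None  # v1/v2 use host byte order and have no name_type; not handled here
    off += 4  # skip name_type
    (ncomp,) = struct.unpack_from(">I", buf, off)
    off += 4

    def field(pos):
        (n,) = struct.unpack_from(">I", buf, pos)
        return buf[pos + 4:pos + 4 + n], pos + 4 + n

    realm, off = field(off)
    comps = []
    for _ in range(ncomp):
        comp, off = field(off)
        comps.append(comp.decode())
    return "/".join(comps) + "@" + realm.decode()


def adopt_misnamed_cache(src: str, dst: str, uid: int) -> str:
    """Rename src over dst only if both are owned by uid, dst is not newer than src,
    and both caches name the same principal. Returns a status word for the outcome."""
    try:
        s, d = os.stat(src), os.stat(dst)
    except FileNotFoundError:
        return "missing"
    if s.st_uid != uid or d.st_uid != uid:
        return "owner-mismatch"
    if d.st_mtime > s.st_mtime:
        return "dst-newer"  # never clobber a more recent ticket
    with open(src, "rb") as f, open(dst, "rb") as g:
        p_src, p_dst = default_principal(f.read()), default_principal(g.read())
    if p_src is None or p_src != p_dst:
        return "principal-mismatch"  # also refuses when src could not be parsed
    os.replace(src, dst)
    return "renamed"


def demo() -> dict:
    """Three cases on constructed caches: match, different principal, newer user cache."""
    uid = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        def write(name, principal, mtime):
            path = os.path.join(tmp, name)
            with open(path, "wb") as f:
                f.write(build_ccache(principal))
            os.utime(path, (mtime, mtime))
            return path

        src = write("krb5cc_0", "alice@EXAMPLE.COM", 2000)
        dst = write(f"krb5cc_{uid}_AAAA", "alice@EXAMPLE.COM", 1000)
        results["match"] = adopt_misnamed_cache(src, dst, uid)

        src = write("krb5cc_0", "bob@EXAMPLE.COM", 2000)
        dst = write(f"krb5cc_{uid}_BBBB", "alice@EXAMPLE.COM", 1000)
        results["mismatch"] = adopt_misnamed_cache(src, dst, uid)

        src = write("krb5cc_0", "alice@EXAMPLE.COM", 1000)
        dst = write(f"krb5cc_{uid}_CCCC", "alice@EXAMPLE.COM", 2000)
        results["newer"] = adopt_misnamed_cache(src, dst, uid)
    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats carry over to the shell version as well: the ownership and mtime checks are made with stat before the rename, so in a world-writable /tmp there is a window between the check and the os.replace() in which the source file could be swapped, and a cache whose principal cannot be parsed is refused rather than treated as matching. Running the block stand-alone prints the outcome of the three constructed cases.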