Brian Knoll <1296...@bugs.launchpad.net> writes:

> I just noticed what appears to be another problem:

> -rw------- 1 myuser mygroup 504 May 12 21:21 krb5cc_0
> -rw------- 1 myuser mygroup 504 May 12 21:16 krb5cc_1000_a8bk3j

> While lightdm is renewing the tickets now when unlocking the screen
> saver, and the ownership of the ticket is correct, the filename still
> appears to be incorrect. Specifically, the filename appears to be
> constructed using the user number of the lightdm process, rather than
> the user number of the user authenticating to the screen saver.

This is the library default ticket cache path for root, which is used if no KRB5CCNAME environment variable is set while renewing ticket caches in a root-owned process, and neither ccache nor ccache_dir are set in the PAM configuration.

(For creating a new session, the second file name is used, but when refreshing, one wants to use the same ticket cache that other user processes will use, which is the default ticket cache path when KRB5CCNAME is set. So pam-krb5 is trying to match the behavior of other userspace processes, but since it's running as another user, it doesn't have enough information to know the correct default ticket cache name.)

What I assume should happen is that lightdm should somehow inherit the KRB5CCNAME environment variable set for the user session. However, I don't know enough about the architecture to know how that should be properly done.

(It's possible that it already does this but there's a setuid program in the loop, in which case the environment variables are ignored. That would require a more complex fix. Let me know if that's the case.)

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
https://bugs.launchpad.net/bugs/1296276

Title: Unlocking with greeter fails to properly renew kerberos tickets with pam-krb5
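The cache-name resolution described in the reply above, as an added example that is not part of the original message or of pam-krb5. It assumes the stock MIT Kerberos default of `FILE:/tmp/krb5cc_<uid>` with no `default_ccache_name` override, and that `myuser` has uid 1000; the function names are hypothetical.

```python
import os
import re

# Assumption: stock library default, no default_ccache_name in krb5.conf.
DEFAULT_TEMPLATE = "FILE:/tmp/krb5cc_{uid}"

def default_ccache(env, uid):
    """Cache a process resolves: KRB5CCNAME if set, else the per-uid default."""
    return env.get("KRB5CCNAME") or DEFAULT_TEMPLATE.format(uid=uid)

def name_uid(filename):
    """uid embedded in a krb5cc_<uid>[_suffix] file name, or None."""
    m = re.fullmatch(r"krb5cc_(\d+)(?:_.+)?", filename)
    return int(m.group(1)) if m else None

def scan(directory="/tmp"):
    """Sorted (file name, owning uid) pairs for every entry in a directory."""
    return sorted((e.name, e.stat(follow_symlinks=False).st_uid)
                  for e in os.scandir(directory))

def mismatched(entries):
    """File names whose embedded uid differs from the uid that owns the file."""
    return [name for name, owner in entries
            if name_uid(name) is not None and name_uid(name) != owner]

# Constructed sample mirroring the listing in the report (myuser assumed uid 1000).
LISTING = [("krb5cc_0", 1000), ("krb5cc_1000_a8bk3j", 1000)]
SESSION_ENV = {"KRB5CCNAME": "FILE:/tmp/krb5cc_1000_a8bk3j"}

def demo():
    return {
        # What the user's own processes use inside the session.
        "user_process": default_ccache(SESSION_ENV, 1000),
        # Root-owned refresh with no KRB5CCNAME: falls back to root's default.
        "root_refresh_no_env": default_ccache({}, 0),
        # Same refresh once the session's KRB5CCNAME is passed through.
        "root_refresh_with_env": default_ccache(SESSION_ENV, 0),
        # Caches named for one uid but owned by another, as in the report.
        "mismatched": mismatched(LISTING),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("mismatched in /tmp:", mismatched(scan("/tmp")))
```

Running it on an affected host lists any cache in `/tmp` whose name carries a different uid than its owner, which is the symptom shown in the quoted listing.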