Yes, if KRB5CCNAME were set in the environment of the screen saver, it
would fix this problem.

To be clear, this isn't a bug in libpam-krb5, but in the means by which
the screen saver is launched without the user's environment set properly
(which should be created via the pam_setcred and pam_open_session steps
of the PAM call sequence, and the new user environment generated by
PAM).  Without KRB5CCNAME, there's no way for the PAM module to find the
user's ticket cache to renew it on subsequent unlocks; somehow, it does
need that information conveyed to it.

You can work around this by using a predictable ticket cache name that
embeds only the user's UID and setting that as the default ticket cache
(in various ways -- PAM configuration, Kerberos configuration, etc.).
But this isn't a general solution that can be adapted by the package
because it means every user session for the same user uses the same
Kerberos ticket cache, which means that, say, logging on to the system
via ssh and then logging out will delete the ticket cache underneath the
local console login.

** Changed in: libpam-krb5 (Ubuntu)
       Status: Confirmed => Invalid

https://bugs.launchpad.net/bugs/1336663

Title:
  lightdm uses wrong ccache name on pam_krb5 credentials refresh
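
Added example, not part of the original bug comment or of libpam-krb5: a check for the condition described above (a process such as the screen saver started without KRB5CCNAME) and for the UID-only cache name that the workaround relies on. The sample environment blocks, the user name and the result labels are constructed, and the UID-only test assumes the conventional `krb5cc_<uid>` file naming.

```python
import re
import sys

# Matches cache names that end in krb5cc_<uid> with nothing after the UID,
# e.g. FILE:/tmp/krb5cc_1000. Assumption: conventional krb5cc_<uid> naming.
UID_ONLY = re.compile(r"(?:^|[:/])krb5cc_\d+$")


def parse_environ(raw: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE block found in /proc/<pid>/environ."""
    env = {}
    for item in raw.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep and key:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def classify_ccache(raw: bytes) -> str:
    """Return 'missing', 'uid-only' or 'per-session' for an environment block."""
    name = parse_environ(raw).get("KRB5CCNAME")
    if not name:
        # The PAM module has no way to find the ticket cache to renew.
        return "missing"
    if UID_ONLY.search(name):
        # Every session of this user shares one cache; one logout removes it.
        return "uid-only"
    return "per-session"


def check_pid(pid: int) -> str:
    """Classify a live process. Needs the same UID as the process, or root.
    /proc/<pid>/environ holds the environment the process was started with."""
    with open(f"/proc/{pid}/environ", "rb") as fh:
        return classify_ccache(fh.read())


# Constructed sample environment blocks (not captured from a real system).
SAMPLE_LOCKER = b"HOME=/home/alice\0DISPLAY=:0\0"
SAMPLE_SESSION = b"HOME=/home/alice\0KRB5CCNAME=FILE:/tmp/krb5cc_1000_aB3xYz\0"
SAMPLE_SHARED = b"KRB5CCNAME=FILE:/tmp/krb5cc_1000\0HOME=/home/alice\0"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_pid(int(sys.argv[1])))
    else:
        for raw in (SAMPLE_LOCKER, SAMPLE_SESSION, SAMPLE_SHARED):
            print(classify_ccache(raw))
```

Run it with the screen saver's PID as the only argument to inspect a live process; with no argument it classifies the three constructed samples.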
