Comment 2 for bug 1336663
Revision history for this message
| Sergio Gelato (sergio-gelato) wrote Re: [Bug 1336663] Re: lightdm uses wrong ccache name on pam_krb5 credentials refresh | #2 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
* Robert Ancell [2014-07-08 04:27:34 -0000]:
> It's not clear if the problem is the way we are using PAM in LightDM
> (i.e. insufficient/wrong information for pam-krb5 to do the right thing)
> or an assumption by pam-krb5 that is not occurring.
pam_krb5 needs to be told the name of the credentials cache for the session
being unlocked; it can't very well guess it by itself. I believe it looks
for the environment variable KRB5CCNAME. This may need to be made a part of
the session state as seen by LightDM. pam_krb5 will set this variable (to an
unpredictable value) on initial login, so perhaps LightDM should stash its
value somewhere at that time; or else it can be retrieved (but is that
portable enough?) from /proc/<pid>/environ for the session's main process.
Either way, it needs to be made visible to pam_krb5 at setcred time on unlock.
libpam-
regular getenv().