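# Look for matching - although misnamed - credential cache
# ... retrieve user UID (PAM_USER is provided by pam_script; the script runs as root)
[ -n "${PAM_USER}" ] || { echo 'ERROR: PAM_USER is not set' >&2; exit 1; }
KRB5CC_UID="$(id -u -- "${PAM_USER}")"
[ -n "${KRB5CC_UID}" ] || { echo 'ERROR: Failed to retrieve user UID' >&2; exit 1; }
# ... look for user matching/misnamed ticket
#     (-type f: only ever rename a regular file owned by that user)
KRB5CC_SRC="$(find "${KRB5CC_DIR}" -maxdepth 1 -type f -uid "${KRB5CC_UID}" -name 'krb5cc_0')"
[ -n "${KRB5CC_SRC}" ] || { echo 'INFO: No matching/misnamed Kerberos 5 ticket found'; exit 0; }
# ... look for *older* user ticket (do not replace a newer one)
KRB5CC_DST="$(find "${KRB5CC_DIR}" -maxdepth 1 -type f -uid "${KRB5CC_UID}" -name "krb5cc_${KRB5CC_UID}_*" ! -newer "${KRB5CC_SRC}" | head -n 1)"
[ -n "${KRB5CC_DST}" ] || { echo 'INFO: No previous/user Kerberos 5 ticket found'; exit 0; }
# ... check Kerberos principal matches (just to be on the safe side; let's not rely only on files ownership)
#     Both principals must be non-empty: if klist failed on both caches the two
#     outputs would be empty and an equality test alone would pass vacuously.
KRB5CC_SRC_PRINC="$(klist "${KRB5CC_SRC}" | grep '^Default principal:')"
KRB5CC_DST_PRINC="$(klist "${KRB5CC_DST}" | grep '^Default principal:')"
if [ -z "${KRB5CC_SRC_PRINC}" ] || [ -z "${KRB5CC_DST_PRINC}" ]; then
  echo 'ERROR: Failed to read Kerberos principal' >&2
  exit 1
fi
if [ "${KRB5CC_SRC_PRINC}" != "${KRB5CC_DST_PRINC}" ]; then
  echo 'ERROR: Mismatched principal' >&2
  exit 1
fi
# Replace user credential cache by matching/misnamed one
if ! mv -- "${KRB5CC_SRC}" "${KRB5CC_DST}"; then
  echo 'ERROR: Failed to rename matching/misnamed Kerberos 5 ticket' >&2
  exit 1
fi
echo 'INFO: Successfully renamed matching/misnamed Kerberos 5 ticket'
exit 0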
The `sh -c "sleep 3; ..."` wrapper is required because the misnamed ticket is only created after pam_script is invoked (I guess when pam_end is called).
Hello again,
Thanks @Sergio for the krenew tip.
I'd rather not automatically renew a user's ticket without having them supply their password from time to time.
I came up with a *horrible* workaround which I believe does not undermine Kerberos security as a whole (please correct me if I'm wrong):
In /etc/pam.d/common-auth:
auth optional pam_script.so dir=/etc/security/pam-script.d
In /etc/security/pam-script.d/pam_script_auth:
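#!/bin/sh
## Kerberos 5 credential cache (ticket) hack
# REF: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1336663
#
# Defer the rename until after pam_end, when the misnamed cache actually exists.
# PAM_USER is handed to the child through its environment rather than being
# interpolated into the 'sh -c' command string: the username is whatever was
# typed at the login prompt, so it must never be parsed as shell syntax (this
# script runs as root).
PAM_USER="${PAM_USER}" sh -c 'sleep 3; exec /etc/security/pam-script.d/krb5cc_rename' &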
In /etc/security/pam-script.d/krb5cc_rename:
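#!/bin/sh
## Kerberos 5 credential cache (ticket) hack
# REF: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1336663
#
# Run as root shortly after PAM authentication (see pam_script_auth).
# If a credential cache was written under the wrong name ('krb5cc_0') but is
# owned by the authenticating user, rename it over that user's *older*
# 'krb5cc_<uid>_*' cache, provided both caches carry the same principal.
# Environment: PAM_USER (set by pam_script) - the user being authenticated.

# Parameters
KRB5CC_DIR='/tmp'

# Look for matching - although misnamed - credential cache
# ... retrieve user UID
[ -n "${PAM_USER}" ] || { echo 'ERROR: PAM_USER is not set' >&2; exit 1; }
KRB5CC_UID="$(id -u -- "${PAM_USER}")"
[ -n "${KRB5CC_UID}" ] || { echo 'ERROR: Failed to retrieve user UID' >&2; exit 1; }
# ... look for user matching/misnamed ticket
#     (-type f: only ever rename a regular file owned by that user)
KRB5CC_SRC="$(find "${KRB5CC_DIR}" -maxdepth 1 -type f -uid "${KRB5CC_UID}" -name 'krb5cc_0')"
[ -n "${KRB5CC_SRC}" ] || { echo 'INFO: No matching/misnamed Kerberos 5 ticket found'; exit 0; }
# ... look for *older* user ticket (do not replace a newer one)
KRB5CC_DST="$(find "${KRB5CC_DIR}" -maxdepth 1 -type f -uid "${KRB5CC_UID}" -name "krb5cc_${KRB5CC_UID}_*" ! -newer "${KRB5CC_SRC}" | head -n 1)"
[ -n "${KRB5CC_DST}" ] || { echo 'INFO: No previous/user Kerberos 5 ticket found'; exit 0; }
# ... check Kerberos principal matches (just to be on the safe side; let's not rely only on files ownership)
#     Both principals must be non-empty: if klist failed on both caches the two
#     outputs would be empty and an equality test alone would pass vacuously.
KRB5CC_SRC_PRINC="$(klist "${KRB5CC_SRC}" | grep '^Default principal:')"
KRB5CC_DST_PRINC="$(klist "${KRB5CC_DST}" | grep '^Default principal:')"
if [ -z "${KRB5CC_SRC_PRINC}" ] || [ -z "${KRB5CC_DST_PRINC}" ]; then
  echo 'ERROR: Failed to read Kerberos principal' >&2
  exit 1
fi
if [ "${KRB5CC_SRC_PRINC}" != "${KRB5CC_DST_PRINC}" ]; then
  echo 'ERROR: Mismatched principal' >&2
  exit 1
fi
# Replace user credential cache by matching/misnamed one
if ! mv -- "${KRB5CC_SRC}" "${KRB5CC_DST}"; then
  echo 'ERROR: Failed to rename matching/misnamed Kerberos 5 ticket' >&2
  exit 1
fi
echo 'INFO: Successfully renamed matching/misnamed Kerberos 5 ticket'
exit 0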
The `sh -c "sleep 3; ..."` wrapper is required because the misnamed ticket is only created after pam_script is invoked (I guess when pam_end is called).
Gut-wrenching... but working :-/