Unlocking with greeter fails to properly renew kerberos tickets with pam-krb5
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Light Display Manager | Fix Released | Medium | Robert Ancell | |
1.10 | Fix Released | High | Robert Ancell | |
lightdm (Ubuntu) | Fix Released | High | Robert Ancell | |
Trusty | Fix Released | High | Robert Ancell | |
Bug Description
[Impact]
Aborted PAM authentications may leave artifacts behind. This is due to LightDM not correctly calling pam_end on these.
Authenticating via a LightDM greeter does not refresh PAM credentials.
[Test Case]
1. Lock screen using LightDM greeter
2. Enter password to return to session
Expected result:
Screen is unlocked, credentials are refreshed.
Observed result:
Screen is unlocked, artifacts are left behind from PAM authentication, credentials not refreshed.
[Regression Potential]
Since this change affects the PAM handling, other PAM modules might potentially have a change in behaviour. This seems low risk as both changes are correct behaviour over the previously incorrect behaviour.
I am using the pam-krb5 module to log into a Kerberos realm using lightdm. This works the initial time I log in, when I come in through lightdm. However, once I am logged in, and I lock the screen using light-locker, when I unlock the screen I no longer get renewed tickets.
The problem seems to be this:
-rw------- 1 me me 504 Mar 23 08:37 krb5cc_
-rw------- 1 root root 504 Mar 23 08:38 krb5cc_
So what is happening is that on the initial login, I get a valid ticket cache, owned by my logging-in user, and showing my UID in the file name. This ticket works fine. However, once I lock the screen and then unlock it, I get a ticket cache owned by root, with "_pam_" in the filename, and of course I can't use it because I am not logged in as root.
This problem did not occur in 12.04 LTS, probably because it did not use light-locker. The pam-krb5 module works in all other cases in my installations, so I do not believe this is any kind of problem with the pam_krb5 module.
Thanks,
Brian
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: light-locker 1.2.1-0ubuntu1
ProcVersionSign
Uname: Linux 3.13.0-18-generic x86_64
ApportVersion: 2.13.3-0ubuntu1
Architecture: amd64
Date: Sun Mar 23 08:40:38 2014
InstallationDate: Installed on 2014-03-22 (0 days ago)
InstallationMedia: Ubuntu-Server 14.04 LTS "Trusty Tahr" - Alpha amd64 (20140320)
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: light-locker
UpgradeStatus: No upgrade log present (probably fresh install)
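A triage check for the symptom reported above, added here as an example and not taken from the bug report or from LightDM: it lists credential caches in a directory that have "_pam_" in the name, or that are named for a user's UID but not owned by that user. The function name `stale_krb5_caches`, the numeric-UID argument and the use of `/tmp` as the cache directory are assumptions.

```shell
#!/bin/sh
# Added example (not LightDM or pam-krb5 code).
# stale_krb5_caches DIR UID
#   DIR  directory holding FILE: credential caches (assumed /tmp on the
#        reporter's system)
#   UID  numeric UID of the logged-in user
# Prints, one per line and sorted, the caches that match the report:
#   - any cache with "_pam_" in its name (a temporary cache from a PAM
#     authentication that was never cleaned up), or
#   - a cache named krb5cc_<UID> or krb5cc_<UID>_* that UID does not own.
stale_krb5_caches() {
    dir=$1
    uid=$2
    # Refuse anything that is not a plain decimal UID.
    case $uid in
        ''|*[!0-9]*) echo "UID must be numeric" >&2; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

    find "$dir" -maxdepth 1 -type f \
        \( -name 'krb5cc*_pam_*' \
           -o \( \( -name "krb5cc_${uid}" -o -name "krb5cc_${uid}_*" \) \
                 ! -user "$uid" \) \
        \) -print | sort
}

# When run as a script: stale_krb5_caches.sh /tmp "$(id -u)"
if [ "$#" -eq 2 ]; then
    stale_krb5_caches "$1" "$2"
fi
```

Run it before locking and again after unlocking; a new line in the second run is a cache the unlock left behind.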
Related branches
- Robert Ancell: Approve
- PS Jenkins bot: Approve (continuous-integration)
- Diff: 667 lines (+321/-51), 9 files modified
  - src/session-child.c (+23/-0)
  - src/session.c (+16/-0)
  - tests/Makefile.am (+5/-3)
  - tests/scripts/autologin-pam.conf (+16/-3)
  - tests/scripts/login-pam.conf (+28/-7)
  - tests/scripts/switch-to-greeter-return-session-pam.conf (+102/-0)
  - tests/src/libsystem.c (+128/-37)
  - tests/test-autologin-pam (+1/-1)
  - tests/test-switch-to-greeter-return-session-pam (+2/-0)
- LightDM Development Team: Pending requested
- Diff: 667 lines (+321/-51), 9 files modified
  - src/session-child.c (+23/-0)
  - src/session.c (+16/-0)
  - tests/Makefile.am (+5/-3)
  - tests/scripts/autologin-pam.conf (+16/-3)
  - tests/scripts/login-pam.conf (+28/-7)
  - tests/scripts/switch-to-greeter-return-session-pam.conf (+102/-0)
  - tests/src/libsystem.c (+128/-37)
  - tests/test-autologin-pam (+1/-1)
  - tests/test-switch-to-greeter-return-session-pam (+2/-0)
Changed in lightdm: | |
importance: | High → Medium |
status: | Triaged → Fix Committed |
Changed in lightdm: | |
status: | Fix Committed → Fix Released |
Changed in lightdm (Ubuntu): | |
status: | Triaged → In Progress |
assignee: | nobody → Robert Ancell (robert-ancell) |
Changed in lightdm: | |
assignee: | nobody → Robert Ancell (robert-ancell) |
Changed in lightdm (Ubuntu Trusty): | |
assignee: | nobody → Robert Ancell (robert-ancell) |
importance: | Undecided → High |
status: | New → In Progress |
Changed in lightdm (Ubuntu): | |
status: | In Progress → Fix Released |
status: | Fix Released → Fix Committed |
status: | Fix Committed → In Progress |
description: | updated |
Changed in lightdm: | |
milestone: | none → 1.11.0 |
tags: | added: verification-done, removed: verification-needed |
Just a comment that I think this should probably have a fairly high priority, as it severely affects the user experience for anyone using Kerberos to authenticate via the libpam-krb5 module against Kerberos or Active Directory, which I expect is a fairly large number of people.
Please let me know what I can do to help, and I will be glad to test things.
Thanks,
Brian