Thank you, Russ, for the insightful explanation of what is happening here. I can definitely confirm that xscreensaver does indeed work on my system, as that is what I am using as a workaround to this issue. It isn't as "polished" as using the lightdm screen saver would be, but it certainly works better as far as the PAM integration is concerned. So a couple of things come to mind given all that we know so far:
1. The workaround is to use xscreensaver instead, although that is not something all users will be able to handle, especially given the lack of polish and the fact that some additional configuration in the X environment is required to get that to work. But it does indeed work, as I'm using it over here.
2. Probably more importantly, the PAM handling in light-locker appears to be very broken. This will probably affect other modules besides pam-krb5, and is a significant issue.
On Sunday, March 23, 2014 1:40 PM, Russ Allbery <email address hidden> wrote:
> So what is happening is that on the initial login, I get a valid ticket
> cache, owned by my logging-in user, and showing my UID in the file name.
> This ticket works fine. However, once I lock the screen and then unlock
> it, I get a ticket cache owned by root, with "_pam_" in the filename,
> and of course I can't use it because I am not logged in as root.
The _pam_ ticket cache is created during the authenticate step of the PAM
interaction, and is then written to the user's actual ticket cache during
either setcred or open_session. (setcred is the appropriate thing for a
screen saver to call.) It's deleted on pam_end.
This sounds like a screen saver that isn't using PAM properly. It looks
like it's starting a PAM interaction and then only calling authenticate,
never calling setcred, and never ending the PAM interaction, so it leaks a
root-owned ticket cache and never renews your cache.
There used to be widespread problems of this sort due to the number of
people writing screen savers who didn't really understand how PAM worked,
but I thought most of them had been fixed.
You can confirm that it's a problem with this program rather than with
your system configuration by running xscreensaver, locking the screen,
unlocking with your Kerberos password, and seeing if that properly
refreshes your credentials. I know that xscreensaver does PAM properly.
Title:
light-locker fails to properly renew kerberos tickets with pam-krb5
Status in “light-locker” package in Ubuntu:
New
Status in “lightdm” package in Ubuntu:
New
Bug description:
I am using the pam-krb5 module to log into a Kerberos realm using
lightdm. This works the initial time I log in, when I come in through
lightdm. However, once I am logged in, and I lock the screen using
light-locker, when I unlock the screen I no longer get renewed
tickets.
The problem seems to be this:
-rw------- 1 me me 504 Mar 23 08:37 krb5cc_1000_sjkfhagfg
-rw------- 1 root root 504 Mar 23 08:38 krb5cc_pam_lsdkjhfsdk
So what is happening is that on the initial login, I get a valid
ticket cache, owned by my logging-in user, and showing my UID in the
file name. This ticket works fine. However, once I lock the screen
and then unlock it, I get a ticket cache owned by root, with "_pam_"
in the filename, and of course I can't use it because I am not logged
in as root.
This problem did not occur in 12.04 LTS, probably because it did not
use light-locker. The pam-krb5 module works in all other cases in my
installations, so I do not believe this is any kind of problem with
the pam_krb5 module.
Thanks,
Brian
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: light-locker 1.2.1-0ubuntu1
ProcVersionSignature: Ubuntu 3.13.0-18.38-generic 3.13.6
Uname: Linux 3.13.0-18-generic x86_64
ApportVersion: 2.13.3-0ubuntu1
Architecture: amd64
Date: Sun Mar 23 08:40:38 2014
InstallationDate: Installed on 2014-03-22 (0 days ago)
InstallationMedia: Ubuntu-Server 14.04 LTS "Trusty Tahr" - Alpha amd64 (20140320)
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: light-locker
UpgradeStatus: No upgrade log present (probably fresh install)
-- 
Russ Allbery (<email address hidden>) <http://www.eyrie.org/~eagle/>
-- 
https://bugs.launchpad.net/bugs/1296276
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/light-locker/+bug/1296276/+subscriptions
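The script below is an added example written for this page; it is not code from the bug report, light-locker or pam-krb5. It turns Russ's diagnosis into two checks an administrator can run after unlocking the screen: confirm that the cache named by KRB5CCNAME is owned by the logged-in user rather than root, and count leftover krb5cc_pam_* temporary caches, which pam-krb5 creates during authenticate and deletes on pam_end, so a non-zero count points at a PAM client that never finished its transaction. It assumes Linux with GNU coreutils (stat -c) and caches kept in /tmp; the script name check.sh and the directory argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not code from the bug report, light-locker or pam-krb5).
# Checks for the symptom described in the thread: a PAM client that calls
# pam_authenticate but never pam_setcred or pam_end leaves pam-krb5's temporary
# "krb5cc_pam_*" cache behind, owned by root, and never refreshes the user's
# own cache. Assumes Linux with GNU coreutils (stat -c). The cache directory is
# a parameter so the functions can be exercised against a scratch directory.

# Print the number of leftover krb5cc_pam_* caches in $1 (default /tmp); a line
# per file goes to stderr. A healthy system reports 0, because the temporary
# cache only lives between pam_authenticate and pam_end.
find_leaked_pam_caches() {
    dir="${1:-/tmp}"
    count=0
    for f in "$dir"/krb5cc_pam_*; do
        [ -e "$f" ] || continue          # the glob matched nothing
        owner=$(stat -c '%U' "$f")
        age=$(( $(date +%s) - $(stat -c '%Y' "$f") ))
        printf 'leftover temp cache: %s owner=%s age=%ss\n' "$f" "$owner" "$age" >&2
        count=$((count + 1))
    done
    echo "$count"
}

# Succeed only if the cache file $1 exists and is owned by the invoking user.
# A root-owned cache is the "can't use it because I am not root" case above.
cache_owned_by_me() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%u' "$1")" = "$(id -u)" ]
}

# Run after an unlock, e.g.: KRB5CCNAME=/tmp/krb5cc_1000_xxxx ./check.sh
main() {
    cache="${KRB5CCNAME#FILE:}"          # strip a FILE: prefix if present
    if [ -n "$cache" ] && cache_owned_by_me "$cache"; then
        echo "OK: $cache is owned by uid $(id -u)"
    else
        echo "WARN: KRB5CCNAME (${KRB5CCNAME:-unset}) is not a cache owned by uid $(id -u)"
    fi
    n=$(find_leaked_pam_caches /tmp)
    echo "leftover krb5cc_pam_* caches in /tmp: $n"
}

# Only run main when executed as check.sh, so the functions can be sourced.
case "${0##*/}" in
    check.sh) main ;;
esac
```

Run it once right after logging in (both checks should pass), then again after a lock/unlock cycle; with a locker that behaves as described in the thread, the second run reports a leftover root-owned krb5cc_pam_* cache and, depending on what the locker left in KRB5CCNAME, a cache the user cannot read.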