This problem affects us, and is quite severe: Kerberized NFS cannot work reliably and securely with lxdm unless it is fixed. Because the Kerberos cache is discarded, users cannot reliably get access to Kerberos-protected home directories. The retain_after_close workaround almost entirely bypasses Kerberos/NFS security: once someone has logged in once, Kerberos permissions associated with their userid remain for a long time (until their TGT expires) even after logout.
lxdm calls lxdm_auth_clean_for_child between fork() (to make a new process for the session) and exec of Xsession. Calling pam_end here somehow calls the close_session code in pam_krb5.so, which destroys the Kerberos ticket cache.
I don't know enough about PAM to be sure whether it's improper to call pam_end here, or whether pam_krb5 is too eager to destroy the cache. Pragmatically, though, removing that pam_end call makes lxdm usable.
This problem affects us, and is quite severe: Kerberized NFS cannot work reliably and securely with lxdm unless it is fixed. Because the Kerberos cache is discarded, users cannot reliably get access to Kerberos-protected home directories. The retain_after_close workaround almost entirely bypasses Kerberos/NFS security: once someone has logged in once, Kerberos permissions associated with their userid remain for a long time (until their TGT expires) even after logout.
Fortunately I think I've also found a fix:
diff -cr ../lxdm- 0.5.3-orig/ src/pam. c ./src/pam.c 0.5.3-orig/ src/pam. c 2015-07-31 08:21:09.000000000 -0400
*** ../lxdm-
--- ./src/pam.c 2017-09-08 18:29:46.000000000 -0400
***************
*** 397,403 ****
--- 397,405 ----
int lxdm_auth_ clean_for_ child(LXDM_ AUTH *a) end(a-> handle, 0);
{
+ #if NOTDEF /*** teach.cs ***/
pam_
+ #endif /*** teach.cs ***/
return 0;
}
lxdm calls lxdm_auth_ clean_for_ child between fork() (to make a new process for the session) and exec of Xsession. Calling pam_end here somehow calls the close_session code in pam_krb5.so, which destroys the Kerberos ticket cache.
I don't know enough about PAM to be sure whether it's improper to call pam_end here, or whether pam_krb5 is too eager to destroy the cache. Pragmatically, though, removing that pam_end call makes lxdm usable.