Comment 5 for bug 937602

This problem affects us, and is quite severe: Kerberized NFS cannot work reliably and securely with lxdm unless it is fixed. Because the Kerberos cache is discarded, users cannot reliably get access to Kerberos-protected home directories. The retain_after_close workaround almost entirely bypasses Kerberos/NFS security: once someone has logged in once, Kerberos permissions associated with their userid remain for a long time (until their TGT expires) even after logout.

Fortunately I think I've also found a fix:

diff -cr ../lxdm-0.5.3-orig/src/pam.c ./src/pam.c
*** ../lxdm-0.5.3-orig/src/pam.c 2015-07-31 08:21:09.000000000 -0400
--- ./src/pam.c 2017-09-08 18:29:46.000000000 -0400
***************
*** 397,403 ****
--- 397,405 ----

  int lxdm_auth_clean_for_child(LXDM_AUTH *a)
  {
+ #if NOTDEF /*** teach.cs ***/
   pam_end(a->handle,0);
+ #endif /*** teach.cs ***/
   return 0;
  }

lxdm calls lxdm_auth_clean_for_child between fork() (to make a new process for the session) and exec of Xsession. Calling pam_end here somehow calls the close_session code in pam_krb5.so, which destroys the Kerberos ticket cache.

I don't know enough about PAM to be sure whether it's improper to call pam_end here, or whether pam_krb5 is too eager to destroy the cache. Pragmatically, though, removing that pam_end call makes lxdm usable.