Comment 22 for bug 794112

On 1 Jul 2012, at 17:14, Dominic Gross wrote:

>> The kernel posted by Chris allows (with console login) the user to unlock the
>> screensaver
> Well, this seems to fix the original bug reported here. Which is that
> nobody can log in using LDAP / Kerberos once a ticket of one signed in
> user expired.

yes it is.

>> but applications, such as web browsers, remain stuck and the session has to
>> be restarted in order to work properly.
> This looks like the intended behavior to me. The user's Kerberos Ticket
> expires some time after log in. At that point the applications can no
> longer access the user's NFS home directory and the applications get
> stuck or crash. Once a user enters his / her password again a new ticket
> is granted and the user can log into the session / access the home
> directory again. However, in my experience few applications fully
> recover from not being able to access the home directory for a longer
> time.

It wasn't the behaviour before rpc.gssd returned EKEYEXPIRED. The filesystem was fully accessible to the users' apps even if they got stuck for days … It seems correct to me that the filesystem remains inaccessible until the user unlocks the screensaver … for obvious security reasons (implementing an auto refresh, just like you said, seems to me like a security breach). However, it would be nice to have a way to get the former behaviour, which allows the user to get back his session without relogging and, at the same time, doesn't give system access to the user FS even when the user has gone away.

> So, it seems to me, that in order to fix this remaining issue one needs
> to set up something to automatically renew Kerberos Tickets. This can be
> implemented either via a cronjob or packages like kstart or sssd.

Christophe Ségui
Institut de Mathématiques de Toulouse
Université de Toulouse - CNRS
118 Route de Narbonne
31062 Toulouse Cedex 09

Tel: (+33) 5 61 55 63 78
<email address hidden>