[OpenAFS] Changes for Mosaic's AFS cell...
Douglas E. Engert
deengert@anl.gov
Thu, 06 Apr 2006 14:06:22 -0500
Does you pam_krb5 have a refresh_creds option? That could be used with
the xcreensaver, to reuse the cache pointed at by the KRB5CCNAME.
Russ Allbery wrote:
> Derrick J Brashear <shadow@dementia.org> writes:
>
>>On Thu, 6 Apr 2006, Rodney M Dyer wrote:
>
>
>>>On Linux the xscreensaver runs as the user but appears to be started by
>>>init. When the screen is locked, then unlocked, the PAM module
>>>generates a new Kerberos 5 ticket, but doesn't use the correct ticket
>>>cache. It seems to always create a new ticket cache. Curious as to
>>>why this was happening, we killed xscreensaver and set the KRB5CCNAME
>>>variable, then restarted xscreensaver thinking it would then use the
>>>correct KRB5CCNAME, but again, it generated a new ticket cache. At
>>>this point xlock and screensaver is just broken. Note: I'm a Windows
>>>guy, so I'm getting all this from our Linux sysadmin.
>
>
>>That doesn't sound quite right. Anyway, why would a pam module worth
>>anything honor the environment it was invoked with?
>
>
>>Mine certainly didn't.
>
>
> xscreensaver is running as a subprocess and can't change the environment
> of the rest of your programs, so picking a new KRB5CCNAME just means that
> it strands the ticket cache somewhere nothing is looking at it. Exporting
> the variable via PAM's environment extensions doesn't help since the
> environment is still only inherited by child processes.
>
> When invoked in refresh creds mode (and only then), a Kerberos PAM module
> needs to honor the existing KRB5CCNAME setting and reinitialize the ticket
> cache the user already has.
>
> This is something that a lot of PAM modules appear to get wrong.
> libpam-krb5 in Debian should work correctly (and does for me with
> xscreensaver, but I invoke it via my own .xsession, so I don't know for
> sure if it will still work correctly if invoked via X startup scripts
> through xdm or the like).
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444