[OpenAFS] Ubuntu 10.04 Login Issues

Stephan Wiesand stephan.wiesand@desy.de
Wed, 22 Dec 2010 19:57:19 +0100


Hi,

On Dec 22, 2010, at 18:40 , Thomas Calderon wrote:

> Hi,
>
> We are also using Ubuntu 10.04 paired with AFS home dirs and I am
> facing a hard problem with Gnome. Opening and closing sessions work
> flawlessly, but when users lock their workstation at night, they can't
> unlock it the following morning. Of course their TGT and AFS tokens
> expire overnight, which is the main cause of the problem.

From my experience, it will cause other problems as well. For example,
with firefox. The best approach is to prevent the ticket/token from
expiring while the user is logged in.

> I read in the discussion that a GCONF_LOCAL_LOCKS variable might
> exist, which sounded promising but has no effect nowadays.

Well, I mentioned that it probably no longer has ;-)

> The problem only occurs with Gnome, KDE is fine. I spent many hours
> trying to debug this issue.
>
> The issue is reproducible for me using this approach:
>   running gnome-screensaver in debug
>   renew TGT with 10 seconds lifetime and lock
>   wait 15 minutes -> the GUI is frozen
>   killing in console gives back the GUI and I can renew TGT in a
>   terminal
>
> ex:
>   cd /tmp
>   apt-get source gnome-screensaver
>   cd gnome-screensaver-xxx/src/
>   sh debug-screensaver.sh (can be tuned to send log to /tmp/xxx.log)
>   kinit -l 10 xxx@MYREALM.COM
>
>
> Any of you could point me in a direction on how to solve this? I
> might end up using xlock or xscreensaver, but I'd prefer to stay close
> to the "default" environment.

I have no experience with Ubuntu (yet). RHEL (at least 5, 6) comes with
something called krb5-auth-dialog that's started with the user's session
and will renew the ticket while that's possible. For EL6, we hacked it
so that it will run aklog right after and hence get a fresh token as
well. (On EL5, we haven't observed the problem you describe, and I'm not
even sure it exists on EL6 - we did this to avoid problems with other
software - like firefox).

If krb5-auth-dialog comes with Ubuntu, it may even be sufficiently
recent that it doesn't have to be modified to care for AFS tokens.
Recent versions come with a plugin system, and there's a plugin to do
just that. Unfortunately, that version can't be built on EL6 - that's
already too old...

Regards,
	Stephan

--
Stephan Wiesand
DESY -DV-
Platanenallee 6
15738 Zeuthen, Germany
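
The renew-then-aklog behaviour described in the reply above, written out as a session-side shell loop. This is an added example, not part of the original message and not krb5-auth-dialog's code. It assumes MIT Kerberos `klist -s` and `kinit -R`, OpenAFS `aklog`, and a TGT that was obtained as renewable; the function names and the `*_CMD` variables are made up for the example.

```shell
#!/bin/sh
# Added example: keep the TGT and the AFS token fresh while a user is logged in.
# The *_CMD variables are hypothetical hooks so the logic can be exercised
# without a KDC; by default the real tools are called.
KLIST_CMD=${KLIST_CMD:-klist}
KINIT_CMD=${KINIT_CMD:-kinit}
AKLOG_CMD=${AKLOG_CMD:-aklog}

# renew_once: renew the TGT, then derive a new AFS token from it.
# Returns 0 on success, 1 if there is no valid ticket left,
# 2 if the KDC refuses the renewal, 3 if aklog fails.
renew_once() {
    # klist -s prints nothing; its exit status says whether a valid TGT exists.
    $KLIST_CMD -s || return 1
    # kinit -R renews the cached TGT without a password. It fails once the
    # renewable lifetime is used up or if the ticket was not renewable.
    $KINIT_CMD -R || return 2
    # The old AFS token keeps its original expiry, so fetch a new one.
    $AKLOG_CMD || return 3
    return 0
}

# renew_loop INTERVAL [MAX_ROUNDS]: run renew_once every INTERVAL seconds.
# INTERVAL must be shorter than the ticket lifetime. The loop stops at the
# first failure and returns that code, so the caller can ask the user for a
# password before the screen locker meets an expired token.
# MAX_ROUNDS=0 (the default) means run until a renewal fails.
renew_loop() {
    interval=$1
    max=${2:-0}
    rounds=0
    while :; do
        renew_once || return $?
        rounds=$((rounds + 1))
        if [ "$max" -gt 0 ] && [ "$rounds" -ge "$max" ]; then
            return 0
        fi
        sleep "$interval"
    done
}

# Typical use from a session startup script (runs until renewal fails):
#   renew_loop 3600 &
```

Once `renew_loop` returns 2 the renewable lifetime is over, and only a fresh `kinit` with the password followed by `aklog` restores access.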