[Bug 215665] New: pam_krb5 called via KDM cannot delete ticket on logout
https://bugzilla.novell.com/show_bug.cgi?id=215665

           Summary: pam_krb5 called via KDM cannot delete ticket on logout
           Product: openSUSE 10.2
           Version: Beta 1
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Critical
          Priority: P5 - None
         Component: KDE
        AssignedTo: kde-maintainers@suse.de
        ReportedBy: mc@novell.com
         QAContact: qa@suse.de

When I log in with KDM via pam_krb5 a ticket is created. When I close the KDE session, pam_krb5 tries to remove the ticket but fails.

ct 27 14:31:52 mctest kdm: :0[10307]: pam_krb5[10307]: error removing ccache file '/tmp/krb5cc_1002_UcvtFB'
Oct 27 14:31:52 mctest kdm: :0[10307]: pam_krb5[10307]: error removing ccache file '/tmp/krb5cc_1002_UcvtFB'

This does not happen when I log in on the console or ssh (GDM not tested).

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=215665

coolo@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
      Info Provider|                            |mc@novell.com

------- Comment #1 from coolo@novell.com 2006-10-31 07:41 MST -------
well, what is the problem for krb5 noobs?

FYI: http://websvn.kde.org/?rev=595239&view=rev is supposed to fix credentials handling

https://bugzilla.novell.com/show_bug.cgi?id=215665

mc@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
      Info Provider|mc@novell.com               |

------- Comment #2 from mc@novell.com 2006-10-31 07:47 MST -------
Could it be that kdm calls "pam session open" with a different user than "pam session close"? I think we had something like this in the past.

https://bugzilla.novell.com/show_bug.cgi?id=215665

------- Comment #3 from mc@novell.com 2006-10-31 08:06 MST -------
Some more information:

On login pam_opensession is called successfully and a ticket was created:

Oct 31 15:50:05 mctest kdm: :0[3520]: pam_krb5[3520]: created v5 ccache '/tmp/krb5cc_1002_gft6Wf' for 'ugansert'
Oct 31 15:50:05 mctest kdm: :0[3520]: pam_krb5[3520]: pam_open_session returning 0 (Success)

After this it seems that KDM calls an additional pam_setcred:

Oct 31 15:50:06 mctest kdm: :0[15226]: pam_unix2(xdm:setcred): pam_sm_setcred() called
[...]

With such a call the old ticket was deleted and a new one is created:

Oct 31 15:50:06 mctest kdm: :0[15226]: pam_krb5[15226]: removing ccache file '/tmp/krb5cc_1002_gft6Wf'
Oct 31 15:50:06 mctest kdm: :0[15226]: pam_krb5[15226]: created v5 ccache '/tmp/krb5cc_1002_EDraSp' for 'ugansert'
Oct 31 15:50:06 mctest kdm: :0[15226]: pam_krb5[15226]: pam_open_session returning 0 (Success)

On logout pam_session tries to delete the first created ticket which is still removed.

Oct 31 15:50:55 mctest kdm: :0[3520]: pam_krb5[3520]: removing ccache file '/tmp/krb5cc_1002_gft6Wf'
Oct 31 15:50:55 mctest kdm: :0[3520]: pam_krb5[3520]: error removing ccache file '/tmp/krb5cc_1002_gft6Wf'

https://bugzilla.novell.com/show_bug.cgi?id=215665

------- Comment #4 from mc@novell.com 2006-10-31 08:20 MST -------
Ahh, you can see the problem in the logs above:

pam_open_session and pam_close_session are running with pid 3520, which is the "root" process. The "setcred" call is executed with a different pid.

pam_krb5 exchanges the cache filename with some internal magic. If the child process changes a value the parent does not see this.

The solution: run pam_open_session and pam_close_session in the user environment.
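
The failure mode described in comment #4, as an added illustration that is not part of the bug report and is not pam_krb5 or KDM code: a parent records a cache file path, a forked child replaces the file and updates only its own copy of the path, and the parent's later cleanup fails while the child's file is left behind. All names (`ccache_path`, `new_ccache`, `simulate_session`, the `/tmp/demo_krb5cc_` prefix) are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for a module's per-process record of its ccache. */
static char ccache_path[64];

static int new_ccache(void)
{
    strcpy(ccache_path, "/tmp/demo_krb5cc_XXXXXX");
    int fd = mkstemp(ccache_path);
    return fd < 0 ? -1 : close(fd);
}

/* Returns the errno of the parent's unlink() at "session close" (0 on
 * success, -1 on setup failure). *leaked is 1 if the child's file survives.
 * The pipe exists only so this demo can observe the child's file. */
int simulate_session(int *leaked)
{
    int pfd[2];
    char child_path[64] = "";
    if (new_ccache() != 0 || pipe(pfd) != 0) return -1; /* "open session" */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: "setcred" */
        unlink(ccache_path);              /* removes the parent's file */
        if (new_ccache() != 0) _exit(1);  /* updates only the child's copy */
        if (write(pfd[1], ccache_path, strlen(ccache_path) + 1) < 0) _exit(1);
        _exit(0);
    }
    close(pfd[1]);
    if (read(pfd[0], child_path, sizeof child_path - 1) < 0) child_path[0] = '\0';
    close(pfd[0]);
    waitpid(pid, NULL, 0);
    int err = (unlink(ccache_path) == 0) ? 0 : errno; /* "close session": stale path */
    *leaked = child_path[0] != '\0' && access(child_path, F_OK) == 0;
    if (*leaked) unlink(child_path);      /* demo cleanup */
    return err;
}

int main(void)
{
    int leaked = 0, err = simulate_session(&leaked);
    printf("parent unlink errno=%d, child's ccache left behind=%d\n", err, leaked);
    return 0;
}
```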

https://bugzilla.novell.com/show_bug.cgi?id=215665

mc@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

------- Comment #5 from mc@novell.com 2006-10-31 10:27 MST -------
Seems to be fixed in post Beta1. Close bug as fixed.