[Bug 750290] New: cannot unlock xscreensaver from a kerberos authenticated XFCE session
https://bugzilla.novell.com/show_bug.cgi?id=750290

https://bugzilla.novell.com/show_bug.cgi?id=750290#c0

           Summary: cannot unlock xscreensaver from a kerberos authenticated
                    XFCE session
    Classification: openSUSE
           Product: openSUSE 12.1
           Version: Final
          Platform: i586
        OS/Version: openSUSE 12.1
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Xfce
        AssignedTo: bnc-team-xfce@forge.provo.novell.com
        ReportedBy: lynn@steve-ss.com
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1022.0 Safari/535.19 SUSE/18.0.1022.0

A Kerberos authenticated user in an XFCE session cannot unlock the screensaver by entering his password after the screen has locked. Under KDE, the same user can unlock the screensaver just fine.

Reproducible: Always

Steps to Reproduce:
1. Log in to xfce session
2. Wait for screensaver to lock the session
3. Touch keyboard or move mouse
4. Enter Kerberos password

Actual Results:
Authentication failed

Expected Results:
The screensaver is unlocked and we are returned to the session

/etc/pam.d/common-auth

    auth required pam_env.so
    auth optional pam_gnome_keyring.so
    auth sufficient pam_unix2.so
    auth sufficient pam_krb5.so use_first_pass debug
    auth required pam_deny.so

Here is a user steve5 logging in (his /home folder is on an nfs4 mount):

    Feb 5 11:03:55 hh3 kdm: :0[9701]: pam_krb5[9701]: minimum uid: 1
    Feb 5 11:03:55 hh3 kdm: :0[9701]: pam_krb5[9701]: banner: Kerberos 5
    Feb 5 11:03:55 hh3 kdm: :0[9701]: pam_krb5[9701]: ccache dir: /tmp
    Feb 5 11:03:55 hh3 kdm: :0[9701]: pam_krb5[9701]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
    Feb 5 11:03:55 hh3 kdm: :0[9701]: pam_krb5[9701]: keytab: FILE:/etc/krb5.keytab
    Feb 5 11:03:55 hh3 kdm: :0[9701]: pam_krb5[9701]: token strategy: v4,524,2b,rxk5
    Feb 5 11:03:55 hh3 kdm: :0[9701]: pam_krb5[9701]: pam_authenticate called for 'steve5', realm 'HH3.SITE'
    Feb 5 11:03:55 hh3 kdm: :0[9701]: pam_krb5[9701]: authenticating 'steve5@HH3.SITE'
    Feb 5 11:03:55 hh3 kdm: :0[9701]: pam_krb5[9701]: trying previously-entered password for 'steve5', allowing libkrb5 to prompt for more
    Feb 5 11:03:57 hh3 kdm: :0[9701]: pam_krb5[9701]: krb5_get_init_creds_password(krbtgt/HH3.SITE@HH3.SITE) returned 0 (Success)
    Feb 5 11:03:57 hh3 kdm: :0[9701]: pam_krb5[9701]: validating credentials
    Feb 5 11:03:57 hh3 kdm: :0[9701]: pam_krb5[9701]: TGT verified using key for 'nfs/hh3.hh3.site@HH3.SITE'
    Feb 5 11:03:57 hh3 kdm: :0[9701]: pam_krb5[9701]: got result 0 (Success)
    Feb 5 11:03:57 hh3 kdm: :0[9740]: pam_krb5[9740]: saving v5 credentials to 'MEMORY:_pam_krb5_tmp_s_steve5@HH3.SITE-0' for internal use
    Feb 5 11:03:57 hh3 kdm: :0[9740]: pam_krb5[9740]: copied credentials from "MEMORY:_pam_krb5_tmp_s_steve5@HH3.SITE-0" to "FILE:/tmp/krb5cc_3000021_B3F14U" for the user, destroying "MEMORY:_pam_krb5_tmp_s_steve5@HH3.SITE-0"
    Feb 5 11:03:57 hh3 kdm: :0[9740]: pam_krb5[9740]: created v5 ccache 'FILE:/tmp/krb5cc_3000021_k7VClV' for 'steve5'
    Feb 5 11:03:57 hh3 kdm: :0[9701]: pam_krb5[9701]: 'steve5@HH3.SITE' passes .k5login check for 'steve5'
    Feb 5 11:03:57 hh3 kdm: :0[9701]: pam_krb5[9701]: authentication succeeds for 'steve5' (steve5@HH3.SITE)
    Feb 5 11:03:57 hh3 kdm: :0[9701]: pam_krb5[9701]: pam_authenticate returning 0 (Success)

He gets authenticated against Kerberos and the session starts fine.

But then upon trying to unlock xscreensaver:

    Feb 5 11:05:14 hh3 unix2_chkpwd[10107]: Illegal service name 'xscreensaver'

/etc/pam.d/xscreensaver contains:

    auth include common-auth
    account include common-account
    password include common-password
    session include common-session

/etc/krb5.conf

    [libdefaults]
        default_realm = HH3.SITE
        dns_lookup_realm = false
        dns_lookup_kdc = true
        clockskew = 300

    [domain_realm]
        .hh3.site = HH3.SITE

    [realms]
        HH3.SITE = {
            kdc = 192.168.1.3
            default_domain = hh3.site
            admin_server = 192.168.1.3
        }

    [appdefaults]
        pam = {
            ticket_lifetime = 1d
            renew_lifetime = 1d
            forwardable = true
            proxiable = false
            minimum_uid = 1
            clockskew = 300
            external = sshd
            use_shmem = sshd
        }

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=750290
https://bugzilla.novell.com/show_bug.cgi?id=750290#c1
Guido Berhörster