Bug#383889: Can't get gnome-screensaver to work with pam_krb5

Jacques Normand jnormand at nerim.net
Thu Jan 25 02:30:12 CET 2007


Severity: Serious

There is an update posted to debian-user. After discussion with people
there, I have opened a bug report upstream (bug #400455). It was also
mentioned that sarge did not use gnome-screensaver but xscreensaver
(contrary to what I wrote), which is right. 

I am also going to upgrade the severity of that bug to serious and make
it release-critical. It does break something which used to work for
sarge and is likely to upset a lot of people if released as is. It
basically makes the whole desktop unusable if you are using pam_krb5
(which includes AD domains, I guess).

jacques

----- Forwarded message from Jacques Normand <jnormand at nerim.net> -----

Date: Wed, 24 Jan 2007 16:48:49 -0600
From: Jacques Normand <jnormand at nerim.net>
Subject: Can't get gnome-screensaver to work with pam_krb5
To: debian-user at lists.debian.org

Hi everybody, 

I have a nasty issue with gnome-screensaver. I cannot have it work
properly with kerberos (mit krb5). The version in sarge worked without
problems but it has been broken for quite some time in testing. 

The same configuration reports broken passwords all the time (which is
what I reported on bug #383889). On the other hand, if I disable the
verify_ap_req_nofail option in krb5.conf, then I see the passwords as
accepted, ... but the screen-saver does not quit.

This verify_ap_req_nofail option controls the behavior when the keytab
is not found. The machine I am testing on has a valid keytab so this
option should not change anything. That makes me think of a bad setup of
the environment.

For information:
/etc/pam.d/common-auth
auth    sufficient      pam_unix.so nullok_secure
auth    required        pam_krb5.so debug use_first_pass

/etc/krb5.conf (slightly edited):
[libdefaults]
        default_realm = XXXX
# The following krb5.conf variables are only for MIT Kerberos.
        default_tgs_enctypes = des3-hmac-sha1
        default_tkt_enctypes = des3-hmac-sha1
        permitted_enctypes = des3-hmac-sha1
        kdc_timesync = 1
        ccache_type = 4
        renew_lifetime=7d
        forwardable = true
        proxiable = true


[logging]
        kdc = SYSLOG:ERR:LOCAL5
        admin_server = SYSLOG:ERR:LOCAL5
        default = SYSLOG

[realms]
XXXXXXXX = {
        kdc = XXXXX
        admin_server = XXXXX
}

[domain_realm]
        .....

[appdefaults]
        forwardable = true
        pam = {
            minimum_uid=1000
        }

And the logs show:
/var/log/debug
...
Jan 24 16:15:08 neelix gnome-screensaver-dialog: (pam_krb5): none: pam_sm_authenticate: entry (0x0)
Jan 24 16:15:08 neelix gnome-screensaver-dialog: (pam_krb5): jacques: pam_sm_authenticate: exit (success)
...

If someone has any ideas, I am all for it. 

thanks

jacques



----- End forwarded message -----