Bug#383889: Can't get gnome-screensaver to work with pam_krb5
Jacques Normand
jnormand at nerim.net
Thu Jan 25 02:30:12 CET 2007
Severity: Serious
There is an update posted to debian-user. After discussion with people
there, I have opened a bug report upstream (bug #400455). It was also
mentionned that sarge did not use gnome-screensaver but xscreensaver
(contrary to what I wrote), which is right.
I am also going to upgrade the severity of that bug to serious and make
it release-critical. It does break something which used to work for
sarge and is likely to upset a lot of people if released as is. It
basically make the while desktop unusable if you are using pam_krb5
(which inludes AD domains, I guess).
jacques
----- Forwarded message from Jacques Normand <jnormand at nerim.net> -----
Date: Wed, 24 Jan 2007 16:48:49 -0600
From: Jacques Normand <jnormand at nerim.net>
Subject: Can't get gnome-screensaver to work with pam_krb5
To: debian-user at lists.debian.org
Hi everybody,
I have a nasty issue with gnome-screensaver. I cannot have it work
properly with kerberos (mit krb5). The version in sarge worked wiithout
problems but it has been broken for quite some time in testing.
The same configuration reports broken passwords all the time (which is
what I reported on bug #383889. On the other hand, if I disable the
verify_ap_req_nofail option in krb5.conf, then I see the passwords as
accepted, ... but the screen-saver do not quit.
This verify_ap_req_nofail option controls the behavior when the keytab
is not found. The machine I am testing on has a valid keytab so this
option should not change anything. That makes me think of a bad setup of
the environment.
For information:
/etc/pam.d/common-auth
auth sufficient pam_unix.so nullok_secure
auth required pam_krb5.so debug use_first_pass
/etc/krb5.conf (slightly edited):
[libdefaults]
default_realm = XXXX
# The following krb5.conf variables are only for MIT Kerberos.
default_tgs_enctypes = des3-hmac-sha1
default_tkt_enctypes = des3-hmac-sha1
permitted_enctypes = des3-hmac-sha1
kdc_timesync = 1
ccache_type = 4
renew_lifetime=7d
forwardable = true
proxiable = true
[logging]
kdc = SYSLOG:ERR:LOCAL5
admin_server = SYSLOG:ERR:LOCAL5
default = SYSLOG
[realms]
XXXXXXXX = {
kdc = XXXXX
admin_server = XXXXX
}
[domain_realm]
.....
[appdefaults]
forwardable = true
pam = {
minimum_uid=1000
}
And the logs show:
/var/log/debug
...
Jan 24 16:15:08 neelix gnome-screensaver-dialog: (pam_krb5): none: pam_sm_authenticate: entry (0x0)
Jan 24 16:15:08 neelix gnome-screensaver-dialog: (pam_krb5): jacques: pam_sm_authenticate: exit (success)
...
If someone has any ideas, I am all for it.
thanks
jacques
----- End forwarded message -----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20070124/5894e855/attachment.pgp
More information about the Pkg-gnome-maintainers
mailing list