Bug#867311: gdm3: gnome unlock screen doesn't refresh kerberos ticket (via PAM)

John Hughes john at calva.com
Wed Jul 5 16:13:54 UTC 2017


Package: gdm3
Version: 3.22.3-3
Severity: normal

Dear Maintainer,

   * What led up to the situation?

We use Kerberos (and NFSv4) and GNOME.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

Locked my screen (or let my screen autolock), left the desk for a few
hours, then came back and unlocked it.

   * What was the outcome of this action?

My Kerberos ticket was not updated.

   * What outcome did you expect instead?

The Kerberos ticket to be updated, like it used to be in Jessie.

Putting on a bit of debugging info by adding:

	[appdefaults]
		pam = {
			debug = true
		}

to /etc/krb5.conf

I see that PAM appears to be updating the wrong ticket cache.

Jul  5 18:00:56 celtic gdm-password]: pam_krb5(gdm-password:account): pam_sm_acct_mgmt: entry
Jul  5 18:00:56 celtic gdm-password]: pam_krb5(gdm-password:account): (user john) retrieving principal from cache
Jul  5 18:00:56 celtic gdm-password]: pam_krb5(gdm-password:account): pam_sm_acct_mgmt: exit (success)
Jul  5 18:00:56 celtic gdm-password]: pam_krb5(gdm-password:setcred): pam_sm_setcred: entry (reinit)
Jul  5 18:00:56 celtic gdm-password]: pam_krb5(gdm-password:setcred): (user john) refreshing ticket cache /tmp/krb5cc_0
Jul  5 18:00:56 celtic gdm-password]: pam_krb5(gdm-password:setcred): pam_sm_setcred: exit (success)

If I look in /tmp/krb5cc_0 I do indeed see that I have a new ticket.  The problem being that that's not my ticket cache.

If, instead of locking the screen, I switch "virtual terminals" then it seems to do the right thing:

Jul  5 17:57:07 celtic gdm-password]: pam_krb5(gdm-password:auth): (user john) attempting authentication as john at CALVAEDI.COM
Jul  5 17:57:07 celtic gdm-password]: pam_krb5(gdm-password:auth): user john authenticated as john at CALVAEDI.COM
Jul  5 17:57:07 celtic gdm-password]: pam_krb5(gdm-password:auth): (user john) temporarily storing credentials in /tmp/krb5cc_pam_foCdYY
Jul  5 17:57:07 celtic gdm-password]: pam_krb5(gdm-password:auth): pam_sm_authenticate: exit (success)
Jul  5 17:57:07 celtic gdm-password]: gkr-pam: unlocked login keyring
Jul  5 17:57:07 celtic gdm-password]: pam_krb5(gdm-password:account): pam_sm_acct_mgmt: entry
Jul  5 17:57:07 celtic gdm-password]: pam_krb5(gdm-password:account): (user john) retrieving principal from cache
Jul  5 17:57:07 celtic gdm-password]: pam_krb5(gdm-password:account): pam_sm_acct_mgmt: exit (success)
Jul  5 17:57:07 celtic gdm-password]: pam_krb5(gdm-password:setcred): pam_sm_setcred: entry (reinit)
Jul  5 17:57:07 celtic gdm-password]: pam_krb5(gdm-password:setcred): (user john) refreshing ticket cache /tmp/krb5cc_1001_M6avll
Jul  5 17:57:07 celtic gdm-password]: pam_krb5(gdm-password:setcred): pam_sm_setcred: exit (success)


-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gdm3 depends on:
ii  accountsservice                       0.6.43-1
ii  adduser                               3.115
ii  dconf-cli                             0.26.0-2+b1
ii  dconf-gsettings-backend               0.26.0-2+b1
ii  debconf [debconf-2.0]                 1.5.61
ii  gir1.2-gdm-1.0                        3.22.3-3
ii  gnome-session [x-session-manager]     3.22.3-1
ii  gnome-session-bin                     3.22.3-1
ii  gnome-settings-daemon                 3.22.2-2
ii  gnome-shell                           3.22.3-3
ii  gnome-terminal [x-terminal-emulator]  3.22.2-1
ii  gsettings-desktop-schemas             3.22.0-1
ii  libaccountsservice0                   0.6.43-1
ii  libaudit1                             1:2.6.7-2
ii  libc6                                 2.24-11+deb9u1
ii  libcanberra-gtk3-0                    0.30-3
ii  libcanberra0                          0.30-3
ii  libgdk-pixbuf2.0-0                    2.36.5-2
ii  libgdm1                               3.22.3-3
ii  libglib2.0-0                          2.50.3-2
ii  libglib2.0-bin                        2.50.3-2
ii  libgtk-3-0                            3.22.11-1
ii  libkeyutils1                          1.5.9-9
ii  libpam-modules                        1.1.8-3.6
ii  libpam-runtime                        1.1.8-3.6
ii  libpam-systemd                        232-25
ii  libpam0g                              1.1.8-3.6
ii  librsvg2-common                       2.40.16-1+b1
ii  libselinux1                           2.6-3+b1
ii  libsystemd0                           232-25
ii  libwrap0                              7.6.q-26
ii  libx11-6                              2:1.6.4-3
ii  libxau6                               1:1.0.8-1
ii  libxcb1                               1.12-1
ii  libxdmcp6                             1:1.1.2-3
ii  lsb-base                              9.20161125
ii  metacity [x-window-manager]           1:3.22.1-1
ii  mutter [x-window-manager]             3.22.3-2
ii  policykit-1                           0.105-18
ii  ucf                                   3.0036
ii  x11-common                            1:7.7+19
ii  x11-xserver-utils                     7.7+7+b1
ii  xterm [x-terminal-emulator]           327-2

Versions of packages gdm3 recommends:
ii  at-spi2-core    2.22.0-6
ii  desktop-base    9.0.2
ii  x11-xkb-utils   7.7+3+b1
ii  xserver-xephyr  2:1.19.2-1
ii  xserver-xorg    1:7.7+19
ii  zenity          3.22.0-1+b1

Versions of packages gdm3 suggests:
ii  gnome-orca            3.22.2-3
ii  libpam-gnome-keyring  3.20.0-3

-- debconf information:
  gdm3/daemon_name: /usr/sbin/gdm3
* shared/default-x-display-manager: gdm3
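
Added example, not part of the original report or of gdm3/pam_krb5: a log check that flags the symptom shown above, a pam_krb5 setcred refresh written to a ticket cache whose name carries a different uid than the authenticating user's. The function name and the uid lookup are illustrative; uid 1001 for john is an assumption inferred from the cache name /tmp/krb5cc_1001_M6avll in the report.

```python
import re

# pam_krb5 debug line emitted during setcred, in the format shown in the report.
REFRESH = re.compile(
    r"pam_krb5\((?P<service>[^:)]+):setcred\): "
    r"\(user (?P<user>\S+)\) refreshing ticket cache (?P<cache>\S+)"
)
# FILE caches in the report are named krb5cc_<uid> or krb5cc_<uid>_<random>.
CACHE_UID = re.compile(r"krb5cc_(?P<uid>\d+)(?:_|$)")


def find_misdirected_refreshes(lines, uid_of):
    """Return (user, cache, cache_uid, expected_uid) for every refresh that
    went to a cache named for a uid other than the authenticating user's.

    uid_of maps a user name to its numeric uid; on a live host this could be
    lambda u: pwd.getpwnam(u).pw_uid. Caches without a uid in the name are
    skipped because ownership cannot be judged from the log line alone.
    """
    findings = []
    for line in lines:
        m = REFRESH.search(line)
        if not m:
            continue
        user, cache = m.group("user"), m.group("cache")
        u = CACHE_UID.search(cache.rsplit("/", 1)[-1])
        if u is None:
            continue
        cache_uid, expected = int(u.group("uid")), uid_of(user)
        if cache_uid != expected:
            findings.append((user, cache, cache_uid, expected))
    return findings


# Log lines copied from the report: screen unlock first, then VT switch.
SAMPLE = [
    "Jul  5 18:00:56 celtic gdm-password]: pam_krb5(gdm-password:setcred): pam_sm_setcred: entry (reinit)",
    "Jul  5 18:00:56 celtic gdm-password]: pam_krb5(gdm-password:setcred): (user john) refreshing ticket cache /tmp/krb5cc_0",
    "Jul  5 17:57:07 celtic gdm-password]: pam_krb5(gdm-password:auth): (user john) temporarily storing credentials in /tmp/krb5cc_pam_foCdYY",
    "Jul  5 17:57:07 celtic gdm-password]: pam_krb5(gdm-password:setcred): (user john) refreshing ticket cache /tmp/krb5cc_1001_M6avll",
]
UIDS = {"john": 1001}  # assumed uid, inferred from the cache name in the report

if __name__ == "__main__":
    for user, cache, got, want in find_misdirected_refreshes(SAMPLE, UIDS.__getitem__):
        print(f"user {user} (uid {want}) refreshed into {cache} (uid {got})")
```

Only the unlock-screen refresh into /tmp/krb5cc_0 is reported; the virtual-terminal case, which lands in the user's own cache, passes.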


