Re: xdm and pam_krb5 issues
You might want to take this discussion to the proper mailing lists. I am not
the only X maintainer, and if I was dead 5 minutes ago no one was going to
dig into my inbox.
On Wed, 19 May 2004, Chip Coldwell wrote:
> I'm having problems using libpam-heimdal (Kerberos v5) with xdm under
> Debian (Sarge). I've tracked down the problem precisely, and I am
> proposing a specific fix; this isn't a cry for help.
> The symptom is the following. If the file
> contains the line
> auth sufficient pam_krb5.so debug
> at the top, the function "pam_setcred" is called twice by xdm, first
> in the function Verify at about line 500 in the file
> then again in the function StartClient at about line 596 in the file
> What happens is that the function pam_sm_setcred in
> libpam-heimdal-1.0/pam_krb5_auth.c checks to see if a Kerberos
> credentials cache already exists, and if it does the function fails.
> Since it is called twice, the credentials cache is created by the
> first call, then the second call causes pam_sm_setcred to fail, and
> with it the login fails.
> It turns out that this behavior (checking for the existence of a
> credentials cache in pam_sm_setcred and failing if it exists) is added
> by a Debian patch, namely the last hunk of "destroy-ticket.patch" that
> comes with libpam-heimdal. If I build libpam-heimdal without this
> hunk, then everything works fine. In addition, after logging in with
> xdm, the credentials cache contains the TGT and host tickets I expect.
> So we should either remove this hunk from libpam-heimdal so that it
> doesn't care if the ccache exists already, or xdm should not call
> pam_setcred twice (once for authentication and once for session).
<user> fajita: step one
<fajita> Whatever the problem, step one is always to look in the error log.
<user> fajita: step two
<fajita> When in danger or in doubt, step two is to scream and shout.
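As an added illustration of the sequence Chip describes (this is not code from xdm, libpam-heimdal or the Debian patch, and is not part of either message above), here is a small C simulation: a login path that calls setcred twice, once from Verify and once from StartClient, run against a module that refuses when a credentials cache already exists and against an idempotent one. Both proposed fixes are represented: dropping the existence check, or having the caller invoke setcred only once. The return codes, struct and function names are invented for the simulation; nothing here links against libpam or Kerberos, and the ccache is modelled as a flag.

```c
/* Simulation of the double pam_setcred() call discussed in the thread.
   Added example, not code from xdm, libpam-heimdal or the Debian patch.
   No real PAM or Kerberos calls: the ccache is modelled as a boolean. */
#include <stdbool.h>
#include <stdio.h>

/* Return codes modelled on PAM's; the numeric values are assumptions. */
#define SIM_PAM_SUCCESS  0
#define SIM_PAM_CRED_ERR 17

/* Simulated per-login state: does a ccache already exist, and how many
   times has setcred been invoked for this login? */
typedef struct {
    bool ccache_exists;
    int  setcred_calls;
} sim_session;

/* Variant A: the behaviour the thread attributes to the Debian hunk.
   Establishing credentials fails if a ccache is already present. */
static int setcred_refuse_if_exists(sim_session *s)
{
    s->setcred_calls++;
    if (s->ccache_exists)
        return SIM_PAM_CRED_ERR;
    s->ccache_exists = true;
    return SIM_PAM_SUCCESS;
}

/* Variant B: idempotent. An existing ccache is simply reused, so a
   second setcred call is harmless. */
static int setcred_idempotent(sim_session *s)
{
    s->setcred_calls++;
    s->ccache_exists = true;
    return SIM_PAM_SUCCESS;
}

/* Model of the display manager's login path. With ncalls == 2 it mirrors
   xdm calling setcred in Verify() and again in StartClient(); with
   ncalls == 1 it mirrors the alternative fix of calling setcred once.
   Returns 1 if the login would proceed and 0 if it would fail. */
static int simulate_login(int (*setcred)(sim_session *), int ncalls,
                          sim_session *s)
{
    s->ccache_exists = false;
    s->setcred_calls = 0;
    for (int i = 0; i < ncalls; i++) {
        if (setcred(s) != SIM_PAM_SUCCESS)
            return 0;   /* login fails at this call */
    }
    return 1;
}

int main(void)
{
    sim_session s;
    printf("refuse-if-exists, 2 calls: login %s after %d setcred call(s)\n",
           simulate_login(setcred_refuse_if_exists, 2, &s) ? "succeeds" : "fails",
           s.setcred_calls);
    printf("idempotent,       2 calls: login %s after %d setcred call(s)\n",
           simulate_login(setcred_idempotent, 2, &s) ? "succeeds" : "fails",
           s.setcred_calls);
    printf("refuse-if-exists, 1 call:  login %s after %d setcred call(s)\n",
           simulate_login(setcred_refuse_if_exists, 1, &s) ? "succeeds" : "fails",
           s.setcred_calls);
    return 0;
}
```

The first run reproduces the failure in the thread: the first call creates the ccache and the second is rejected because it already exists. The other two runs show that either fix on its own restores a working login, which is why the thread frames the choice as one or the other.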