
Re: xdm and pam_krb5 issues



You might want to take this discussion to the proper mailing lists. I am not
the only X maintainer and if I was dead 5 minutes ago no one was going to
dig into my inbox.

Thanks
Fabio

On Wed, 19 May 2004, Chip Coldwell wrote:

> Hi,
>
> I'm having problems using libpam-heimdal (Kerberos v5) with xdm under
> Debian (Sarge).  I've tracked down the problem precisely, and I am
> proposing a specific fix; this isn't a cry for help.
>
> The symptom is the following.  If the file
>
> /etc/pam.d/xdm
>
> contains the line
>
> auth sufficient pam_krb5.so debug
>
> at the top, the function "pam_setcred" is called twice by xdm, first
> in the function Verify at about line 500 in the file
>
> xc/programs/xdm/greeter/verify.c
>
> then again in the function StartClient at about line 596 in the file
>
> xc/programs/xdm/session.c
>
> What happens is that the function pam_sm_setcred in
> libpam-heimdal-1.0/pam_krb5_auth.c checks to see if a Kerberos
> credentials cache already exists, and if it does the function fails.
> Since it is called twice, the credentials cache is created by the
> first call, then the second call causes pam_sm_setcred to fail, and
> with it the login fails.
>
> It turns out that this behavior (checking for the existence of a
> credentials cache in pam_sm_setcred and failing if it exists) is added
> by a Debian patch, namely the last hunk of "destroy-ticket.patch" that
> comes with libpam-heimdal.  If I build libpam-heimdal without this
> hunk, then everything works fine.  In addition, after logging in with
> xdm, the credentials cache contains the TGT and host tickets I expect.
>
> So we should either remove this hunk from libpam-heimdal so that it
> doesn't care if the ccache exists already, or xdm should not call
> pam_setcred twice (once for authentication and once for session).
>
> Chip
>
>

-- 
<user> fajita: step one
<fajita> Whatever the problem, step one is always to look in the error log.
<user> fajita: step two
<fajita> When in danger or in doubt, step two is to scream and shout.


