Hi everybody,
I have a nasty issue with gnome-screensaver. I cannot have it work
properly with kerberos (mit krb5). The version in sarge worked wiithout
problems but it has been broken for quite some time in testing.
The same configuration reports broken passwords all the time (which is
what I reported on bug #383889. On the other hand, if I disable the
verify_ap_req_nofail option in krb5.conf, then I see the passwords as
accepted, ... but the screen-saver do not quit.
This verify_ap_req_nofail option controls the behavior when the keytab
is not found. The machine I am testing on has a valid keytab so this
option should not change anything. That makes me think of a bad setup of
the environment.
For information:
/etc/pam.d/common-auth
auth sufficient pam_unix.so nullok_secure
auth required pam_krb5.so debug use_first_pass
/etc/krb5.conf (slightly edited):
[libdefaults]
default_realm = XXXX
# The following krb5.conf variables are only for MIT Kerberos.
default_tgs_enctypes = des3-hmac-sha1
default_tkt_enctypes = des3-hmac-sha1
permitted_enctypes = des3-hmac-sha1
kdc_timesync = 1
ccache_type = 4
renew_lifetime=7d
forwardable = true
proxiable = true
[logging]
kdc = SYSLOG:ERR:LOCAL5
admin_server = SYSLOG:ERR:LOCAL5
default = SYSLOG
[realms]
XXXXXXXX = {
kdc = XXXXX
admin_server = XXXXX
}
[domain_realm]
.....
[appdefaults]
forwardable = true
pam = {
minimum_uid=1000
}
And the logs show:
/var/log/debug
...
Jan 24 16:15:08 neelix gnome-screensaver-dialog: (pam_krb5): none: pam_sm_authenticate: entry (0x0)
Jan 24 16:15:08 neelix gnome-screensaver-dialog: (pam_krb5): jacques: pam_sm_authenticate: exit (success)
...
If someone has any ideas, I am all for it.
thanks
jacques
Attachment:
signature.asc
Description: Digital signature