[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

xdm and pam_krb5 issues


I'm having problems using libpam-heimdal (Kerberos v5) with xdm under
Debian (Sarge).  I've tracked down the problem precisely, and I am
proposing a specific fix; this isn't a cry for help.

The symptom is the following.  If the file


contains the line

auth sufficient pam_krb5.so debug

at the top, the function "pam_setcred" is called twice by xdm, first
in the function Verify at about line 500 in the file


then again in the function StartClient at about line 596 in the file


What happens is that the function pam_sm_setcred in
libpam-heimdal-1.0/pam_krb5_auth.c checks to see if a Kerberos
credentials cache already exists, and if it does the function fails.
Since it is called twice, the credentials cache is created by the
first call, then the second call causes pam_sm_setcred to fail, and
with it the login fails.

It turns out that this behavior (checking for the existence of a
credentials cache in pam_sm_setcred and failing if it exists) is added
by a Debian patch, namely the last hunk of "destroy-ticket.patch" that
comes with libpam-heimdal.  If I build libpam-heimdal without this
hunk, then everything works fine.  In addition, after logging in with
xdm, the credentials cache contains the TGT and host tickets I expect.

So we should either remove this hunk from libpam-heimdal so that it
doesn't care if the ccache exists already, or xdm should not call
pam_setcred twice (once for authentication and once for session).


Charles M. "Chip" Coldwell
System Administrator
Harvard Physics Department

Reply to: