| Summary: | kerberos credental caches no longer reset correctly on screen unlock | ||
|---|---|---|---|
| Product: | [Plasma] kscreenlocker | Reporter: | Mark Davies <mark> |
| Component: | greeter | Assignee: | Plasma Bugs List <plasma-bugs> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | bhush94, kde, nate |
| Priority: | NOR | Keywords: | regression |
| Version: | 5.25.1 | ||
| Target Milestone: | --- | ||
| Platform: | Arch Linux | ||
| OS: | Linux | ||
| Latest Commit: | https://invent.kde.org/plasma/kscreenlocker/commit/c5d4169898535ed2fdea6f89f207f7f44e63b850 | Version Fixed In: | 5.26 |
| Sentry Crash Report: | |||
| Attachments: | fix for not calling pam_setcred() | ||
Thanks for the patch! Can you please submit it at https://invent.kde.org/plasma/kscreenlocker/-/merge_requests/? A possibly relevant merge request was started @ https://invent.kde.org/plasma/kscreenlocker/-/merge_requests/95 Git commit c5d4169898535ed2fdea6f89f207f7f44e63b850 by Nate Graham, on behalf of Mattias Jernberg. Committed on 06/09/2022 at 14:51. Pushed by ngraham into branch 'master'. Refresh pam credentials when authenticating This is necessary to make pam_krb5 update your kerberos credential cache. M +2 -0 greeter/pamauthenticator.cpp https://invent.kde.org/plasma/kscreenlocker/commit/c5d4169898535ed2fdea6f89f207f7f44e63b850 |
Created attachment 150934 [details] fix for not calling pam_setcred() SUMMARY Since kscreenlocker_greet did the PAM handling internally rather than calling kcheckpass the kerberos credential cache no longer gets reset correctly on unlock. STEPS TO REPRODUCE 1. Use kerberos for authentication 2. lock and unlock the screen OBSERVED RESULT /tmp/krb5cc_<uid>_<random> is not touched /tmp/krb5cc_pam_<random> appears EXPECTED RESULT /tmp/krb5cc_<uid>_<random> is replaced by contents of /tmp/krb5cc_pam_<random> ADDITIONAL INFORMATION kcheckpass called pam_setcred() on successful authentication, but kscreenlocker_greet does not. patch to fix is attached.