kscreenlocker unlock does not work in combination with pam_krb5

Relevant lines from the journal (sensitive information redacted):

Feb 07 18:07:42 $HOSTNAME kscreenlocker_greet[40929]: pam_krb5(kde:auth): (user $USER) attempting authentication as USER@REALM
Feb 07 18:07:42 $HOSTNAME kscreenlocker_greet[40929]: pam_krb5(kde:auth): (user $USER) credential verification failed: Permission denied
Feb 07 18:07:42 $HOSTNAME kscreenlocker_greet[40929]: pam_krb5(kde:auth): authentication failure; logname=$USER uid=XXXX euid=XXXX tty= ruser= rhost=
Feb 07 18:07:42 $HOSTNAME kscreenlocker_greet[40929]: pam_krb5(kde:auth): pam_sm_authenticate: exit (failure)
Feb 07 18:07:42 $HOSTNAME kscreenlocker_greet[40929]: pam_unix(kde:auth): authentication failure; logname= uid=XXXX euid=10236 tty= ruser= rhost= user=$USER
Feb 07 18:07:45 $HOSTNAME kscreenlocker_greet[40929]: pam_krb5(kde:auth): pam_sm_authenticate: entry

Our pam common-auth:

auth sufficient pam_krb5.so minimum_uid=10000 debug
auth required pam_unix.so try_first_pass nullok_secure

Note that user homes are on NFS4 with sec=krb5p.

I assume this behaviour was introduced by:
https://invent.kde.org/plasma/kscreenlocker/-/commit/132adacf3d01fc4adf8a873e0debc3adb17972ec
"Cleanup kcheckpass"
setuid root kcheckpass was removed. How is that supposed to work now?

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: 5.27.10-0ubuntu1~ubuntu22.04~ppa1
KDE Plasma Version: 5.27.10
Thanks for the bug report, and I'm sorry we were not able to get to it yet! A lot has changed since it was reported; can you check and see if it still happens on Plasma 6.3.4 or later, and presumably the KF5 version of the PAM configuration pieces? Thanks a lot!
Updating the status here, pending an update from the reporter - thanks!
Ok, I set up a test machine with Ubuntu 24.04 and Neon repositories, currently running plasma-desktop 4:6.3.5-0zneon+24.04+noble+release+build29. Behaviour and error messages are the same. Can you point me to the location of "KF5 version of the PAM configuration pieces"?
> Ubuntu 24.04 and Neon repositories
This is a franken-distro; when you glue pieces together like that, you're bound to run into ten thousand weird random-seeming issues. Please test with an actual distro that has packagers who did integration work on it. Thanks!
🐛🧹 ⚠️ This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information, then set the bug status to REPORTED. If there is no change for at least 30 days, it will be automatically closed as RESOLVED WORKSFORME. For more information about our bug triaging procedures, please read https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging. Thank you for helping us make KDE software even better for everyone!
Checked today with Ubuntu 25.04:
ii libkscreenlocker6:amd64 6.3.4-0ubuntu1
I get the same line:
Jun 12 13:57:58 $HOSTNAME kscreenlocker_greet[3201]: pam_krb5(kde:auth): (user $USER) credential verification failed: Permission denied
There's no indication this is a KDE bug rather than a local packaging error. It's impossible to know what the issue might be given the state your system is in.
At what point did I indicate that I just reused the old system? This is a rather rude insinuation, and I don't understand your tone. Of course I set up a completely new system, with sources only from Ubuntu 25.04. That was the purpose of the exercise. Can you demonstrate that pam_krb5 is working? It did work pre 5.27.10, and does not work now. I could understand "WONTFIX", if you deem it not important to support other pam modules than pam_unix, but "NOT A BUG" is clearly not.

Let me cite the manpage (https://manpages.ubuntu.com/manpages/trusty/man5/pam_krb5.5.html):

"After doing the initial authentication, the Kerberos PAM module will attempt to obtain tickets for a key in the local system keytab and then verify those tickets. Unless this step is performed, the authentication is vulnerable to KDC spoofing, but it requires that the system have a local key and that the PAM module be running as a user that can read the keytab file (normally /etc/krb5.keytab). You can point the Kerberos PAM module at a different keytab with the keytab option. If that keytab cannot be read or if no keys are found in it, the default (potentially insecure) behavior is to skip this check. If you want to instead fail authentication if the obtained tickets cannot be checked, set "verify_ap_req_nofail" to true in the [libdefaults] section of /etc/krb5.conf. Note that this will affect applications other than this PAM module."

You dropped the setuid binary, so this is a regression.
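Added example, not part of any comment in this report: a shell check of the two conditions the quoted man page describes, meant to be run as the desktop user that kscreenlocker_greet runs as. The function names are hypothetical, the default paths are the ones the man page names, and the accepted boolean spellings are assumed to follow MIT krb5.

```shell
#!/bin/sh
# Added diagnostic sketch; not code from kscreenlocker or pam_krb5.
# It does not inspect the keytab contents ("no keys found" is not covered).

# keytab_readable FILE: succeeds if the calling user can read FILE.
keytab_readable() {
    [ -r "$1" ]
}

# verify_nofail_set FILE: succeeds if verify_ap_req_nofail is true inside
# the [libdefaults] section of FILE. Simplification: the last occurrence
# in that section wins. Boolean spellings are an assumption (MIT krb5).
verify_nofail_set() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { in_ld = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_ld && /^[ \t]*verify_ap_req_nofail[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)             # drop "key ="
            sub(/[ \t]+$/, "", v)                   # drop trailing blanks
            v = tolower(v)
            found = (v ~ /^(true|yes|on|1|y|t)$/)
        }
        END { exit (found ? 0 : 1) }
    ' "$1" 2>/dev/null
}

# classify KEYTAB KRB5CONF: prints what the man page says happens to the
# KDC-spoofing check for the calling user.
#   verified: keytab readable, tickets can be checked against a local key
#   fail:     keytab unreadable and verify_ap_req_nofail is true
#   skipped:  keytab unreadable, check skipped (the insecure default)
classify() {
    if keytab_readable "$1"; then
        echo "verified"
    elif verify_nofail_set "$2"; then
        echo "fail"
    else
        echo "skipped"
    fi
}

# Stand-alone run: report on the system files (override via environment).
classify "${KEYTAB:-/etc/krb5.keytab}" "${KRB5_CONF:-/etc/krb5.conf}"
```

Running it once as the desktop user and once as root shows whether the locker sees the keytab differently from a privileged PAM client.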
(In reply to Pierre from comment #8)
> Of course I set up a completely new system, with sources only from Ubuntu
> 25.04. That was the purpose of the exercise.
So that we can understand the software running on your system now, can you please provide the output of `kinfo`? Thanks.
Of course:
$ kinfo
Operating System: Ubuntu 25.04
KDE Plasma Version: 6.3.4
KDE Frameworks Version: 6.12.0
Qt Version: 6.8.3
Kernel Version: 6.14.0-29-generic (64-bit)
Graphics Platform: X11
Processors: 8 × Intel® Core™ i3-10100 CPU @ 3.60GHz
Memory: 15.5 GiB of RAM
Graphics Processor: Intel® UHD Graphics 630
Thanks for the system details, and for confirming earlier that this is an Ubuntu system with Ubuntu sources. From my reading of it, dropping pam_krb5 sounds like an issue with how Ubuntu packages things, but I'll defer to those more knowledgeable about this.