NetBSD Problem Report #37923

From jukka+moray@salmi.ch  Wed Jan 30 13:52:21 2008
Return-Path: <jukka+moray@salmi.ch>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id B150263B853
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 30 Jan 2008 13:52:21 +0000 (UTC)
Message-Id: <20080130135218.5DD9A1A4B6@moray.salmi.ch>
Date: Wed, 30 Jan 2008 14:52:18 +0100 (CET)
From: j+nbsd@2008.salmi.ch
Reply-To: j+nbsd@2008.salmi.ch
To: gnats-bugs@gnats.NetBSD.org
Subject: krb5 ccache unlinked when using xdm and pam
X-Send-Pr-Version: 3.95

>Number:         37923
>Category:       misc
>Synopsis:       krb5 ccache unlinked when using xdm and pam
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    misc-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jan 30 13:55:00 +0000 2008
>Last-Modified:  Wed Jan 30 14:40:07 +0000 2008
>Originator:     Jukka Salmi
>Release:        NetBSD 4.99.50
>Organization:
>Environment:
System: NetBSD moray.salmi.ch 4.99.50 NetBSD 4.99.50 (GENERIC.NOACPI) #0: Mon Jan 28 06:08:03 CET 2008 build@moray.salmi.ch:/b/build/nbsd/c/i386/sys/arch/i386/compile/GENERIC.NOACPI i386
Architecture: i386
Machine: i386
>Description:
When using Kerberos V authentication with PAM, logging in using xdm(1)
succeeds, but for some strange reason the credentials cache file is
unlinked during login, leaving you without a TGT.
However, logging in using login(1) also succeeds, but the credentials
cache is _not_ unlinked (as expected), preserving your recently acquired
TGT.

>How-To-Repeat:
On a system using krb5 authentication, log in using login(1) and run
klist(1) to see your TGT. Then log out, and log in using xdm(1), run
klist(1) and wonder why it prints

	klist: No ticket file: /tmp/krb5cc_1000

or similar. And indeed there will be no credentials cache file.

>Fix:

>Audit-Trail:
From: Jukka Salmi <j+nbsd@2008.salmi.ch>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: misc/37923: krb5 ccache unlinked when using xdm and pam
Date: Wed, 30 Jan 2008 15:37:42 +0100

 After installing a libpam built with DEBUG defined and passing the
 `debug' option to pam_krb5.so, logging in using login(1) results in
 [1]this log, and using xdm(1) in [2]this log. After adding some
 [3]additional printfs to pam_krb5.so, the logs look like [4]this for
 login(1) and like [5]this for xdm(1).

 I don't understand why the chown(2) in pam_sm_setcred() (pam_krb5.c
 rev. 1.21, line 565) fails if run by xdm(1).


 [1] http://salmi.ch/~jukka/nbsd/pam_krb5/login
 [2] http://salmi.ch/~jukka/nbsd/pam_krb5/xdm
 [3] http://salmi.ch/~jukka/nbsd/pam_krb5/pam_krb5_debug.diff
 [4] http://salmi.ch/~jukka/nbsd/pam_krb5/login.patched
 [5] http://salmi.ch/~jukka/nbsd/pam_krb5/xdm.patched

 -- 
 It's an odd coincidence that all the men whose skulls have been opened
 had a brain.

 	Ludwig Wittgenstein
