Bug 146198

Summary: leaves files in /tmp from expired kerberos tickets
Product: [Fedora] Fedora
Component: dovecot
Version: 3
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Reporter: John Dennis <jdennis>
Assignee: John Dennis <jdennis>
CC: jval, notting, tss, wtogami
Doc Type: Bug Fix
Last Closed: 2005-07-22 15:56:35 UTC
Bug Blocks: 171119

Description John Dennis 2005-01-25 22:15:19 UTC
Dovecot is littering /tmp with files from expired kerberos tickets.
It fails to properly close out the kerberos session, or at least that's
the theory. We had the same problem with UW imap and applied a fix for
that, we probably need to pull in a similar patch for dovecot.

Comment 1 John Dennis 2005-01-25 22:19:41 UTC
Notting believes the fix in uw imap was calling
pam_setcred(hdl, PAM_DELETE_CRED) after the pam auth succeeded. I'll
investigate and see if this is in our latest version. We did just do an
update to 0.99.13, not sure what's running on devserv.

Comment 2 John Dennis 2005-02-02 22:16:36 UTC
Bill: I built a new version of dovecot that hopefully fixes the
kerberos ticket problem. It's checked into "devel" and here is a binary
I built on my own FC3 box, I don't want to build in rawhide yet. Do
you want to test it?

ftp://people.redhat.com/jdennis/dovecot-0.99.13-4.devel.i386.rpm

I did some minimal testing with pam and it seems to work fine, but pam
on my test system is not using kerberos so it's not a sufficient test.

After having a discussion with Nalin it was suggested that dovecot not
call PAM_ESTABLISH_CRED in the first place, he thought this was a
better fix than trying to locate all the places to call
PAM_DELETE_CRED. The reasoning is fully explained in
dovecot-pam-setcred.patch, in essence there is no need to create the
on-disk copy of the ticket with PAM_ESTABLISH_CRED if the session is
not held open and pam_end is immediately called after validating the
login, which is what dovecot does.

Comment 3 Bill Nottingham 2005-02-02 22:37:43 UTC
Currently testing on the server here (had to do a local build). Seems
to solve the issue.

Comment 6 Jarkko 2005-11-01 22:09:25 UTC
Was the new build ok? If yes, please release it because I'm having this problem
here...

Comment 7 John Dennis 2005-11-01 22:25:50 UTC
The FC4 dovecot rpm has the fix.

Comment 8 Jarkko 2005-11-01 22:41:22 UTC
And apparently FC3 updates-testing too. Just upgraded dovecot to it. Seems to
work ok. Problem solved.
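
A check an administrator could run to confirm on a mail server that logins no longer leave credential caches behind, as an added example that is not part of the original bug report or of dovecot: it lists cache files in a directory whose modification time is older than the longest ticket lifetime. The `krb5cc_` file name prefix (the MIT Kerberos default for file caches), the 24-hour threshold and the sample files are assumptions; the report itself only says the files are in /tmp.

```python
import os
import stat
import tempfile
import time
from collections import Counter

# Assumption: caches use the default MIT Kerberos naming, krb5cc_<uid>[_suffix].
CCACHE_PREFIX = "krb5cc_"
# Assumption: no ticket on this host lives longer than 24 hours, so an older
# file modification time means the cache can only hold expired tickets.
MAX_TICKET_AGE = 24 * 3600


def find_stale_ccaches(directory, max_age=MAX_TICKET_AGE, now=None):
    """Return sorted (path, uid, age_seconds) for cache files older than max_age."""
    now = time.time() if now is None else now
    stale = []
    for entry in os.scandir(directory):
        st = entry.stat(follow_symlinks=False)  # lstat: never follow links in /tmp
        if not entry.name.startswith(CCACHE_PREFIX) or not stat.S_ISREG(st.st_mode):
            continue
        age = now - st.st_mtime
        if age > max_age:
            stale.append((entry.path, st.st_uid, int(age)))
    return sorted(stale)


def stale_count_by_uid(stale):
    """Many stale caches for one uid point at a service that never deletes them."""
    return Counter(uid for _path, uid, _age in stale)


def demo():
    """Run the scan over constructed placeholder files in a scratch directory."""
    now = time.time()
    samples = (("krb5cc_500_aaaaaa", 3 * 86400), ("krb5cc_500_bbbbbb", 2 * 86400),
               ("krb5cc_500_cccccc", 600), ("unrelated.tmp", 9 * 86400))
    with tempfile.TemporaryDirectory() as tmp:
        for name, age in samples:
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed placeholder, not a real cache")
            os.utime(path, (now - age, now - age))  # backdate the file
        stale = find_stale_ccaches(tmp, now=now)
        return [os.path.basename(p) for p, _u, _a in stale], stale_count_by_uid(stale)


if __name__ == "__main__":
    print(demo())
```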