Bug 187341
| Summary: | gnome-screensaver unlock dialog fails to renew kerberos credentials | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Colin.Simpson | ||||
| Component: | gnome-screensaver | Assignee: | Ray Strode [halfline] <rstrode> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 5 | CC: | b1r63r, caillon, jmccann, nalin | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2007-11-15 02:56:01 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 182226 | ||||||
| Attachments: |
|
||||||
|
Description
Colin.Simpson
2006-03-30 09:13:29 UTC
Are you using xscreensaver, or gnome-screensaver? You can tell the difference because gnome-screensaver doesn't present a vertical indicator showing how much time you have before your attempt to unlock the screen will fail due to a timeout. Looks like gnome-screensaver. Hmm, that's pretty easy to fix. Reassigning to gnome-screensaver component. Ray, I'll attach a more minimal patch than the one I'd suggested before. Created attachment 127090 [details]
patch to add "KRB5CCNAME" and "KRBTKFILE" to the list of allowed environment variables
Thanks Nalin. Adding to FC5 update tracker, so we can get this fix in an fc5 update. Colin, would you mind filing a separate report about the TGT renewel dialog not working? The component to file against is "krb5-auth-dialog". Hi Colin, I'm going to push Nalin's patch into -updates-testing, would you mind testing that it works? If it does, I'll push it into -updates soon after. Let me know when the patch is ready and I'll test. Seperate bug report filed about krb5-auth-diag problem. Thanks Hi Colin, What bug number is the other report? Bug report for krb5-auth-diag problem is 187485. And let me know which patches I need to apply in update testing for this bug. Thanks I can confirm that gnome-screensaver-2.14.0-3 from Rawhide fixes this (and bug 333411 that I had reported upstream). Thanks. Installing this RPM on FC5 fixes this problem for me too. I have fc5 installed with gnome-screensaver 2.14.1-1.fc5.1, and I still have some problems with renewal of kerberos tickets. After entering my password, the screen unlocks, and I still have an expired ticket. Usually, I have immediately entered my password in the krb5-auth-dialog that has been waiting on my screen, and usually I have had to do this twice (it pops up again after a few seconds and my ticket is still expired) before I had a new ticket. Today I just logged in, checked that my ticket was expired, and then started searching bugzilla without using the auth dialog. When I rechecked my ticket while writing this, it had suddenly been updated. Are these tools somehow renewing the ticket asynchronously? From what I saw today it seems like it takes at least a minute from I unlock until I have a valid ticket. I'll have to expire my ticket and try again... We log in using kerberos authentication (with AD as kerberos server), and cifs-mounted home directory. For now, kerberos support in cifs vfs doesn't work, so we use password authentication for the home dir. As soon as cifs works with kerberos we'll want to use that so we can enable password-less ssh between internal systems and still get the home directory mounted. When this happens I assume it will also be vital that the kerberos key gets updated as soon as the user unlocks. In fact, it may even be neccesary to have some process (either the screensaver or krb5-auth-dialog) automatically renew the ticket until the 'renew until' time is reached without asking for password. The problem you describe sounds like it might be that gnome-screensaver is renewing the Kerberos ticket but auth-dialog is undoing it's good work. I reported it in bug report 187485 (is anyone looking at that one). You could try doing a klist after unlocking the screen but not touching auth-diag and see if the ticket gets renewed. hi birger, can you please check with comment #14, whether you are facing same issue or as mention in comment. Thanks FYI: Adding you to CC in bug I have changed to a new employer, so I don't use kerberos at the moment. I have no easy way to check this. Sorry I can't be of much help on this bug anymore. I think the original problem is correct, so i'll close the bug. |