Red Hat Bugzilla – Bug 146198
leaves files in /tmp from expired kerberos tickets
Last modified: 2014-01-21 17:51:14 EST
Dovecot is littering /tmp with files from expired kerberos tickets.
It fails to properly close out the kerberos session, or at least that's
the theory. We had the same problem with UW imap and applied a fix for
that, we probably need to pull in a similar patch for dovecot.
Notting believes the fix in uw imap was calling pam_setcred
(hdl,PAM_DELETE_CRED) after the pam auth succeeded. I'll investigate
and see if this is in our latest version. We did just do an update to
0.99.13, not sure what's running on devserv.
Bill: I built a new version of dovecot that hopefully fixes the
kerberos ticket problem. It's checked into "devel" and here is a binary
I built on my own FC3 box, I don't want to build in rawhide yet. Do
you want to test it?
I did some minimal testing with pam and it seems to work fine, but pam
on my test system is not using kerberos so it's not a sufficient test.
After having a discussion with Nalin it was suggested that dovecot not
call PAM_ESTABLISH_CRED in the first place, he thought this was a
better fix than trying to locate all the places to call
PAM_DELETE_CRED. The reasoning is fully explained in
dovecot-pam-setcred.patch, in essence there is no need to create the
on-disk copy of the ticket with PAM_ESTABLISH_CRED if the session is
not held open and pam_end is immediately called after validating the
login, which is what dovecot does.
Currently testing on the server here (had to do a local build). Seems
to solve the issue.
Was the new build ok? If yes, please release it because I'm having this problem.
The FC4 dovecot rpm has the fix.
And apparently FC3 updates-testing too. Just upgraded dovecot to it. Seems to
work ok. Problem solved.
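
A check for the symptom reported in this bug, added here as an example (it is not part of the original thread or of dovecot): it lists credential cache files left behind in a directory such as /tmp and counts them per owner. It assumes the MIT Kerberos / pam_krb5 `krb5cc_*` file naming and a 1440-minute age threshold; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a directory for leftover Kerberos credential caches.
# Assumption: cache files follow the "krb5cc_*" naming used by MIT Kerberos
# and pam_krb5. Uses find's -maxdepth/-mmin (GNU and BSD find).

# Print krb5cc_* regular files directly under DIR whose mtime is more than
# MAX_AGE_MIN minutes old, one path per line, sorted.
stale_ccaches() {
    dir=$1
    max_age_min=$2
    find "$dir" -maxdepth 1 -type f -name 'krb5cc_*' \
        -mmin +"$max_age_min" 2>/dev/null | sort
}

# Print how many stale caches exist (0 when there are none).
count_stale() {
    stale_ccaches "$1" "$2" | wc -l | tr -d ' '
}

# Print "UID COUNT" per owning uid, so a mail server that leaks one cache
# per login shows up as a large count for the affected users.
stale_by_owner() {
    stale_ccaches "$1" "$2" | while IFS= read -r f; do
        ls -ln "$f" | awk '{print $3}'   # field 3 of ls -ln is the numeric uid
    done | sort -n | uniq -c | awk '{print $2 " " $1}'
}

# Stand-alone use: sh audit.sh /tmp [max_age_minutes]
if [ -n "${1:-}" ]; then
    stale_by_owner "$1" "${2:-1440}"
fi
```

A count that keeps growing between runs for users who only access mail indicates the service is still establishing credentials it never deletes.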