Red Hat Bugzilla – Bug 168958
pam_krb5 do not refresh TGT
Last modified: 2010-02-12 13:55:23 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050909 Red Hat/1.0.6-1.4.2 Firefox/1.0.6
Description of problem:
There is no refresh_creds option in the pam_krb5 module.
With NFSv4 (using sys=krb5), it would be very important that software using pam_krb5 can refresh or recreate a TGT after authentication.
Right now, NFSv4 cannot be used with sys=krb5 unless you log out before the TGT expires, or you won't be able to use your NFSv4 home folder.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Use klist to see your TGT expiration date and time.
2. Use xscreensaver to lock the computer and then unlock it.
Actual Results: The TGT is not refreshed or recreated; you need to use kinit to have a new TGT.
Expected Results: The TGT should be refreshed or renewed after the authentication succeeds.
Upgrading to the latest pam_krb5-2.1.8-1 on Red Hat ES 4 resolved this issue for
us. No changes were required to any files in /etc/pam.d. Now xscreensaver renews
the TGT. This side effect of this new version is undocumented in the bug report
associated with this patch.
The screensavers I have tried (gnome-screensaver and xscreensaver (on RH4)) seem to renew the TGT. This appears to work on RH4.8, RH5.4 and also Fedora 11, whether or not the TGT has expired, which seems correct. I'd have thought any chance with a password and Kerberos should take the opportunity to renew the TGT.
However if there is no credential cache, the screensaver doesn't attempt to add one on getting a password. I'm not sure if this is the expected or desired behaviour.
We actually tracked this as a different bug (#153257) for 2.1.8, and the end result is as you noted. Marking as resolved in the current release.
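The reproduction steps in the report compare klist output by eye before and after unlocking the screen. The following added example (not part of the original bug report or of pam_krb5) does that comparison in a script and also reports the no-credential-cache case mentioned in the comments. It assumes MIT-style klist output; the function names and the sample ticket listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a screen unlock changed the TGT.
# Assumes MIT-style klist ticket lines:
#   <start date> <start time>  <expiry date> <expiry time>  <service principal>
# Real use: before=$(klist 2>/dev/null); lock and unlock the screen;
#           after=$(klist 2>/dev/null); tgt_status "$before" "$after"

# Constructed sample listings (not taken from the bug report).
SAMPLE_BEFORE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
09/22/05 09:00:00  09/22/05 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
09/22/05 09:01:12  09/22/05 19:00:00  nfs/server.example.com@EXAMPLE.COM'

SAMPLE_AFTER='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
09/22/05 14:30:00  09/23/05 00:30:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Read klist output on stdin and print "<expiry date> <expiry time>" of the
# first krbtgt ticket. Prints nothing when there is no TGT or no cache.
tgt_expiry() {
    awk '$5 ~ /^krbtgt\// { print $3, $4; exit }'
}

# Compare two saved klist outputs and print one of:
#   no-tgt     no TGT after the unlock (for example, no credential cache)
#   unchanged  the TGT expiry is the same, so nothing was refreshed
#   refreshed  the TGT expiry changed, or a TGT appeared where none existed
tgt_status() {
    before=$(printf '%s\n' "$1" | tgt_expiry)
    after=$(printf '%s\n' "$2" | tgt_expiry)
    if [ -z "$after" ]; then
        echo "no-tgt"
    elif [ "$before" = "$after" ]; then
        echo "unchanged"
    else
        echo "refreshed"
    fi
}
```

An "unchanged" result after a successful unlock corresponds to the behaviour originally reported; "refreshed" corresponds to the behaviour described for pam_krb5-2.1.8-1.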