Bug 168958 - pam_krb5 do not refresh TGT
pam_krb5 do not refresh TGT
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam_krb5 (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
Depends On:
Blocks: 153257
  Show dependency treegraph
Reported: 2005-09-21 13:29 EDT by Frederic Medery
Modified: 2010-02-12 13:55 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-02-12 13:55:23 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Frederic Medery 2005-09-21 13:29:03 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050909 Red Hat/1.0.6-1.4.2 Firefox/1.0.6

Description of problem:
Theres is no refresh_creds option in the pam_krb5 module.
With NFSv4 (using sys=krb5). It would be very important that softwares using pam_krb5 can refresh or recreate a TGT after authentification.
Right now , NFSv4 cannot be use with sys=krb5 unless you log out before TGT expired or you won't be able to use your nfsv4 home folder.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Use klist to see your TGT expiration date and time.
2. Use xscreensaver to lock the computer and then unlock it.


Actual Results:  TGT is not refresh or recreate, you need to use kinit to have a new TGT.

Expected Results:  TGT should be refresh or renew after the authentification succeed.

Additional info:
Comment 2 Colin.Simpson 2005-10-11 10:38:36 EDT
Upgrading to the latest pam_krb5-2.1.8-1 on Red Hat ES 4 resolved this issue for
us. No changes were required to any files in /etc/pam.d. Now xscreensaver renews
the TGT. This side effect of this new version is undocumented in the bug report
associated with with this patch.
Comment 3 Colin.Simpson 2009-09-07 13:09:04 EDT
The screensavers I have tried (gnome-screensaver and xscreensaver (on RH4)) seem to renew the TGT. This appears to work on RH4.8, RH5.4 and also Fedora 11. Whether or not the TGT has expired or not, which seems correct. I'd have thought any chance with a password and Kerberos should take the opportunity to renew the TGT.

However if there is no credential cache, the screensaver doesn't attempt to add one on getting a password. I'm not sure if this is the expected or desired behaviour.
Comment 4 Nalin Dahyabhai 2010-02-12 13:55:23 EST
We actually tracked this as a different bug (#153257) for 2.1.8, and the end result is as you noted.  Marking as resolved in the current release.

Note You need to log in before you can comment on or make changes to this bug.