Bug 187341 - gnome-screensaver unlock dialog fails to renew kerberos credentials
Product: Fedora
Classification: Fedora
Component: gnome-screensaver
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Ray Strode [halfline]
Blocks: FC5Update
Reported: 2006-03-30 04:13 EST by Colin Simpson
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2007-11-14 21:56:01 EST

Attachments
patch to add "KRB5CCNAME" and "KRBTKFILE" to the list of allowed environment variables (590 bytes, patch)
2006-03-30 19:46 EST, Nalin Dahyabhai

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Bugzilla 187485 None None None Never

Description Colin Simpson 2006-03-30 04:13:29 EST
Description of problem:
When a machine is locked in FC5, unlocking it no longer renews the TGT. A bug
fix in RH4 did appear to repair this functionality. 

Also, in FC5 a dialog appears asking me for new credentials; entering them,
however, does not appear to renew my TGT either, as far as klist is concerned.

A dialog does appear on the desktop 

Version-Release number of selected component (if applicable):

How reproducible:
Every time. 

Steps to Reproduce:
1. klist showing expired or about to expire TGT. Lock computer from menu
2. Unlock computer
3. klist still shows expired TGT.
Actual results:
Expired TGT in klist.

Expected results:
New TGT. Or GUI saying we need new credentials actually doing it. Both would be
best, i.e. if unlocking screen renew TGT, if however user works through TGT
expiration the dialog appearing saying renew credentials appearing at that time.

Additional info:
Comment 1 Nalin Dahyabhai 2006-03-30 08:01:11 EST
Are you using xscreensaver, or gnome-screensaver?  You can tell the difference
because gnome-screensaver doesn't present a vertical indicator showing how much
time you have before your attempt to unlock the screen will fail due to a timeout.
Comment 3 Colin Simpson 2006-03-30 09:33:55 EST
Looks like gnome-screensaver.
Comment 4 Nalin Dahyabhai 2006-03-30 19:44:51 EST
Hmm, that's pretty easy to fix.  Reassigning to gnome-screensaver component. 
Ray, I'll attach a more minimal patch than the one I'd suggested before.
Comment 5 Nalin Dahyabhai 2006-03-30 19:46:23 EST
Created attachment 127090
patch to add "KRB5CCNAME" and "KRBTKFILE" to the list of allowed environment variables
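
An added illustration of the change named in the attachment title, not the attached patch or gnome-screensaver's own code: an environment allowlist applied with and without the two Kerberos variables. The function names, the other allowlist entries and the sample environment are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical allowlists: "before" lacks the two names the patch adds. */
const char *const ALLOW_BEFORE[] = { "PATH", "DISPLAY", "LANG", NULL };
const char *const ALLOW_AFTER[]  = { "PATH", "DISPLAY", "LANG",
                                     "KRB5CCNAME", "KRBTKFILE", NULL };
/* Constructed session environment, not taken from the bug report. */
char *const SAMPLE_ENV[] = {
    "PATH=/usr/bin:/bin", "DISPLAY=:0", "LD_PRELOAD=/tmp/constructed.so",
    "KRB5CCNAME=FILE:/tmp/krb5cc_example", "KRB5CCNAME_X=1", NULL };

/* Return 1 if entry ("NAME=value") names a variable on the allowlist. */
static int env_allowed(const char *entry, const char *const *allow)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;                              /* malformed: drop */
    size_t len = (size_t)(eq - entry);
    for (; *allow != NULL; allow++)
        if (strlen(*allow) == len && strncmp(entry, *allow, len) == 0)
            return 1;                          /* whole-name match only */
    return 0;
}

/* Copy only allowed entries; caller frees the array, not the strings. */
char **filter_env(char *const *env, const char *const *allow)
{
    size_t n = 0, kept = 0;
    while (env[n] != NULL)
        n++;
    char **out = calloc(n + 1, sizeof *out);
    for (size_t i = 0; out != NULL && i < n; i++)
        if (env_allowed(env[i], allow))
            out[kept++] = env[i];
    return out;
}

/* Value of NAME in an env array, or NULL if it is absent. */
const char *env_lookup(char *const *env, const char *name)
{
    size_t len = strlen(name);
    for (; *env != NULL; env++)
        if (strncmp(*env, name, len) == 0 && (*env)[len] == '=')
            return *env + len + 1;
    return NULL;
}
```

With the "before" list the credential-cache location never reaches the process that authenticates the unlock, so nothing downstream can find the cache to refresh; the "after" list passes it through while still dropping every variable that is not named.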
Comment 6 Ray Strode [halfline] 2006-03-30 21:56:36 EST
Thanks Nalin.  Adding to FC5 update tracker, so we can get this fix in an fc5

Colin, would you mind filing a separate report about the TGT renewal dialog not
working? The component to file against is "krb5-auth-dialog". 
Comment 7 Ray Strode [halfline] 2006-03-30 23:29:08 EST
Hi Colin,

I'm going to push Nalin's patch into -updates-testing, would you mind testing
that it works?  If it does, I'll push it into -updates soon after.
Comment 8 Colin Simpson 2006-03-31 05:31:25 EST
Let me know when the patch is ready and I'll test. 

Separate bug report filed about krb5-auth-diag problem.

Comment 9 Ray Strode [halfline] 2006-03-31 18:10:37 EST
Hi Colin,

What bug number is the other report?
Comment 10 Colin Simpson 2006-04-01 11:00:37 EST
Bug report for krb5-auth-diag problem is 187485.

And let me know which patches I need to apply in update testing for this bug.

Comment 11 Rudi Chiarito 2006-04-03 09:32:25 EDT
I can confirm that gnome-screensaver-2.14.0-3 from Rawhide fixes this (and bug
333411 that I had reported upstream). Thanks.
Comment 12 Colin Simpson 2006-04-03 09:49:46 EDT
Installing this RPM on FC5 fixes this problem for me too.

Comment 13 birger 2006-05-05 02:22:29 EDT
I have fc5 installed with gnome-screensaver 2.14.1-1.fc5.1, and I still have
some problems with renewal of kerberos tickets.

After entering my password, the screen unlocks, and I still have an expired
ticket. Usually, I have immediately entered my password in the krb5-auth-dialog
that has been waiting on my screen, and usually I have had to do this twice (it
pops up again after a few seconds and my ticket is still expired) before I had a
new ticket.

Today I just logged in, checked that my ticket was expired, and then started
searching bugzilla without using the auth dialog. When I rechecked my ticket
while writing this, it had suddenly been updated.

Are these tools somehow renewing the ticket asynchronously? From what I saw
today it seems like it takes at least a minute from when I unlock until I have a
valid ticket. I'll have to expire my ticket and try again...

We log in using kerberos authentication (with AD as kerberos server), and
cifs-mounted home directory. For now, kerberos support in cifs vfs doesn't work,
so we use password authentication for the home dir. As soon as cifs works with
kerberos we'll want to use that so we can enable password-less ssh between
internal systems and still get the home directory mounted. When this happens I
assume it will also be vital that the kerberos key gets updated as soon as the
user unlocks. In fact, it may even be necessary to have some process (either the
screensaver or krb5-auth-dialog) automatically renew the ticket until the 'renew
until' time is reached without asking for password.
Comment 14 Colin Simpson 2006-05-05 05:15:51 EDT
The problem you describe sounds like it might be that gnome-screensaver is
renewing the Kerberos ticket but auth-dialog is undoing its good work. I
reported it in bug report 187485 (is anyone looking at that one?).

You could try doing a klist after unlocking the screen but not touching
auth-diag and see if the ticket gets renewed.

Comment 15 A S Alam 2007-09-19 07:37:57 EDT
hi birger,
can you please check with comment #14, whether you are facing same issue or as
in comment.
FYI: Adding you to CC in bug
Comment 16 birger 2007-11-14 15:57:28 EST
I have changed to a new employer, so I don't use kerberos at the moment. I have
no easy way to check this. Sorry I can't be of much help on this bug anymore.
Comment 17 Ray Strode [halfline] 2007-11-14 21:56:01 EST
I think the original problem is correct, so I'll close the bug.
