Red Hat Bugzilla – Bug 187341
gnome-screensaver unlock dialog fails to renew kerberos credentials
Last modified: 2007-11-30 17:11:28 EST
Description of problem:
When a machine is locked in FC5, unlocking it no longer renews the TGT. A bug
fix in RH4 did appear to repair this functionality.
Also, in FC5 a dialog appears asking me for new credentials; entering them,
however, does not appear to renew my TGT either, as far as klist is concerned.
A dialog does appear on the desktop
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. klist showing expired or about to expire TGT. Lock computer from menu
3. klist still shows expired TGT.
Expired TGT in klist,
New TGT. Or GUI saying we need new credentials actually doing it. Both would be
best, i.e. if unlocking screen renew TGT, if however user works through TGT
expiration the dialog appearing saying renew credentials appearing at that time.
Are you using xscreensaver, or gnome-screensaver? You can tell the difference
because gnome-screensaver doesn't present a vertical indicator showing how much
time you have before your attempt to unlock the screen will fail due to a timeout.
Looks like gnome-screensaver.
Hmm, that's pretty easy to fix. Reassigning to gnome-screensaver component.
Ray, I'll attach a more minimal patch than the one I'd suggested before.
Created attachment 127090 [details]
patch to add "KRB5CCNAME" and "KRBTKFILE" to the list of allowed environment variables
Thanks Nalin. Adding to FC5 update tracker, so we can get this fix in an fc5
Colin, would you mind filing a separate report about the TGT renewal dialog not
working? The component to file against is "krb5-auth-dialog".
I'm going to push Nalin's patch into -updates-testing, would you mind testing
that it works? If it does, I'll push it into -updates soon after.
Let me know when the patch is ready and I'll test.
Separate bug report filed about krb5-auth-diag problem.
What bug number is the other report?
Bug report for krb5-auth-diag problem is 187485.
And let me know which patches I need to apply in update testing for this bug.
I can confirm that gnome-screensaver-2.14.0-3 from Rawhide fixes this (and bug
333411 that I had reported upstream). Thanks.
Installing this RPM on FC5 fixes this problem for me too.
I have fc5 installed with gnome-screensaver 2.14.1-1.fc5.1, and I still have
some problems with renewal of kerberos tickets.
After entering my password, the screen unlocks, and I still have an expired
ticket. Usually, I have immediately entered my password in the krb5-auth-dialog
that has been waiting on my screen, and usually I have had to do this twice (it
pops up again after a few seconds and my ticket is still expired) before I had a
Today I just logged in, checked that my ticket was expired, and then started
searching bugzilla without using the auth dialog. When I rechecked my ticket
while writing this, it had suddenly been updated.
Are these tools somehow renewing the ticket asynchronously? From what I saw
today it seems like it takes at least a minute from when I unlock until I have a
valid ticket. I'll have to expire my ticket and try again...
We log in using kerberos authentication (with AD as kerberos server), and
cifs-mounted home directory. For now, kerberos support in cifs vfs doesn't work,
so we use password authentication for the home dir. As soon as cifs works with
kerberos we'll want to use that so we can enable password-less ssh between
internal systems and still get the home directory mounted. When this happens I
assume it will also be vital that the kerberos key gets updated as soon as the
user unlocks. In fact, it may even be necessary to have some process (either the
screensaver or krb5-auth-dialog) automatically renew the ticket until the 'renew
until' time is reached without asking for password.
The problem you describe sounds like it might be that gnome-screensaver is
renewing the Kerberos ticket but auth-dialog is undoing its good work. I
reported it in bug report 187485 (is anyone looking at that one?).
You could try doing a klist after unlocking the screen but not touching
auth-diag and see if the ticket gets renewed.
can you please check with comment #14, whether you are facing same issue or as
FYI: Adding you to CC in bug
I have changed to a new employer, so I don't use kerberos at the moment. I have
no easy way to check this. Sorry I can't be of much help on this bug anymore.
I think the original problem is correct, so I'll close the bug.