Description of problem:
When a machine is locked in FC5, unlocking it no longer renews the TGT. A bug fix in RH4 did appear to repair this functionality. Also, in FC5 a dialog appears asking me for new credentials; entering them, however, does not appear to renew my TGT either as far as klist is concerned. A dialog does appear on the desktop

Version-Release number of selected component (if applicable):

How reproducible: Every time.

Steps to Reproduce:
1. klist showing expired or about to expire TGT. Lock computer from menu
2. Unlock computer
3. klist still shows expired TGT.

Actual results: Expired TGT in klist.

Expected results: New TGT. Or GUI saying we need new credentials actually doing it. Both would be best, i.e. if unlocking screen renew TGT; if however user works through TGT expiration, the dialog appearing saying renew credentials appearing at that time.

Additional info:
Are you using xscreensaver, or gnome-screensaver? You can tell the difference because gnome-screensaver doesn't present a vertical indicator showing how much time you have before your attempt to unlock the screen will fail due to a timeout.
Looks like gnome-screensaver.
Hmm, that's pretty easy to fix. Reassigning to gnome-screensaver component. Ray, I'll attach a more minimal patch than the one I'd suggested before.
Created attachment 127090: patch to add "KRB5CCNAME" and "KRBTKFILE" to the list of allowed environment variables
Thanks Nalin. Adding to FC5 update tracker, so we can get this fix in an fc5 update. Colin, would you mind filing a separate report about the TGT renewal dialog not working? The component to file against is "krb5-auth-dialog".
Hi Colin, I'm going to push Nalin's patch into -updates-testing, would you mind testing that it works? If it does, I'll push it into -updates soon after.
Let me know when the patch is ready and I'll test. Separate bug report filed about krb5-auth-diag problem. Thanks
Hi Colin, What bug number is the other report?
Bug report for krb5-auth-diag problem is 187485. And let me know which patches I need to apply in update testing for this bug. Thanks
I can confirm that gnome-screensaver-2.14.0-3 from Rawhide fixes this (and bug 333411 that I had reported upstream). Thanks.
Installing this RPM on FC5 fixes this problem for me too.
I have fc5 installed with gnome-screensaver 2.14.1-1.fc5.1, and I still have some problems with renewal of kerberos tickets. After entering my password, the screen unlocks, and I still have an expired ticket. Usually, I have immediately entered my password in the krb5-auth-dialog that has been waiting on my screen, and usually I have had to do this twice (it pops up again after a few seconds and my ticket is still expired) before I had a new ticket. Today I just logged in, checked that my ticket was expired, and then started searching bugzilla without using the auth dialog. When I rechecked my ticket while writing this, it had suddenly been updated. Are these tools somehow renewing the ticket asynchronously? From what I saw today it seems like it takes at least a minute from when I unlock until I have a valid ticket. I'll have to expire my ticket and try again... We log in using kerberos authentication (with AD as kerberos server), and cifs-mounted home directory. For now, kerberos support in cifs vfs doesn't work, so we use password authentication for the home dir. As soon as cifs works with kerberos we'll want to use that so we can enable password-less ssh between internal systems and still get the home directory mounted. When this happens I assume it will also be vital that the kerberos key gets updated as soon as the user unlocks. In fact, it may even be necessary to have some process (either the screensaver or krb5-auth-dialog) automatically renew the ticket until the 'renew until' time is reached without asking for password.
The problem you describe sounds like it might be that gnome-screensaver is renewing the Kerberos ticket but auth-dialog is undoing its good work. I reported it in bug report 187485 (is anyone looking at that one?). You could try doing a klist after unlocking the screen but not touching auth-diag and see if the ticket gets renewed.
Hi birger, can you please check with comment #14 whether you are facing the same issue or as mentioned in the comment. Thanks. FYI: Adding you to CC in bug.
I have changed to a new employer, so I don't use kerberos at the moment. I have no easy way to check this. Sorry I can't be of much help on this bug anymore.
I think the original problem is correct, so I'll close the bug.