Red Hat Bugzilla – Bug 197428
Cannot unlock kdesktop_lock when using Kerberos authentication
Last modified: 2008-05-06 12:04:16 EDT
Description of problem:
When using Kerberos authentication it is not possible to unlock the screen saver
(kdesktop_lock) when it is locked. After entering the password an error message
"Cannot unlock the session because the authentication system failed to work; you
must kill kdesktop_lock (pid 2753) manually."
The associated messages in /var/log/messages are:
kcheckpass: pam_krb5: authentication succeeds for 'user' (user@EXAMPLE.COM)
kcheckpass: pam_krb5: won't refresh credentials while running setuid/setgid
The associated messages in /var/log/secure are:
kcheckpass: pam_unix(kscreensaver:auth): authentication failure; logname=user
uid=500 euid=0 tty=:0 ruser= rhost= user=user
Note: username and Kerberos domain replaced with fake.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Setup Kerberos authentication with system-config-authentication
2. Lock the screen
3. Unlock the screen (will fail)
An error message is displayed and the screen is not unlocked.
The screen should unlock.
Setup a local password for the account on the computer. The local password
should not be the same as the Kerberos password since this will inhibit
authentication via the Kerberos server. When unlocking the screen, use the local
password instead of the Kerberos password.
Just to help with reproducing this, you've got all of the FC5 updates applied?
(CCing the kdebase package owner in case this is a known problem.)
it seems pam_krb5 does not refresh credentials while kcheckpass running
Does it work for you if you remove the setuid of kcheckpass (chmod
755 /usr/bin/kcheckpass) ?
Nalin, do you know why using pam_ldap requires root priviliges?
for more infos please take a look at
The module doesn't try to refresh credentials when it's running setuid root.
The module has to get the location of the current credential cache from an
environment variable, and I don't trust that in a setuid case.
I guess the module could return PAM_IGNORE instead of PAM_SERVICE_ERR in that
case, or the unlock program could simply ignore the error code, as this isn't
the only error which might be generated (the documentation for PAM isn't really
clear on what the application is supposed to do if pam_setcred() returns a
I'd need more information about the configuration to be sure, but bug #189790
could be caused by a configuration in which access to the directory server is
only possible for the root user (e.g., setting a "rootbinddn", storing a
password in /etc/ldap.secret, and configuring the directory server to deny
unauthenticated search requests).
All updaes were applied. As a matter of fact, it all worked before applying the
updates. Sorry, forgot to mension this. I bet that kcheckpass being changed to
suid root in some kdebase update caused this to happen. Then we have a problem.
Kerberos authentication requires kcheckpass not to be suid root but LDAP
authentication require it to be.
I do not have the computer with the problem infront of me right now. I'll verify
tomorrow that a chmod 755 will indeed solve the problem.
A "chmod 755 /usr/bin/kcheckpass" solved the problem. But of course, the bug is
still there. At the next update I'll have to chmod again.
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.
If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.
If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reporduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
Thanks for your help, and we apologize again that we haven't handled
these issues to this point.
The process we are following is outlined here:
We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.
And if you'd like to join the bug triage team to help make things
better, check out http://fedoraproject.org/wiki/BugZappers
This bug is open for a Fedora version that is no longer maintained and
will not be fixed by Fedora. Therefore we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen thus bug against that version.
Thank you for reporting this bug and we are sorry it could not be fixed.