From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux alpha; en-US; rv:0.9.2) Gecko/20010809 Description of problem: Since the pam_setcred is called before the initgroups call, setting supplementary groups with pam_group will thus not work of course since the groups are then wiped later. It could be that other credentials are also not set correctly because of this, another (but minor) issue is that pam_open_session was called before setcred, rather then after as is recommended by the pam docs. This bug applies to all gdm versions that I know of and thus all versions of redhat that use gdm. A fix is in the current CVS version and will be in the next release. In the meantime I have attached a patch against 2.2.3.1 which is the version redhat seems to be using currently. Not sure how critical this is, since essentially no gdm version got it right previously and pam_group is not that useful, however, other modules that grant certain credentials could be effected by this as well. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. use pam_group 2. log in with gdm 3. Actual Results: No supplemental group memberships given by pam_group. Only those listed in /etc/groups are given by initgroups Expected Results: have both /etc/groups and pam_group setups be in effect Additional info:
Created attachment 29134 [details] Patch to fix a pam setcred bug in gdm 2.2.3.1
Nalin when I get to work I plan to ask you to explain what George is talking about ;-)
Well, all that stuff changed recently anyway. I think it's best to just upgrade to 2.2.5.4 which I think does pam correctly.
OK, rawhide has new gdm