[Bug 187485] Doesn't seem to renew TGT after it has expired

bugzilla at redhat.com bugzilla at redhat.com
Wed Jun 24 04:12:13 UTC 2009


Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


https://bugzilla.redhat.com/show_bug.cgi?id=187485





--- Comment #25 from Bojan Smojver <bojan at rexursive.com>  2009-06-24 00:12:12 EDT ---
I tried this patch with gnome-screensaver:
-----------------------------
--- a/src/gs-auth-pam.c
+++ b/src/gs-auth-pam.c
@@ -545,15 +545,11 @@ gs_auth_thread_func (int auth_operation_fd)
         }

         /* Each time we successfully authenticate, refresh credentials,
-           for Kerberos/AFS/DCE/etc.  If this fails, just ignore that
-           failure and blunder along; it shouldn't matter.
-
-           Note: this used to be PAM_REFRESH_CRED instead of
-           PAM_REINITIALIZE_CRED, but Jason Heiss <jheiss at ee.washington.edu>
-           says that the Linux PAM library ignores that one, and only
refreshes
-           credentials when using PAM_REINITIALIZE_CRED.
+           for Kerberos/AFS/DCE/etc. Use PAM_ESTABLISH_CRED to get new
+           ticket.
         */
-        status2 = pam_setcred (pam_handle, PAM_REINITIALIZE_CRED);
+        status2 = pam_setcred (pam_handle, PAM_DELETE_CRED);
+        status2 = pam_setcred (pam_handle, PAM_ESTABLISH_CRED);
         if (gs_auth_get_verbose ()) {
                 g_message ("   pam_setcred (...) ==> %d (%s)",
                            status2,
-----------------------------

However, this creates _another_ ticket - doesn't replace the existing one. In
any event, PAM_REINITIALIZE_CRED doesn't appear to do anything to the ticket at
all. Hmm, weird...

I even tried setting KRB5CCNAME before running gnome-screensaver, but that
didn't do anything either. Probably because the environment passed to the
libexec program in question didn't pass it along or something.

Anyhow, I'll stop now - somebody actually familiar with this code should have a
look.

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.




More information about the fedora-triage-list mailing list