[Freeipa-users] Screensaver unlock with expired password

Sigbjorn Lie sigbjorn at nixtra.com
Sat Apr 14 12:20:17 UTC 2012


Hi,

I ran into an issue with unlocking the screensaver when a user's password
has expired. These results are from RHEL 5.

When running KDE and unlocking a screensaver with an expired password, 
an error message is displayed advising that the password subsystem has 
failed with instructions to kill the PID of the screensaver manually.

When running GNOME and unlocking the screensaver with an expired 
password, an unlock is allowed, but no message is displayed, and the 
Kerberos ticket is not renewed.

Neither of these situations is ideal.

A workaround for KDE is to switch to a console login window with
CTRL-ALT-F2 and log in, where you will be prompted to change your
password. Switch back to KDE, and unlock the screensaver with the new
password. Not really user friendly.

We did have the krb5-auth-dialog running, but it turned out that after
being away over the weekend there were many of these appearing on the screen
on Monday morning, and once you typed in your password a new Kerberos
ticket was acquired with a start date of when the krb5-auth-dialog appeared!!

So if I left the office on Friday, and the krb5-auth-dialog appeared on 
Saturday, I would get a ticket expiring on the Sunday that's already 
passed, even though I typed in the password on Monday, rendering the 
ticket useless for authenticating anywhere... so we removed this package 
from our workstations.

Has anyone else run into these sorts of issues? I would like to know how
you chose to work around these issues.

Thanks.


Regards,
Siggi



