can't unlock xscreensaver

steve steve at steve-ss.com
Sun Feb 5 05:24:21 EST 2012


On 04/02/12 16:43, Mantas M. wrote:
> On Fri, Feb 03, 2012 at 04:40:16PM +0100, steve wrote:
>> OK
>> I've now seen that the xscreensaver shipped with openSUSE 12.1 does not
>> support Krb5. Fine.
> This shouldn't make any difference if PAM is being used -- xscreensaver just calls pam_krb5 in that case.
>
> Try adding the 'debug' option to pam_krb5 lines in your PAM configuration; see if anything interesting gets logged to the auth log.
>
> Also worth trying is `pamtester xscreensaver steve authenticate`, both under your normal account and as root.
>
Hi
Thanks for your reply.

I added debug to /etc/pam.d/common-auth:
auth    required    pam_env.so
auth    optional    pam_gnome_keyring.so
auth    sufficient    pam_unix2.so
auth    sufficient    pam_krb5.so    use_first_pass debug
auth    required    pam_deny.so

Here is a user steve5 logging in (his /home folder is on an nfs4 mount):
Feb  5 11:03:55 hh3 kdm: :0[9701]: pam_krb5[9701]: minimum uid: 1
Feb  5 11:03:55 hh3 kdm: :0[9701]: pam_krb5[9701]: banner: Kerberos 5
Feb  5 11:03:55 hh3 kdm: :0[9701]: pam_krb5[9701]: ccache dir: /tmp
Feb  5 11:03:55 hh3 kdm: :0[9701]: pam_krb5[9701]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
Feb  5 11:03:55 hh3 kdm: :0[9701]: pam_krb5[9701]: keytab: FILE:/etc/krb5.keytab
Feb  5 11:03:55 hh3 kdm: :0[9701]: pam_krb5[9701]: token strategy: v4,524,2b,rxk5
Feb  5 11:03:55 hh3 kdm: :0[9701]: pam_krb5[9701]: pam_authenticate called for 'steve5', realm 'HH3.SITE'
Feb  5 11:03:55 hh3 kdm: :0[9701]: pam_krb5[9701]: authenticating 'steve5 at HH3.SITE'
Feb  5 11:03:55 hh3 kdm: :0[9701]: pam_krb5[9701]: trying previously-entered password for 'steve5', allowing libkrb5 to prompt for more
Feb  5 11:03:57 hh3 kdm: :0[9701]: pam_krb5[9701]: krb5_get_init_creds_password(krbtgt/HH3.SITE at HH3.SITE) returned 0 (Success)
Feb  5 11:03:57 hh3 kdm: :0[9701]: pam_krb5[9701]: validating credentials
Feb  5 11:03:57 hh3 kdm: :0[9701]: pam_krb5[9701]: TGT verified using key for 'nfs/hh3.hh3.site at HH3.SITE'
Feb  5 11:03:57 hh3 kdm: :0[9701]: pam_krb5[9701]: got result 0 (Success)
Feb  5 11:03:57 hh3 kdm: :0[9740]: pam_krb5[9740]: saving v5 credentials to 'MEMORY:_pam_krb5_tmp_s_steve5 at HH3.SITE-0' for internal use
Feb  5 11:03:57 hh3 kdm: :0[9740]: pam_krb5[9740]: copied credentials from "MEMORY:_pam_krb5_tmp_s_steve5 at HH3.SITE-0" to "FILE:/tmp/krb5cc_3000021_B3F14U" for the user, destroying "MEMORY:_pam_krb5_tmp_s_steve5 at HH3.SITE-0"
Feb  5 11:03:57 hh3 kdm: :0[9740]: pam_krb5[9740]: created v5 ccache 'FILE:/tmp/krb5cc_3000021_k7VClV' for 'steve5'
Feb  5 11:03:57 hh3 kdm: :0[9701]: pam_krb5[9701]: 'steve5 at HH3.SITE' passes .k5login check for 'steve5'
Feb  5 11:03:57 hh3 kdm: :0[9701]: pam_krb5[9701]: authentication succeeds for 'steve5' (steve5 at HH3.SITE)
Feb  5 11:03:57 hh3 kdm: :0[9701]: pam_krb5[9701]: pam_authenticate returning 0 (Success)

He gets authenticated against Kerberos and the session starts fine.

But then upon trying to unlock xscreensaver:
Feb  5 11:05:14 hh3 unix2_chkpwd[10107]: Illegal service name 'xscreensaver'

/etc/pam.d/xscreensaver contains:
auth     include        common-auth
account  include        common-account
password include        common-password
session  include        common-session

It seems as though pam_krb5 is not being consulted.
Any idea how to fix?

Steve
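
An added example, not part of the original post: a small Python resolver for the `include` lines in the two PAM files quoted above, showing the auth stack that the xscreensaver service resolves to and which module PAM calls next when pam_unix2.so returns a failure. The function names are hypothetical, the file contents are copied from the post, and only plain control keywords are handled (no bracketed [value=action] controls).

```python
# Added example: expand PAM "include" lines into the effective stack of a service.
# FILES holds the two /etc/pam.d files quoted in the post. The other common-*
# files are not shown there, so only the "auth" type can be resolved here.
FILES = {
    "xscreensaver": """\
auth     include        common-auth
account  include        common-account
password include        common-password
session  include        common-session
""",
    "common-auth": """\
auth    required    pam_env.so
auth    optional    pam_gnome_keyring.so
auth    sufficient    pam_unix2.so
auth    sufficient    pam_krb5.so    use_first_pass debug
auth    required    pam_deny.so
""",
}


def effective_stack(service, mtype, files=FILES, _seen=()):
    """Return [(control, module, args)] for one type, with includes expanded."""
    if service in _seen:
        raise ValueError(f"include loop via {service}")
    stack = []
    for raw in files[service].splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on blanks
        if len(fields) < 3 or fields[0] != mtype:
            continue  # blank line, malformed line, or another management type
        _, control, target, *args = fields
        if control == "include":
            # "include" pulls in only the lines of the same type from the target
            stack += effective_stack(target, mtype, files, _seen + (service,))
        else:
            stack.append((control, target, args))
    return stack


def next_after_failure(stack, failed_module):
    """Module PAM calls next when failed_module fails, or None if the stack ends."""
    names = [module for _, module, _ in stack]
    idx = names.index(failed_module)
    # A failing "requisite" module returns to the application immediately;
    # required, sufficient and optional failures let the stack continue.
    if stack[idx][0] == "requisite" or idx + 1 == len(stack):
        return None
    return names[idx + 1]
```

Comparing this resolved stack with the modules that actually appear in the auth log during an unlock attempt shows whether the gap is in the configuration or at run time.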