Jukka Salmi --> current-users (2006-10-18 22:29:45 +0200):
> Hi,
> 
> on a -current Kerberos V system login(1) works fine while xdm(1) doesn't
> (both are using pam(8), default /etc/pam.d files). After successfully
> logging in, xdm seems to remove the credentials cache file:
> 
> [...]
>   3508      1 xdm      CALL  __lstat30(0x806cca0,0xbfbfe094)
>   3508      1 xdm      NAMI  "/tmp/krb5cc_1000"
>   3508      1 xdm      RET   __lstat30 0
>   3508      1 xdm      CALL  open(0x806cca0,2,0xbfbfdfb8)
>   3508      1 xdm      NAMI  "/tmp/krb5cc_1000"

That's a strange open(2) mode, isn't it?


> Another thing I noticed:
> 
> [...]
>   3508      1 xdm      CALL  chown(0x8069805,0x3e8,0x3e8)
>   3508      1 xdm      NAMI  "/tmp/krb5cc_1000"
>   3508      1 xdm      RET   chown -1 errno 1 Operation not permitted
> [...]
> 
> (0x3e8 being the uid of the user logging in)
> 
> login(1) seems to chown the file, too, but succeeds doing so.

I rebuilt PAM with DEBUG defined, and added code to check the cache
file's mode, owner and group, and the process' e[ug]id and [ug]id.
This didn't help me finding the problem, but it might give a hint for
someone more familiar with the code. That's what syslogd receives from
xdm:

in openpam_dispatch(): calling pam_sm_authenticate() in pam_krb5.so
[...]
in openpam_dispatch(): pam_krb5.so: pam_sm_authenticate(): success
in openpam_dispatch(): calling pam_sm_setcred() in pam_krb5.so
in openpam_dispatch(): pam_krb5.so: pam_sm_setcred(): error in service module
in openpam_dispatch(): calling pam_sm_setcred() in pam_krb5.so
in openpam_get_option(): entering: 'no_ccache'
in openpam_get_option(): returning NULL
in pam_sm_setcred(): Establishing credentials
in pam_get_item(): entering: PAM_USER
in pam_get_item(): returning PAM_SUCCESS
in pam_sm_setcred(): Got user: jukka
in pam_sm_setcred(): Context initialised
in pam_sm_setcred(): Got euid, egid: 0 0
in pam_get_data(): entering: 'ccache'
in pam_get_data(): returning PAM_SUCCESS
in pam_sm_setcred(): Done getpwnam_r()
in pam_sm_setcred(): Done setegid() & seteuid()
in openpam_get_option(): entering: 'ccache'
in openpam_get_option(): returning NULL
in pam_sm_setcred(): Got cache_name: FILE:/tmp/krb5cc_1000
in pam_sm_setcred(): Cache initialised
in pam_sm_setcred(): Prepared for iteration
in pam_sm_setcred(): Iteration
in pam_sm_setcred(): Iteration
in pam_sm_setcred(): Done iterating
pam_krb5: stat(/tmp/krb5cc_1000): mode 100600, uid 1000, gid 0
pam_krb5: chown(/tmp/krb5cc_1000, 1000, 1000) as euid:egid 1000:1000 (uid:gid 0:0)
in pam_sm_setcred(): Error chown(): Operation not permitted
in pam_sm_setcred(): Done cleanup2
in pam_sm_setcred(): Done cleanup3
in pam_sm_setcred(): Done seteuid() & setegid()
in openpam_dispatch(): pam_krb5.so: pam_sm_setcred(): error in service module

The two lines starting with `pam_krb5:' are output by the code I added
to lib/libpam/modules/pam_krb5/pam_krb5.c, just before the failing
chown() call. AFAICT everything seems to be fine and I have no idea
why chown() fails...

The full log is [1]availabe, as is the [2]log of the login procedure
when using login(1) (which succeeds) instead of xdm(1).

Any hints?


TIA, Jukka

[1] http://salmi.ch/~jukka/nbsd/pam_krb5/xdm
[2] http://salmi.ch/~jukka/nbsd/pam_krb5/login

-- 
bashian roulette:
$ ((RANDOM%6)) || rm -rf ~