sys_getpeerid() [was Re: svn commit: samba r21887 -...]

Gerald (Jerry) Carter jerry at samba.org
Thu Mar 22 15:38:41 GMT 2007



Guenther,

>>> Fix annoying bug where in a pam_close_session (or a 
>>> pam_setcred with the PAM_DELETE_CREDS flag set) any
>>> user could delete krb5 credential caches. Make sure
>>> that only root can do this.
>>>
>>> Jerry, Jeremy, please check.
> 
> 
> There are three places we use sys_getpeerid() that I can tell.
> 
> (a) Jeremy's Domain Users hack for reporting group membership,
> (b) access to the ntlm_auth cache for applications like Firefox,
>     and now
> (c) The capability to issue a logoff call.
> 
> If we don't have getpeerid() I can lose the first two.  No big
> deal.
> 
> The problem I see with (c) is that if a platform does not support
> getpeerid() then you get init a user's krb5 ccache but never
> delete it.  Which makes the feature asymmetrical based on support
> for getpeerid().
> 
> Am I missing something here ?

I think this broke unlocking screen savers :-(  I'm
testing xscreensaver on CentOS4.4.  I'm seeing some strange
log entries from our pam_winbind (pam_lwidentity) code.
Granted this is from our internal tree, which is why it
would be great if you could double check me.
In particular I don't immediately know where the "write
to socket failed!" error is coming into play.

  xscreensaver(pam_unix)[4260]: authentication failure; logname=
    uid=100008 euid=100008 tty=:0.0 ruser= rhost=  user=MINT\johnny
  xscreensaver[4260]: pam_lwidentity(xscreensaver): Verify user 'root'
  xscreensaver[4260]: pam_lwidentity(xscreensaver): CONFIG file:
    krb5_ccache_type 'FILE'
  xscreensaver[4260]: pam_lwidentity(xscreensaver):
    pam_lwidentity_request: write to socket failed!
  xscreensaver[4260]: pam_lwidentity(xscreensaver): internal
    module error (retval = 3, user = 'root')
  xscreensaver(pam_unix)[4260]: authentication failure;
    logname= uid=100008 euid=100008 tty=:0.0 ruser= rhost=  user=root

cheers, jerry
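As an added illustration of the check under discussion (this is not Samba's code and not from the thread): a root-only gate on a Unix-domain socket request, using Linux SO_PEERCRED in place of Samba's sys_getpeerid() wrapper. It also shows the fail-closed answer to the asymmetry concern above: when peer credentials cannot be obtained, the delete is refused rather than allowed. Function names and the socketpair self-check are my own assumptions.

```c
#define _GNU_SOURCE          /* struct ucred on glibc */
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Return the uid of the process on the other end of a connected AF_UNIX
 * socket, or (uid_t)-1 if the kernel/socket cannot tell us (bad fd,
 * platform without peer credentials, not a unix socket). */
uid_t get_peer_uid(int fd)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0)
        return (uid_t)-1;
    return cred.uid;
}

/* May the peer on `fd` delete another user's krb5 ccache?  Only root may;
 * an unidentifiable peer is denied, so a platform without peer credentials
 * never deletes (rather than letting any user do it). */
int peer_may_delete_ccache(int fd)
{
    uid_t peer = get_peer_uid(fd);
    if (peer == (uid_t)-1)
        return 0;                      /* fail closed */
    return peer == 0;
}

/* Self-check over a socketpair (constructed input): the peer is ourselves,
 * so the request is allowed only when we run as root, and a bad fd is
 * always denied.  Returns 1 when every expectation holds. */
int self_check(void)
{
    int sv[2], ok;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 0;
    ok = get_peer_uid(sv[0]) == getuid()
      && peer_may_delete_ccache(sv[0]) == (getuid() == 0)
      && peer_may_delete_ccache(-1) == 0;
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    return self_check() ? 0 : 1;
}
```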
