sys_getpeerid() [was Re: svn commit: samba r21887 -...]
Gerald (Jerry) Carter
jerry at samba.org
Thu Mar 22 15:38:41 GMT 2007
Guenther,
>>> Fix annoying bug where in a pam_close_session (or a
>>> pam_setcred with the PAM_DELETE_CREDS flag set) any
>>> user could delete krb5 credential caches. Make sure
>>> that only root can do this.
>>>
>>> Jerry, Jeremy, please check.
>
>
> There are three places we use sys_getpeerid() that I can tell.
>
> (a) Jeremy's Domain Users hack for reporting group membership,
> (b) access to the ntlm_auth cache for applications like Firefox,
> and now
> (c) The capability to issue a logoff call.
>
> If we don't have getpeerid() I can lose the first two. No big
> deal.
>
> The problem I see with (c) is that if a platform does not support
> getpeerid() then you can init a user's krb5 ccache but never
> delete it. Which makes the feature asymmetrical based on support
> for getpeerid().
>
> Am I missing something here ?

I think this broke unlocking screen savers :-( I'm
testing xscreensaver on CentOS4.4 and I'm seeing some strange
log entries from our pam_winbind (pam_lwidentity) code.
Granted this is from our internal tree, which is why it
would be great if you could double check me.

In particular I don't immediately know where the "write
to socket failed!" error is coming into play.

xscreensaver(pam_unix)[4260]: authentication failure; logname= uid=100008 euid=100008 tty=:0.0 ruser= rhost= user=MINT\johnny
xscreensaver[4260]: pam_lwidentity(xscreensaver): Verify user 'root'
xscreensaver[4260]: pam_lwidentity(xscreensaver): CONFIG file: krb5_ccache_type 'FILE'
xscreensaver[4260]: pam_lwidentity(xscreensaver): pam_lwidentity_request: write to socket failed!
xscreensaver[4260]: pam_lwidentity(xscreensaver): internal module error (retval = 3, user = 'root')
xscreensaver(pam_unix)[4260]: authentication failure; logname= uid=100008 euid=100008 tty=:0.0 ruser= rhost= user=root

cheers, jerry
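
Added example, not part of the original message and not Samba's code: a Linux-only sketch of the kind of peer-credential check discussed above, where a daemon asks the kernel for the uid behind a Unix-domain socket before honouring a ccache-deleting logoff. The function names are hypothetical, SO_PEERCRED is assumed as the mechanism, and the policy fails closed when the peer uid cannot be determined, which is the asymmetry raised in point (c).

```c
/* Added example: hypothetical names, Linux SO_PEERCRED assumed. */
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

/* Ask the kernel for the (effective) uid of the process on the other end
 * of a connected Unix-domain socket. Returns 0 on success, -1 when the
 * socket or platform cannot report peer credentials. */
int peer_uid(int sock, uid_t *uid)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);

    if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0 ||
        len != sizeof(cred))
        return -1;
    *uid = cred.uid;
    return 0;
}

/* Policy from the commit message: only root may trigger deletion of a
 * krb5 credential cache. An unknown peer (have_uid == 0) is refused. */
int may_delete_ccache(int have_uid, uid_t uid)
{
    return have_uid && uid == 0;
}

/* Gate for a logoff request arriving on 'sock': 1 = allowed, 0 = denied.
 * The uid comes from the kernel, never from the request payload. */
int authorize_logoff(int sock)
{
    uid_t uid = (uid_t)-1;
    int have_uid = (peer_uid(sock, &uid) == 0);

    return may_delete_ccache(have_uid, uid);
}
```

With this policy an unprivileged caller such as the uid=100008 xscreensaver process in the log above would be refused, and so would every caller on a platform where peer_uid() returns -1.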