Q: How do I prevent my tickets from being renewed when I unlock my screen on Debathena?

Answer

By default, when you unlock your screen, Debathena will renew your Kerberos tickets for you. In many cases, this is the desired behavior. On your own workstation, however, you may wish to change this behavior (e.g., if you're running zwgc). You can do so as follows:

Be Careful This procedure involves editing some system configuration files. Errors here can leave you without access to your system. Please ensure you have a current backup before proceeding.

1. As root, open the file /etc/pam.d/gnome-screensaver for editing in your text editor of choice.
2. Find the line that contains

   @include common-auth

   and delete it. In place of that line, insert the entire contents of the file /etc/pam.d/common-auth.

3. In the text you just inserted, find the line that begins with the word auth and also contains the text pam_krb5.so somewhere in the middle of the line. It should look something like the following, but may not match exactly:

   auth    [success=2 authinfo_unavail=ignore default=die] pam_krb5.so minimum_uid=1 use_first_pass

4. At the end of that line, add a space, and then the string no_ccache.
5. Save the file.

Now, when you lock your screen, your existing Kerberos tickets will not be overwritten. Note that if you unlock your screen after being away for several hours or overnight, your tickets may have expired. After you unlock your screen, you will need to type renew in the Terminal to obtain new tickets.