Issue 676337

Issue metadata

Status: Verified
Owner:
Closed: Sep 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Feature




Refresh TGT on unlocking the device on the lock screen

Project Member Reported by tnagel@chromium.org, Dec 21 2016

Issue description

.
 

Comment 1 by tnagel@chromium.org, Dec 21 2016

Labels: -Pri-3 M-58 Pri-1
Labels: Enterprise-Triaged
Status: Started (was: Assigned)

Comment 4 by bugdroid1@chromium.org, Apr 11 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d8c46c166645ad80352881e692745cd2c30aa24f

commit d8c46c166645ad80352881e692745cd2c30aa24f
Author: rsorokin <rsorokin@chromium.org>
Date: Tue Apr 11 08:43:19 2017

Add AuthPolicyLoginHelper

Allows cancelling all pending calls and restarting the AuthPolicy service. Used
for enrollment and login UI to properly cancel the flows.

Also
Add RestartAuthPolicyService into UpstartClient.
Make UI flows properly cancel pending authpolicy operations.
Add delays in the FakeAuthPolicy clients in JoinAdDomain and
Authenticate user calls.
Move writing password piping into the AuthPolicyLoginHelper.

BUG= 677487 , 662400 , 676337 , 675597 
TEST=manual
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation

Review-Url: https://codereview.chromium.org/2794493002
Cr-Commit-Position: refs/heads/master@{#463578}

[modify] https://crrev.com/d8c46c166645ad80352881e692745cd2c30aa24f/chrome/browser/chromeos/login/enterprise_enrollment_browsertest.cc
[modify] https://crrev.com/d8c46c166645ad80352881e692745cd2c30aa24f/chrome/browser/chromeos/login/helper.cc
[modify] https://crrev.com/d8c46c166645ad80352881e692745cd2c30aa24f/chrome/browser/chromeos/login/helper.h
[modify] https://crrev.com/d8c46c166645ad80352881e692745cd2c30aa24f/chrome/browser/chromeos/login/login_browsertest.cc
[modify] https://crrev.com/d8c46c166645ad80352881e692745cd2c30aa24f/chrome/browser/resources/chromeos/login/screen_gaia_signin.js
[modify] https://crrev.com/d8c46c166645ad80352881e692745cd2c30aa24f/chrome/browser/ui/webui/chromeos/login/enrollment_screen_handler.cc
[modify] https://crrev.com/d8c46c166645ad80352881e692745cd2c30aa24f/chrome/browser/ui/webui/chromeos/login/enrollment_screen_handler.h
[modify] https://crrev.com/d8c46c166645ad80352881e692745cd2c30aa24f/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.cc
[modify] https://crrev.com/d8c46c166645ad80352881e692745cd2c30aa24f/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.h
[modify] https://crrev.com/d8c46c166645ad80352881e692745cd2c30aa24f/chromeos/BUILD.gn
[modify] https://crrev.com/d8c46c166645ad80352881e692745cd2c30aa24f/chromeos/dbus/auth_policy_client.cc
[modify] https://crrev.com/d8c46c166645ad80352881e692745cd2c30aa24f/chromeos/dbus/auth_policy_client.h
[modify] https://crrev.com/d8c46c166645ad80352881e692745cd2c30aa24f/chromeos/dbus/fake_auth_policy_client.cc
[modify] https://crrev.com/d8c46c166645ad80352881e692745cd2c30aa24f/chromeos/dbus/fake_auth_policy_client.h
[modify] https://crrev.com/d8c46c166645ad80352881e692745cd2c30aa24f/chromeos/dbus/fake_auth_policy_client_unittest.cc
[modify] https://crrev.com/d8c46c166645ad80352881e692745cd2c30aa24f/chromeos/dbus/fake_upstart_client.cc
[modify] https://crrev.com/d8c46c166645ad80352881e692745cd2c30aa24f/chromeos/dbus/fake_upstart_client.h
[modify] https://crrev.com/d8c46c166645ad80352881e692745cd2c30aa24f/chromeos/dbus/upstart_client.cc
[modify] https://crrev.com/d8c46c166645ad80352881e692745cd2c30aa24f/chromeos/dbus/upstart_client.h
[add] https://crrev.com/d8c46c166645ad80352881e692745cd2c30aa24f/chromeos/login/auth/authpolicy_login_helper.cc
[add] https://crrev.com/d8c46c166645ad80352881e692745cd2c30aa24f/chromeos/login/auth/authpolicy_login_helper.h

Labels: -M-58 M-61
I'm gonna leave this bug to make sure we'll handle passing the password on the views-based lock screen.

Comment 8 by dskaram@google.com, Jul 28 2017

Labels: -Pri-1 Pri-2
Changing to P2 given the critical part is already fixed.

Comment 9 by bugdroid1@chromium.org, Sep 28 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c559001e91f7c460113f5bbd5afa41e1f83dfe6f

commit c559001e91f7c460113f5bbd5afa41e1f83dfe6f
Author: Roman Sorokin <rsorokin@chromium.org>
Date: Thu Sep 28 00:48:29 2017

Chromad: Refresh Kerberos TGT on the views lock screen

Refresh Kerberos ticket-granting-ticket for Active Directory
enrolled devices on the new views-based lock screen

Bug:  676337 
Change-Id: I2a211c5b1e9b03f3bd7e27ac018133e2edde1391
Reviewed-on: https://chromium-review.googlesource.com/685830
Reviewed-by: Jacob Dufault <jdufault@chromium.org>
Commit-Queue: Roman Sorokin <rsorokin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#504834}
[modify] https://crrev.com/c559001e91f7c460113f5bbd5afa41e1f83dfe6f/ash/login/lock_screen_controller.cc
[modify] https://crrev.com/c559001e91f7c460113f5bbd5afa41e1f83dfe6f/chrome/browser/chromeos/login/lock/screen_locker.cc

Status: Fixed (was: Started)

Comment 11 by dchan@chromium.org, Jan 22 2018

Status: Archived (was: Fixed)

Comment 12 by dchan@chromium.org, Jan 23 2018

Status: Fixed (was: Archived)
Status: Verified (was: Fixed)
Verified fixed. There is a refresh of the Kerberos TGT for an Active Directory enrolled device on the lock screen.

Steps:

1. Enroll device to AD
2. Login with an AD user
3. Lock the device
4. Login again

localhost /var/log # cat authpolicy.log 
2018-04-10T14:19:27.549987-07:00 INFO authpolicyd[2950]: #033[41;1;97mReceived 'AuthenticateUser' request#033[0m
2018-04-10T14:19:33.668812-07:00 INFO authpolicyd[2950]: Firing signal UserKerberosFilesChanged
2018-04-10T14:19:40.037316-07:00 INFO authpolicyd[2950]: TGT RENEWAL - Scheduling renewal in 7h 59m 54s (valid for 9h 59m 53s, renewable for 167h 59m 52s)
2018-04-10T14:19:40.037407-07:00 INFO authpolicyd[2950]: AuthenticateUser succeeded
2018-04-10T14:19:41.545321-07:00 INFO authpolicyd[2950]: #033[41;1;97mReceived 'GetUserStatus' request#033[0m
2018-04-10T14:19:50.745776-07:00 INFO authpolicyd[2950]: GetUserStatus succeeded
2018-04-10T14:19:50.746153-07:00 INFO authpolicyd[2950]: #033[41;1;97mReceived 'GetUserKerberosFiles' request#033[0m
2018-04-10T14:19:50.746311-07:00 INFO authpolicyd[2950]: GetUserKerberosFiles succeeded
2018-04-10T14:19:50.746739-07:00 INFO authpolicyd[2950]: #033[41;1;97mReceived 'RefreshUserPolicy' request#033[0m
2018-04-10T14:19:55.969642-07:00 INFO authpolicyd[2950]: Getting user GPO list for user account
2018-04-10T14:20:04.274335-07:00 INFO authpolicyd[2950]: User policy fetch and parsing succeeded
2018-04-10T14:20:04.279232-07:00 INFO authpolicyd[2950]: All 1 calls to StoreUnsignedPolicyEx succeeded.
2018-04-10T14:26:20.538363-07:00 INFO authpolicyd[2950]: #033[41;1;97mReceived 'AuthenticateUser' request#033[0m
2018-04-10T14:26:28.419853-07:00 INFO authpolicyd[2950]: TGT RENEWAL - Scheduling renewal in 7h 59m 59s (valid for 9h 59m 59s, renewable for 167h 59m 59s)
2018-04-10T14:26:28.419925-07:00 INFO authpolicyd[2950]: Firing signal UserKerberosFilesChanged
2018-04-10T14:26:39.419525-07:00 INFO authpolicyd[2950]: AuthenticateUser succeeded
2018-04-10T14:26:39.420266-07:00 INFO authpolicyd[2950]: #033[41;1;97mReceived 'GetUserKerberosFiles' request#033[0m
2018-04-10T14:26:39.420685-07:00 INFO authpolicyd[2950]: GetUserKerberosFiles succeeded
localhost /var/log #

Chrome OS: 10452.52.0
Chrome: 66.0.3359.94
Device: Santa
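
An added example, not part of the original issue or of Chromium's code: a Python check over the authpolicy.log lines quoted in comment 12 that pairs each AuthenticateUser request with the TGT renewal it scheduled and flags any authentication that succeeded without one. It assumes the log format shown above; the function names are hypothetical, and reading the second request as the unlock in step 4 is an assumption based on the listed steps.

```python
import re
from datetime import datetime, timedelta

# Sample input: lines copied from the authpolicy.log excerpt in comment 12.
SAMPLE_LOG = """\
2018-04-10T14:19:27.549987-07:00 INFO authpolicyd[2950]: #033[41;1;97mReceived 'AuthenticateUser' request#033[0m
2018-04-10T14:19:40.037316-07:00 INFO authpolicyd[2950]: TGT RENEWAL - Scheduling renewal in 7h 59m 54s (valid for 9h 59m 53s, renewable for 167h 59m 52s)
2018-04-10T14:19:40.037407-07:00 INFO authpolicyd[2950]: AuthenticateUser succeeded
2018-04-10T14:26:20.538363-07:00 INFO authpolicyd[2950]: #033[41;1;97mReceived 'AuthenticateUser' request#033[0m
2018-04-10T14:26:28.419853-07:00 INFO authpolicyd[2950]: TGT RENEWAL - Scheduling renewal in 7h 59m 59s (valid for 9h 59m 59s, renewable for 167h 59m 59s)
2018-04-10T14:26:28.419925-07:00 INFO authpolicyd[2950]: Firing signal UserKerberosFilesChanged
2018-04-10T14:26:39.419525-07:00 INFO authpolicyd[2950]: AuthenticateUser succeeded
"""

ANSI = re.compile(r"#033\[[0-9;]*m")  # colour codes as syslog escaped them
LINE = re.compile(r"^(\S+) \w+ authpolicyd\[\d+\]: (.*)$")
RENEWAL = re.compile(r"TGT RENEWAL - .*\(valid for (.+?), renewable for")

def parse_duration(text):
    """Convert a duration such as '7h 59m 54s' into a timedelta."""
    parts = {unit: int(num) for num, unit in re.findall(r"(\d+)([hms])", text)}
    return timedelta(hours=parts.get("h", 0), minutes=parts.get("m", 0), seconds=parts.get("s", 0))

def audit_authentications(log_text):
    """One record per AuthenticateUser request: start time, TGT validity, outcome."""
    records, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(ANSI.sub("", raw))
        if not m:
            continue
        ts, msg = datetime.fromisoformat(m.group(1)), m.group(2).strip()
        if msg == "Received 'AuthenticateUser' request":
            current = {"start": ts, "valid_for": None, "succeeded": False}
            records.append(current)
        elif current is not None:
            r = RENEWAL.search(msg)
            if r:
                current["valid_for"] = parse_duration(r.group(1))
            elif msg == "AuthenticateUser succeeded":
                current["succeeded"] = True
                current = None  # request finished; ignore lines until the next one
    return records

def missing_tgt(records):
    """Authentications that succeeded without a TGT renewal being scheduled."""
    return [r for r in records if r["succeeded"] and r["valid_for"] is None]

if __name__ == "__main__":
    print(audit_authentications(SAMPLE_LOG))
```

For the login-then-unlock steps above, two records with a non-empty `valid_for` and an empty `missing_tgt` result correspond to the behaviour the comment reports as verified.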
