[OpenAFS] Solaris 8, dtlogin and ~/.dt/session/lastsession
Charles Clancy
security@xauth.net
Fri, 9 Nov 2001 17:30:10 -0600 (CST)
> > After 3 years of my users putting up with this annoyance (one faculty
> > member bothered me at least once a month about it), I finally tracked the
> > problem to ~/.dt/session/lastsession, as you seem to have done. The
> > easiest thing to do is:
>
> Just curious if you're experiencing this problem with openafs or Transarc.
> I've not had this problem (with transarc afs on Sol7 and 8), and I would
> think that dtlogin would call pam_setcred() before doing anything in ~/.dt
I experienced it in the following environments:
Solaris 2.6 / Transarc AFS 3.4a
Solaris 7 32-bit / Transarc AFS 3.5
Solaris 7 64-bit / OpenAFS 1.0.2 (+/- 0.0.1)
Solaris 8 64-bit / OpenAFS 1.0.4
I fixed the problem after moving to OpenAFS, if I recall correctly.
In fact, dtlogin checks for your window manager settings after you type
your username, but before you type your password. There's absolutely no
way it could have a token at that time. If you'll notice, the window
manager choice appears on the screen asking for your password (if it has
it saved) and displays the apropriate logo. If no saved choice is
accessible, it leaves the Solaris logo and prompts you for a window
manager after you successfully authenticate.
I have seen dtlogin remember the window manager choice on occasion --
usually if I log in as root, get an admin token without setpaging, and
then exit my session. The root user still has an admin token, even though
root isn't logged in (since I didn't setpag, it's using UID to identify
processes with access to the token). Then, dtlogin running as root is
able to access users' ~/.dt directories. Of course, that only lasts 25
hours, before the token expires, and logins return to normal.
--
t. charles clancy <> tclancy@uiuc.edu <> www.uiuc.edu/~tclancy