[OpenAFS] Token loss after su on linux 2.6
Russ Allbery
rra@stanford.edu
Wed, 16 Aug 2006 10:05:08 -0700
Bob Hoffman <hoffman@cs.pitt.edu> writes:
> I'm having the following problem on our Red Hat Enterprise 4 systems
> using the 2.6 kernel -- after exiting from a 'su' session, my token is
> gone. This did not occur under the 2.4 kernel.
> 2. Red Hat Enterprise 4. The token acquired at login is retained in
> the su session but is discarded upon leaving that session.
> arsenic:1 % uname -a
> Linux arsenic.cs.pitt.edu 2.6.9-34.0.2.ELsmp #1 SMP Fri Jun 30 10:33:58
> EDT 2006 i686 i686 i386 GNU/Linux
> arsenic:2 % cat /etc/redhat-release
> Red Hat Enterprise Linux WS release 4 (Nahant Update 3)
> arsenic:3 % strings /usr/vice/etc/afsd |grep OpenAFS
> @(#) OpenAFS 1.4.1 built 2006-04-19
> arsenic:4 % tokens
> Tokens held by the Cache Manager:
> User's (AFS ID 46) tokens for afs@cs.pitt.edu [Expires Aug 17 13:57]
> --End of list--
> arsenic:5 % su
> Password:
> Setting erase to ^?
> arsenic:1 # tokens
> Tokens held by the Cache Manager:
> User's (AFS ID 46) tokens for afs@cs.pitt.edu [Expires Aug 17 13:57]
> --End of list--
> arsenic:2 # exit
> exit
> arsenic:6 % tokens
> Tokens held by the Cache Manager:
> --End of list--
My guess is that you have a PAM module on that system that understands AFS
and which is therefore blowing away your tokens in pam_close_session,
which is probably being called by su when you exit. It really shouldn't
be doing this unless pam_open_session obtained new tokens, but heaven
knows I've written PAM modules with that problem too. I believe Red Hat
added AFS support (via Heimdal krbafs) to their K5 PAM module between RHEL
3 and RHEL 4.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
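To check the guess in the reply above on an affected host, the following lists every module PAM runs in the session phase for a service, following `include`, `substack`, `@include` and the older `pam_stack.so service=NAME` indirection. This is an added example, not part of the original message; the function name `pam_session_modules` is hypothetical and the default directory `/etc/pam.d` is assumed.

```shell
#!/bin/sh
# Added example: list the modules PAM runs in the session phase for a service.
# These are the modules whose pam_close_session hook runs when su exits.
# Usage: pam_session_modules SERVICE [PAM_DIR]   (PAM_DIR defaults to /etc/pam.d)
pam_session_modules() {
    awk -v svc="$1" -v dir="${2:-/etc/pam.d}" '
    function walk(name,    file, line, f, n, i, k) {
        if (name in active) return             # already being read: include loop
        active[name] = 1
        file = dir "/" name
        while ((getline line < file) > 0) {
            sub(/#.*/, "", line)               # drop comments
            n = split(line, f)
            if (n < 2) continue
            if (f[1] == "@include") { walk(f[2]); continue }
            sub(/^-/, "", f[1])                # "-session" marks an optional module
            if (f[1] != "session" || n < 3) continue
            i = 2                              # control may be "[a=b c=d]"
            if (f[2] ~ /^\[/) while (i < n && f[i] !~ /\]$/) i++
            if (f[2] == "include" || f[2] == "substack") { walk(f[3]); continue }
            i++                                # f[i] is now the module path
            print name ": " f[i]
            for (k = i + 1; k <= n; k++)       # older pam_stack.so service=NAME form
                if (f[i] ~ /pam_stack\.so$/ && f[k] ~ /^service=/)
                    walk(substr(f[k], 9))
        }
        close(file)
        delete active[name]
    }
    BEGIN { walk(svc) }'
}
```

Run as `pam_session_modules su`; each output line is `FILE: MODULE`, and any listed module that handles AFS tokens is a candidate for the close-session behaviour described.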