[OpenAFS] Token discarded after logout
Jared Smith
sjaredj@rfpdepot.com
Mon, 23 Oct 2006 11:21:59 -0600
I am fairly new to OpenAFS and have inherited an up-and-running system.
I am trying to move a setup from Suse 9.0 2.4.21-243-smp4G to Kubuntu
6.06 Dapper 2.6.15-27-386. I am running an Apache server that houses
documents on an AFS volume. Currently on Suse we are running the
reauth.pl script that was written by Martin Schulz, and it works
perfectly: tokens are renewed and the webserver has access to documents
on AFS. However, on my new setup I can get the script to start up fine
and obtain tokens, but if I log into the shell as the same user as my
webserver and then log out, the tokens get destroyed and my webserver no
longer has access to the docs on AFS. Another thing that kills the
tokens is a cron job that runs every 10 minutes, which logs in as the
webserver user, does a few things, then logs out.

I have spent some time googling this behavior and it appears that either
changes between the two different kernels or changes between AFS clients
have caused an unlog anytime the user is logged out, where in the past,
either by defect or by design, the tokens were left untouched.

Does anyone have a suggestion on how to keep my token alive?

Here is how I have my PAM modules set up.

account sufficient pam_krb5.so
account sufficient pam_ldap.so
account required pam_unix.so
auth required pam_nologin.so
auth [success=ok default=1] pam_krb5.so ignore_root debug use_first_pass forwardable
auth [default=done] pam_openafs_session.so debug
auth required pam_unix.so nullok_secure try_first_pass
auth required pam_env.so
session optional pam_krb5.so
session optional pam_openafs_session.so
session optional pam_ldap.so
session required pam_unix.so
session optional pam_lastlog.so # [1]
session optional pam_motd.so # [1]
session required pam_limits.so

Thanks,
Jared