[OpenAFS] Token discarded after logout

Douglas E. Engert deengert@anl.gov
Mon, 23 Oct 2006 13:02:57 -0500


Jared Smith wrote:

> I am fairly new to openafs and have inherited an up and running system.
> I am trying to move a setup from Suse 9.0 2.4.21-243-smp4G to Kubuntu
> 6.06 Dapper 2.6.15-27-386.  I am running an apache server that houses
> documents on an afs volume.  Currently on suse we are running the
> reauth.pl script that was written by Martin Schulz and it works
> perfectly: tokens are renewed and the webserver has access to documents on
> afs.  However, on my new setup I can get the script to start up fine and
> obtain tokens, but if I log into the shell as the same user as my
> webserver and then log out, the tokens get destroyed and my webserver no
> longer has access to the docs on afs.  Another thing that kills the
> tokens is a cron job that runs every 10 minutes, logs in as the
> webserver user, does a few things, then logs out.
> I have spent some time googling this behavior and it appears that either
> changes between the two different kernels or changes between afs clients
> have caused an unlog any time the user logs out, where in the past,
> either by defect or by design, the tokens were left untouched.
> Does anyone have a suggestion on how to keep my token alive?

Sounds like PAM used to get a PAG and now it is not, and thus tokens
are shared based on UID. In the short term, if you are willing
to live with per-user tokens, you could comment out:

session optional pam_openafs_session.so

as the token should have been gotten by the
auth [default=done] pam_openafs_session.so
as it is called by pam_sm_setcred.  The call to
pam_sm_close_session is doing an unlog and deleting the
user-based token rather than the PAG-based token.

It's worth trying until the PAG issue is resolved.


We are using something called pam_afs2.so that should not
have this problem, as it relies on a syscall or open
of /proc/fs/openafs/afs_ioctl to get a PAG rather
than relying on the aklog -setpag option.


> 
> Here is how I have my pam modules set up.
> 
> account         sufficient      pam_krb5.so
> account         sufficient      pam_ldap.so
> account         required        pam_unix.so
> 
> auth    required                pam_nologin.so
> auth    [success=ok default=1]  pam_krb5.so ignore_root debug use_first_pass forwardable
> auth    [default=done]          pam_openafs_session.so debug
> auth    required                pam_unix.so nullok_secure try_first_pass
> auth    required                pam_env.so
> 
> session         optional        pam_krb5.so
> session         optional        pam_openafs_session.so
> session         optional        pam_ldap.so
> session         required        pam_unix.so
> session         optional        pam_lastlog.so # [1]
> session         optional        pam_motd.so # [1]
> session         required        pam_limits.so
> 
> Thanks,
> Jared
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
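The short-term workaround from the reply above, written out as an added example (not configuration from the original thread): the session stack with the pam_openafs_session.so entry commented out, and the auth-stack entry left in place so tokens are still obtained through pam_sm_setcred. The file names /etc/pam.d/common-auth and /etc/pam.d/common-session are assumed; the actual layout depends on the distribution.

```text
# /etc/pam.d/common-auth  (assumed file name; the auth stack as posted, unchanged)
auth    required                pam_nologin.so
auth    [success=ok default=1]  pam_krb5.so ignore_root debug use_first_pass forwardable
# Tokens are obtained here, from pam_sm_setcred, once the Kerberos credential exists.
auth    [default=done]          pam_openafs_session.so debug
auth    required                pam_unix.so nullok_secure try_first_pass
auth    required                pam_env.so

# /etc/pam.d/common-session  (assumed file name)
session optional  pam_krb5.so
# Disabled: pam_sm_close_session in this module runs an unlog on logout, and
# when the login has no PAG that unlog removes the UID-keyed tokens that the
# web server process is sharing. Cost of disabling it: every process of this
# UID now shares one set of tokens instead of getting a PAG of its own.
#session optional  pam_openafs_session.so
session optional  pam_ldap.so
session required  pam_unix.so
session optional  pam_lastlog.so
session optional  pam_motd.so
session required  pam_limits.so
```

To confirm the change took effect, log in and out (and let the 10-minute cron job fire) as the web-server user, then run `tokens` from a shell of that user: the token obtained by the reauth script should still be listed.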