[OpenAFS] Token discarded after logout

Jared Smith sjaredj@rfpdepot.com
Mon, 23 Oct 2006 13:41:07 -0600


Douglas,

Commenting out "session optional pam_openafs_session.so" worked!!!  I am 
able to log in and out without affecting the tokens, plus the cron job is 
not killing the tokens.  Thanks for the quick response.

Jared

Douglas E. Engert wrote:
>
>
> Jared Smith wrote:
>
>> I am fairly new to OpenAFS and have inherited an up and running 
>> system.  I am trying to move a setup from Suse 9.0 2.4.21-243-smp4G 
>> to Kubuntu 6.06 Dapper 2.6.15-27-386.  I am running an Apache server 
>> that houses documents on an AFS volume.  Currently on Suse we are 
>> running the reauth.pl script that was written by Martin Schulz, and it 
>> works perfectly: tokens are renewed and the webserver has access to 
>> documents on AFS.  However, on my new setup I can get the script to 
>> start up fine and obtain tokens, but if I log into the shell as the 
>> same user as my webserver and then log out, the tokens get destroyed and 
>> my webserver no longer has access to the docs on AFS.  Another thing 
>> that kills the tokens is a cron job that runs every 10 minutes, which 
>> logs in as the webserver user, does a few things, then logs out.
>> I have spent some time googling this behavior and it appears that 
>> either changes between the two different kernels or changes between 
>> AFS clients have caused an unlog any time the user is logged out, where 
>> in the past, either by defect or by design, the tokens were left 
>> untouched.
>> Does anyone have a suggestion on how to keep my token alive?
>
> Sounds like PAM used to get a PAG and now it is not, and thus tokens
> are shared based on UID. In the short term, if you are willing
> to live with per-user tokens, you could comment out:
>
> session optional pam_openafs_session.so
>
> as the token should have been gotten by the
> auth [default=done] pam_openafs_session.so
> as it is called by pam_sm_setcred.  The call to
> pam_sm_close_session is doing an unlog and deleting the
> user-based token rather than the PAG-based token.
>
> It's worth trying until the PAG issue is resolved.
>
>
> We are using something called pam_afs2.so that should not
> have this problem as it relies on a syscall or open
> of the /proc/fs/openafs/afs_ioctl to get a PAG rather
> than relying on the aklog -setpag option.
>
>
>>
>> Here is how I have my pam modules set up.
>>
>> account         sufficient      pam_krb5.so
>> account         sufficient      pam_ldap.so
>> account         required        pam_unix.so
>>
>> auth    required                pam_nologin.so
>> auth    [success=ok default=1]  pam_krb5.so ignore_root debug use_first_pass forwardable
>> auth    [default=done]          pam_openafs_session.so debug
>> auth    required                pam_unix.so nullok_secure try_first_pass
>> auth    required                pam_env.so
>>
>> session         optional        pam_krb5.so
>> session         optional        pam_openafs_session.so
>> session         optional        pam_ldap.so
>> session         required        pam_unix.so
>> session         optional        pam_lastlog.so # [1]
>> session         optional        pam_motd.so # [1]
>> session         required        pam_limits.so
>>
>> Thanks,
>> Jared
>>
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>
>>
>
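The diagnosis in the thread is that the session was no longer being placed in a PAG, so tokens were held per UID and the unlog at session close took the webserver's tokens with it. As an added example (not from the thread, OpenAFS or its PAM modules), the Python below decodes the PAG, if any, from a process's supplementary group list so an admin can confirm a login session actually received a PAG before relying on per-PAG token isolation. The two group-ID encodings (the older pair of GIDs offset by 0x3f00, and the newer single GID whose top byte is 'A') are written from memory of the OpenAFS Linux client's osi_groups.c and should be treated as an assumption to check against your client version.

```python
import os

PAG_MAGIC = ord("A")  # every PAG value carries 0x41 ('A') in its top byte


def pag_from_two_groups(g0, g1):
    """Older Linux encoding (assumed, per osi_groups.c): two GIDs offset by 0x3f00."""
    g0 -= 0x3F00
    g1 -= 0x3F00
    if not (0 <= g0 < 0xC000 and 0 <= g1 < 0xC000):
        return None
    low = ((g0 & 0x3FFF) << 14) | (g1 & 0x3FFF)
    high = (g0 >> 14) + 3 * (g1 >> 14)
    pag = (high << 28) | low
    return pag if (pag >> 24) & 0xFF == PAG_MAGIC else None


def pag_from_one_group(g):
    """Newer encoding (assumed): the PAG value itself is one supplementary GID."""
    return g if (g >> 24) & 0xFF == PAG_MAGIC else None


def pag_from_groups(groups):
    """Return the PAG encoded in a supplementary group list, or None if there is none."""
    groups = list(groups)
    for i, g in enumerate(groups):
        pag = pag_from_one_group(g)
        if pag is None and i + 1 < len(groups):
            pag = pag_from_two_groups(g, groups[i + 1])
        if pag is not None:
            return pag
    return None


def groups_from_pag(pag):
    """Inverse of pag_from_two_groups; used here only to build constructed test input."""
    pag &= 0x7FFFFFFF
    g0 = (0x3FFF & (pag >> 14)) | (((pag >> 28) // 3) << 14)
    g1 = (0x3FFF & pag) | (((pag >> 28) % 3) << 14)
    return g0 + 0x3F00, g1 + 0x3F00


def current_pag():
    """PAG of the running process, read from its real supplementary groups."""
    return pag_from_groups(os.getgroups())


if __name__ == "__main__":
    pag = current_pag()
    print("in PAG 0x%08x" % pag if pag is not None else "NO PAG: tokens are shared per UID")
```

Run it from a fresh login shell (and from the cron job's environment) to see whether each gets its own PAG; a "NO PAG" result means any unlog in that session hits the UID-wide tokens.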