[OpenAFS] Problems between group-based PAGs and linux kernel keyrings

Dr A V Le Blanc Dr A V Le Blanc <LeBlanc@mcc.ac.uk>
Wed, 17 Jun 2009 09:35:36 +0100

When I was at Stanford earlier this month I reported in private
conversation that the behaviour of PAGs and kernel keyrings was
odd on some recent kernels.  (I thought this was to Derrick
Brashear, but it may not have been.)

Here for instance is a problem with a machine running,
with kernel module based on 1.4.10 with Russ Albery's Debian patches.
The user space utilities are also 1.4.10.  The machine is running
Debian lenny.

I log in under gdm, which knows nothing of afs, and in a window,
I get a new PAG.  'keyctl show' shows that the session number for
the afs_pag has changed.  I am also careful to have a randomised name
for my kerberos credentials file.  In this new PAG I kinit and run aklog.
I now have tokens.

I open a new window, which should not be in the same PAG, and type
'tokens'.  I have tokens!  Somehow my PAG has got taken over by the
window manager, or so it appears.  In the past, with group-based
PAGs, this could not happen.  Now it seems my credentials can wander
out of the process and the PAG into which I tried to isolate them.

Is this expected behaviour?  I would not have thought so.

Also, someone at Stanford said that it is possible to compile openafs
in such a way that it tries to rely completely on the new keyrings,
disabling the special AFS groups.  Is this true?  How is it done?
And will this (probably not) make a difference to my difficulty?

     -- Owen