[OpenAFS-devel] pam_afs.krb.so.1 ticket file naming problem (from OpenAFS 1.2.1 on)
Derrick J Brashear
shadow@dementia.org
Fri, 2 Nov 2001 02:50:13 -0500 (EST)
On Thu, 1 Nov 2001, Jaroslaw Polok wrote:
> I recently saw a problem with Kerberos ticket file
> naming:
>
> all users logging in (telnet) on a (Linux) system get the same
> ticket file name:
>
> /tmp/tkt0
>
> thus subsequent logins overwrite other people's
> ticket file.
>
> Looking at the code and following execution of the call to
> pam_afs it seems that ktc_set_tkt_string(val) is not
> called before ktc_tkt_string() in the auth sequence and
> as a result the ticket file name is always built from:
>
> sprintf(krb_ticket_string, "%s%d",TKT_ROOT,getuid());
>
> (within ktc_tkt_string())
>
> which would always give /tmp/tkt0 as ticket file name ...
>
> This looks like a bug introduced somewhere in between
> OpenAFS 1.1.1 (where it was OK) and 1.2.1 (1.2.2 suffers
> from the same problem too). ?
Previously the code in afs_auth.c which called ka_VerifyUserPassword
set KA_USERAUTH_DOSETPAG in addition to KA_USERAUTH_VERSION whereas now
setpag() is called explicitly. I believe if after the calls to setpag() in
afs_auth.c and afs_setcred.c you add:

    #ifdef AFS_KERBEROS_ENV
    ktc_newpag();
    #endif

and compile, it will fix your problem.
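
Added example, not part of the original messages and not OpenAFS code: a simplified C model of the naming behaviour discussed in this thread, showing why a login process running as uid 0 yields /tmp/tkt0 for every user unless a per-session name is set first. The model_* functions, the session ids and the "p<id>" name format are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define TKT_ROOT "/tmp/tkt"   /* prefix implied by the /tmp/tkt0 in the report */

/* Hypothetical model of the library's cached ticket file name. */
static char model_ticket_string[256];

/* Model of ktc_set_tkt_string(): record an explicit name. */
static void model_set_tkt_string(const char *val) {
    snprintf(model_ticket_string, sizeof model_ticket_string, "%s", val);
}

/* Model of ktc_tkt_string(): fall back to TKT_ROOT + uid when unset.
 * caller_uid stands in for getuid() so the login daemon can be simulated. */
static const char *model_tkt_string(unsigned caller_uid) {
    if (model_ticket_string[0] == '\0')
        snprintf(model_ticket_string, sizeof model_ticket_string,
                 "%s%u", TKT_ROOT, caller_uid);
    return model_ticket_string;
}

/* Assumed per-session naming step: name the file after a session id
 * (the role the reply gives to ktc_newpag(); the format is assumed). */
static void model_new_session(unsigned long session_id) {
    char name[256];
    snprintf(name, sizeof name, "%sp%lu", TKT_ROOT, session_id);
    model_set_tkt_string(name);
}

/* Simulate one login handled by a uid-0 process; copy the name into out. */
static void simulate_login(int name_session, unsigned long session_id,
                           char *out, size_t outlen) {
    model_ticket_string[0] = '\0';          /* fresh process per login */
    if (name_session)
        model_new_session(session_id);
    snprintf(out, outlen, "%s", model_tkt_string(0)); /* login runs as root */
}

int main(void) {
    char a[256], b[256];
    simulate_login(0, 0, a, sizeof a);
    simulate_login(0, 0, b, sizeof b);
    printf("no per-session name: %s vs %s\n", a, b);
    simulate_login(1, 1001, a, sizeof a);   /* constructed session ids */
    simulate_login(1, 1002, b, sizeof b);
    printf("per-session name:    %s vs %s\n", a, b);
    return 0;
}
```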