[OpenAFS-devel] Get no token when su-ing with sudo

Frank Bagehorn FBA@zurich.ibm.com
Wed, 27 Mar 2002 19:13:34 +0100


It's the sudo that knows about the AFS, not the su.

As a non-root user I'm authenticating to AFS. (It's a larger environment with several administrators and several hundred users. Authentication is done via NIS for user information and AFS for the password. Home folders are in AFS. Works well and gives you a single sign-on under both AIX and Linux.) So the sudo is asking for my non-root password (AFS password) and then checks whether I'm allowed to do 'su' on that machine before it lets me in.

root is a local user on the machines, so I'm already using the 'ignore_root' setting in the PAM configuration. I have now added the 'refresh_tokens' option, but that doesn't change the behavior at all. I still end up without a token after I've typed in the password.

Frank

----------------------------------------------------------------------
Dr. Frank Bagehorn
IBM Zurich Research Lab.
Saeumerstr. 4
CH-8803 Rueschlikon 
Switzerland
----------------------------------------------------------------------
SMTP: fba@zurich.ibm.com
Notes: Frank Bagehorn/Zurich/IBM@IBMCH
phone: ++41 (01) 724 83 23  fax: ++41 (01) 724 89 59



Charles Clancy <security@xauth.net>
03/27/2002 18:08
Please respond to Charles Clancy

        To:     Frank Bagehorn/Zurich/IBM@IBMCH
        cc:     openafs-devel@openafs.org
        Subject:        Re: [OpenAFS-devel] Get no token when su-ing with sudo


> Your best bet, probably, is to change sudo to not create a PAG.
> I don't know the magic pam_afs incantation..  Perhaps -no-setpag?

There's no "no-setpag"; you have to use "refresh_tokens", so:
                 su auth sufficient /usr/lib/pam_afs.so.1 refresh_tokens

Of course, for su-ing to root, this would also work just as well:
                 su auth sufficient /usr/lib/pam_afs.so.1 ignore_root

I assume "su" is the one that knows about pam_afs, not "sudo" itself.
If all you are ever doing is sudo su-ing to root, why even have pam_afs
involved at all?  That password it's prompting you for -- is that sudo
asking for the password of some AFS user, or su asking you for the root
password?  If you're not authenticating to AFS, then get rid of pam_afs,
and your PAG problems will go away.

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
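The thread turns on whether a token actually survives the sudo/su step, and the only reliable way to tell is to compare what `tokens` reports in the original shell with what it reports in the shell you land in. The script below is an added example for that check; it is not code from the thread, from OpenAFS or from either poster. It parses the line format the OpenAFS `tokens` command prints ("... tokens for afs@CELL [Expires ...]", or "[>> Expired <<]" for a token that has run out). The cell names (cell.example, other.example) are hypothetical, and the sample `tokens` output is constructed so the parsers can be exercised without an AFS client.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenAFS): tell whether the
# current PAG holds a usable AFS token by parsing `tokens` output.
#
# `tokens` prints one line per cell, e.g.
#   User's (AFS ID 1234) tokens for afs@cell.example [Expires Mar 28 05:13]
# and "[>> Expired <<]" instead of the expiry once the token has run out.

# Constructed sample of `tokens` output (not captured from a real machine),
# used to exercise the functions below offline.  Cell names are hypothetical.
sample_tokens_output() {
    cat <<'EOF'
Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@cell.example [Expires Mar 28 05:13]
User's (AFS ID 1234) tokens for afs@other.example [>> Expired <<]
   --End of list--
EOF
}

# token_cells: read `tokens` output on stdin and print one cell name per
# line for every token line found, expired or not.
token_cells() {
    sed -n 's/.*tokens for afs@\([^ ]*\) \[.*/\1/p'
}

# has_valid_token CELL: read `tokens` output on stdin; exit 0 only if an
# unexpired token for exactly CELL is listed (the trailing " [" keeps
# cell.example from matching cell.example.com).
has_valid_token() {
    cell="$1"
    grep -F "tokens for afs@${cell} [" | grep -v -q 'Expired'
}

# check_token CELL: run the real `tokens` command and report.  Returns 0 when
# this PAG has a usable token for CELL, 1 when it does not, 2 when the
# OpenAFS client tools are not installed.  Run it once in your own shell and
# once more after `sudo su -`; a 0 followed by a 1 is the symptom from the
# thread (a fresh PAG without tokens).
check_token() {
    cell="$1"
    if ! command -v tokens >/dev/null 2>&1; then
        echo "tokens: command not found (OpenAFS client installed?)" >&2
        return 2
    fi
    if tokens | has_valid_token "$cell"; then
        echo "ok: this PAG holds a valid token for ${cell}"
        return 0
    fi
    echo "no usable token for ${cell} in this PAG" >&2
    return 1
}

# Offline demonstration against the constructed sample.
echo "cells listed: $(sample_tokens_output | token_cells | tr '\n' ' ')"
if sample_tokens_output | has_valid_token cell.example; then
    echo "cell.example: valid token"
fi
if ! sample_tokens_output | has_valid_token other.example; then
    echo "other.example: token expired or missing"
fi
```

If `check_token` succeeds before `sudo su -` and fails afterwards, the new shell is in a fresh PAG that nothing populated, which is the situation the 'refresh_tokens' and 'ignore_root' options in the thread are meant to address; if it fails in both shells, the problem is upstream of su entirely.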