[OpenAFS-devel] Get no token when su-ing with sudo

Charles Clancy security@xauth.net
Wed, 27 Mar 2002 14:23:41 -0600 (CST)


> root is a local user on the machines, so I'm using the 'ignore_root'
> setting in the PAM configuration already. I added now the
> 'refresh_tokens' option, but that doesn't change the behavior at all.
> I still end up without a token after I typed in the password.

Okay -- it looks like a bug (or at least incompatibility) with sudo.  The
sudo PAM client calls "pam_authenticate" on the AFS user authenticating,
but then calls "pam_setcred" and "pam_open_session" on the user you're
switching to.  PAM (at least the pam_afs module) isn't designed to
authenticate as one user, and then open a session for another.  You might
try further playing around with the "set_token" and "refresh_token"
options to the pam_afs module in the authentication phase.

In general, to make this work, sudo would need two PAM clients.  The
first, maybe using settings in /etc/pam.d/sudo-user1, would perform the
authentication and setcred.  Then perhaps use settings in
/etc/pam.d/sudo-user2 to do another setcred as the user you're switching
to, followed by an open_session.

It wouldn't be too hard to patch sudo's auth/pam.c to fix this problem,
however I suggest you try using its supported AFS or krb4 (or krb5!)
authentication mechanisms, because the PAM client seems pretty broken.

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
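The two-stack layout sketched in the reply above, written out as a pair of PAM service files. This is an added illustration, not configuration from the original post, from OpenAFS or from sudo: the file names sudo-user1 and sudo-user2 and the pam_afs options ignore_root, set_token and refresh_token are the ones named in the thread, while the module ordering, the pam_unix.so account line and the comments describing which PAM call walks which stack are assumptions.

```text
# Hypothetical /etc/pam.d/sudo-user1 -- a PAM handle started as the
# *invoking* AFS user.  pam_authenticate() and the first pam_setcred()
# both walk this "auth" stack, so the token is obtained for the user
# who actually typed the password.
auth     required   pam_afs.so ignore_root set_token
account  required   pam_unix.so

# Hypothetical /etc/pam.d/sudo-user2 -- a second PAM handle started as
# the *target* user.  Only pam_setcred() and pam_open_session() are
# called against this stack; no password is asked for here.  Which of
# set_token / refresh_token is right depends on the pam_afs version's
# documented semantics, so treat the option choice as a placeholder.
auth     required   pam_afs.so ignore_root refresh_token
session  required   pam_afs.so
```

On its own this pair of files changes nothing, because stock sudo opens a single PAM handle under one service name and drives all four calls through it; the split only helps once sudo's auth/pam.c is patched to run the two phases under separate handles as the reply describes. Until then the reply's suggestion stands: sudo's native AFS or Kerberos authentication paths avoid the problem entirely.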