[OpenAFS-devel] klog (the kaserver kind) and PAGs on x86_64

Simon Wilkinson sxw@inf.ed.ac.uk
Thu, 3 Jan 2008 12:04:58 +0000


On 3 Jan 2008, at 11:47, Atro Tossavainen wrote:

> Can somebody please explain to me why a "klog -setpag account" does
> not produce a token on CentOS 4.6 x86_64?  "klog account" does generate
> a token, without a PAG (so root su'ing to the user gets it).  Logging
> in via pam_afs.so does (and "groups" shows the two anon groups, and
> root su'ing to the user does not get the token).

It's to do with the way that PAGs are created in each of these cases.
When you run klog -setpag, you have a process tree that looks like
shell->klog (so, when klog exits, control returns to the shell) - in
order to be able to set the PAG, klog must change the PAG of its
parent process. Both finding the identity of the parent process, and
then forcing it into a particular PAG, require all sorts of kernel
fiddling which doesn't work on some kernels and architectures. By
contrast, when you log in and use a PAM module, then the PAG is created
by the module itself, so the login (or ssh, or ...) process ends up
in that PAG, and the child just inherits the PAG from its parent.

In addition, there are some odd bugs with the ways in which aklog
-setpag doesn't work on some Linux variants - RT #57154 has more details.

Simon.