[OpenAFS-devel] PAG missing after SSH login
Simon Wilkinson
sxw@inf.ed.ac.uk
Fri, 7 Nov 2008 16:11:30 +0000
On 6 Nov 2008, at 15:35, Carsten Jacobi wrote:
> So, in case I understand the group concept of AFS correctly, the
> setgroups() system call must be intercepted by the AFS client in order to
> preserve the PAG-ID that would otherwise be removed with the setgroups()
> sys call.
This is true if you are using group based PAGs. On Linux kernels
which have keyring support enabled, keyrings are used to propagate
PAG information across initgroups - the setgroups syscall no longer
needs to be hooked for these kernels.
It's possible that the kernel you are running has been compiled
without keyring support, or that something in your PAM stack is
resetting the PAG that has been created by the AFS module (there's a
keyinit module which can cause this to happen).
> Does the AFS client for Linux work without the AFS system call?
Yes, it does. On Linux, the AFS system call has been replaced with a
special file in /proc/openafs, on which ioctl operations are performed.
> The problem I see here is that the condition strikes so early that no
> header file that could bring in the variable is included and so the whole
> c-source is ignored.
This problem was fixed by linux-probe-syscall-table-again-20080703 -
the fix will be in 1.4.8.
> For me it seems the AFS system call has somewhat become obsolete, but the
> setgroups() interception is still necessary to make openafs a reasonable
> solution for everybody who wants to use AFS on login servers.
In future, I think it's likely that keyrings are going to be required
in order to get decent PAG support. This is already true on some
platforms, where the entire syscall table is read only, and even if
we can find it, we can't patch it.
Cheers,
Simon.
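The two PAG mechanisms discussed in this thread (a PAG carried as a supplementary group versus one carried as a key in the session keyring) can both be checked from userspace, which is the first thing to do when a login arrives without a PAG. The script below is an added example written for this archive page, not code from OpenAFS or from either poster. It assumes the new-style group encoding OpenAFS uses on Linux (a single gid whose top byte is 0x41) and the `afs_pag` key type the OpenAFS module registers; both are taken from OpenAFS's Linux client conventions and are exposed as constants so they can be adjusted if a build differs. The sample `/proc/self/status` and `/proc/keys` text is constructed; `diagnose_live()` reads the real files when run on a host.

```python
#!/usr/bin/env python3
"""Check whether the current login session carries an OpenAFS PAG.

A PAG can be propagated in two ways on Linux (see the thread above):
  * group-based: a supplementary gid with a recognisable prefix, which
    setgroups()/initgroups() would discard unless the client intercepts it;
  * keyring-based: an 'afs_pag' key in the session keyring, which survives
    initgroups() on kernels built with keyring support.
"""

# Assumed OpenAFS new-style PAG group encoding: top byte 0x41 ('A').
PAG_GROUP_PREFIX = 0x41000000
PAG_GROUP_MASK = 0xFF000000
# Assumed key type name registered by the OpenAFS Linux module.
PAG_KEY_TYPE = "afs_pag"


def pag_from_groups(gids):
    """Return the gid that encodes a PAG, or None if no group-based PAG."""
    for gid in gids:
        if (gid & PAG_GROUP_MASK) == PAG_GROUP_PREFIX:
            return gid
    return None


def groups_from_proc_status(status_text):
    """Parse the 'Groups:' line of a /proc/<pid>/status file into ints."""
    for line in status_text.splitlines():
        if line.startswith("Groups:"):
            return [int(g) for g in line.split()[1:]]
    return []


def pag_key_in_proc_keys(keys_text):
    """True if /proc/keys lists a key of the PAG key type.

    /proc/keys rows are: serial flags usage timeout perms uid gid type desc
    (the 'type' column is the 8th whitespace-separated token).
    """
    for line in keys_text.splitlines():
        fields = line.split()
        if len(fields) >= 8 and fields[7] == PAG_KEY_TYPE:
            return True
    return False


def diagnose(status_text, keys_text):
    """Summarise which PAG mechanism (if any) is present in this session."""
    group_pag = pag_from_groups(groups_from_proc_status(status_text))
    keyring_pag = pag_key_in_proc_keys(keys_text)
    return {
        "group_pag": group_pag,          # gid or None
        "keyring_pag": keyring_pag,      # bool
        "has_pag": group_pag is not None or keyring_pag,
    }


def diagnose_live():
    """Run the check against the real /proc files on a Linux host."""
    with open("/proc/self/status") as f:
        status_text = f.read()
    try:
        with open("/proc/keys") as f:
            keys_text = f.read()
    except OSError:
        keys_text = ""   # no keyring support compiled in, or /proc/keys hidden
    return diagnose(status_text, keys_text)


# Constructed sample inputs (not captured from a real host).
STATUS_WITH_GROUP_PAG = "Name:\tbash\nUid:\t1000\nGroups:\t4 24 1090519041 \n"
STATUS_NO_PAG = "Name:\tbash\nUid:\t1000\nGroups:\t4 24 \n"
KEYS_WITH_PAG = (
    "2e8b3e5a I--Q---     1 perm 3f030000     0     0 keyring   _ses: 1\n"
    "1a2b3c4d I--Q---     1 perm 3f010000  1000  1000 afs_pag   _pag\n"
)
KEYS_NO_PAG = "2e8b3e5a I--Q---     1 perm 3f030000     0     0 keyring   _ses: 1\n"

if __name__ == "__main__":
    print("sample with group PAG:  ", diagnose(STATUS_WITH_GROUP_PAG, KEYS_NO_PAG))
    print("sample with keyring PAG:", diagnose(STATUS_NO_PAG, KEYS_WITH_PAG))
    print("sample with no PAG:     ", diagnose(STATUS_NO_PAG, KEYS_NO_PAG))
```

Run it inside a fresh SSH session: if `has_pag` is False while a local `pagsh` session reports True, the PAG is being dropped between the AFS module creating it and the shell starting, which points at the PAM stack (for example a keyinit module replacing the session keyring) rather than at the AFS client itself.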