[OpenAFS] afs throws tokens away (linux)

FBO fbo2@gmx.net
Sun, 4 Aug 2002 10:32:16 +0200


Hi all,

On Fri, Aug 02, 2002 at 02:49:34PM +0200, Friedrich Delgado Friedrichs wrote:
[snip]
> > Is something else starting a session for the same uid that owns these
> > tokens?
> Uhm, I'm not sure what you mean by session. I usually run a lot of
> shells, but they are all using the same krb5 credentials cache and
> (presumably) the same afs tokens.
> 
> If I log in at a different console, or via ssh, a new krb cc is used and
> the krb5 tokens and the afs token have a different expiry time than that
> from the first "session", so I assume it is a different token.
> 
> I'm not sure how I could find out if "something else" is "starting a
> session for the same uid that owns these tokens".

AFAIK /var/log/auth.log will show any (PAM) session that is started.



> Do you mean some sort of cronjob that authenticates with afs? On my home
> machine, procmail does this to write to my mailbox files, however at
> work I don't use such a setup.

Cron jobs are covered by auth.log, too.



> Or do you mean some process that does a "su" to my uid, without
> authenticating?

Do you mean processes doing setuid()? This should not influence
other sessions because setuid() doesn't know anything about Kerberos
or AFS, only PAM does. "su" itself uses PAM but AFAIK it's not a
good idea to have Kerberos or AFS modules in its PAM rules.



Best regards,

FBO
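
One way to run the auth.log check suggested above, as an added example that is not part of the original message: it lists every PAM session opened for one user, by service and pid, and pairs each with its close. It assumes the pam_unix line layout of current Linux syslog; the host, users and log lines are constructed.

```python
import re

# Constructed sample in the syslog layout written by pam_unix (assumed format).
SAMPLE_LOG = """\
Aug  2 09:01:12 ws1 sshd[2101]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Aug  2 09:15:01 ws1 CRON[2250]: pam_unix(cron:session): session opened for user alice by (uid=0)
Aug  2 09:15:02 ws1 CRON[2250]: pam_unix(cron:session): session closed for user alice
Aug  2 09:20:44 ws1 su[2301]: pam_unix(su:session): session opened for user alice(uid=1000) by root(uid=0)
Aug  2 09:21:10 ws1 sshd[2400]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Aug  2 09:30:00 ws1 sshd[2101]: pam_unix(sshd:session): session closed for user alice
"""

# timestamp, host, program[pid], PAM service, open/close event, user name.
# The user may be logged as "alice" or "alice(uid=1000)"; both are accepted.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s[^\[\s]+\[(?P<pid>\d+)\]:\s"
    r"pam_unix\((?P<service>[^:]+):session\):\s"
    r"session (?P<event>opened|closed) for user (?P<user>[^\s(]+)"
)


def pam_sessions(log_text, user):
    """Return the sessions opened for `user`, in the order they were opened."""
    still_open = {}   # (service, pid) -> session record awaiting its close
    sessions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] != user:
            continue
        key = (m["service"], m["pid"])
        if m["event"] == "opened":
            record = {"service": m["service"], "pid": int(m["pid"]),
                      "opened": m["ts"], "closed": None}
            still_open[key] = record
            sessions.append(record)
        elif key in still_open:
            # A close with no matching open (log rotated away) is ignored.
            still_open.pop(key)["closed"] = m["ts"]
    return sessions


if __name__ == "__main__":
    for s in pam_sessions(SAMPLE_LOG, "alice"):
        print(f'{s["opened"]}  {s["service"]:<5} pid={s["pid"]}  '
              f'closed={s["closed"] or "still open"}')
```

Comparing the "opened" timestamps of cron or su sessions with the time the tokens disappeared shows whether another session for the same uid started at that moment.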