[OpenAFS] afs throws tokens away (linux)

Friedrich Delgado Friedrichs 6delgado@informatik.uni-hamburg.de
Sun, 4 Aug 2002 14:38:00 +0200


Hi!

FBO wrote:
> AFAIK /var/log/auth.log will show any (Pam-)session that is started.
> Cron-Jobs are covered by auth.log, too.

OK, I recall that the bug happened to me without any other pam-session
being started. I did a "watch tokens" in a shell, listened to mp3s and
edited a file in emacs, and the token disappeared.

Fortunately (for me), since I set up a second dbserver and a slave KDC
at work, the bug did not happen to me anymore. We'll see what the next
week brings. If this happens again, I'll look at the appropriate logs.

Am I correct in assuming that only pam-sessions throw away tokens automatically
(i.e. other than typing "unlog" manually)? Are there other mechanisms
leading to a token being discarded?

> Do you mean processes doing setuid() ? This should not influence
> other sessions because setuid() doesn't know anything about kerberos
> or afs, only pam does. "su" itself uses pam but AFAIK it's no
> good idea to have kerberos- or afs-modules in its pam-rules.

What if you want to su to an afs user? I don't see why that would be a
bad idea. Anyways, there was no such thing while I was testing, so
this is purely academic.

Kind regards
     Friedel
-- 
	Friedrich Delgado Friedrichs <friedel@nomaden.org>
Laziness led to the invention of the most useful tools.
