[OpenAFS] afs throws tokens away (linux)

FBO fbo2@gmx.net
Sun, 4 Aug 2002 17:06:03 +0200


Hi afs-fans,


On Sun, Aug 04, 2002 at 02:38:00PM +0200, Friedrich Delgado Friedrichs wrote:
> Hi!
>
> FBO wrote:
> &<
> > AFAIK /var/log/auth.log will show any (Pam-)session that is started.
> &<
> > Cron-Jobs are covered by auth.log, too.
> &<
> 
> Ok, I recall that the bug happened to me without any other pam-session
> being started. I did a "watch tokens" in a shell, listened to mp3s and
> edited a file in emacs, and the token disappeared.
> 
> Fortunately (for me), since I set up a second dbserver and a slave KDC
> at work, the bug did not happen to me anymore. We'll see what the next
> week brings. If this happens again, I'll look at the appropriate logs.
> 
> Am I correct in assuming that only pam-sessions throw away tokens automatically
> (i.e. other than typing "unlog" manually)? Are there other mechanisms
> leading to a token being discarded?
>
> > Do you mean processes doing setuid()? This should not influence
> > other sessions because setuid() doesn't know anything about kerberos
> > or afs, only pam does. "su" itself uses pam but AFAIK it's not a
> > good idea to have kerberos- or afs-modules in its pam-rules.
Please ignore my last sentence, it is not correct.

> 
> What if you want to su to an afs user? I don't see why that would be a
> bad idea. Anyways, there was no such thing while I was testing, so
> this is purely academic.
You're right.

Regards,

FBO