[OpenAFS] AFS && Apache

Tino Schwarze tino.schwarze@informatik.tu-chemnitz.de
Wed, 15 May 2002 11:10:36 +0200


On Wed, May 15, 2002 at 10:45:16AM +0200, Turbo Fredriksson wrote:

>     >> So it seems that 'aklog' doesn't use the KRB5CCNAME variable, and
>     >> that I get the token in the user shell...
> 
>     Russ> If you're using a K5 aklog
> 
> I do...
> 
> But destroying the ticket, deleting the cache file, I still have 
> a token.. (at least 'tokens' say so).

This is because the token is stored _in kernel_ (managed by the
appropriate AFS part of the kernel). The token is either associated to a
UID or to a PAG (process authentication group).

A PAG is a set of two group IDs (somewhere in the range of 32000-60000,
don't know it exactly now) which act like a magic cookie and are
inherited by _any_ child process.  Using PAGs (e.g. by issuing "klog
-setpag") is the safest way to use tokens since a simple "su $user" does
not give you the token.

IIRC there is no simple way to get rid of a PAG but to create a new one.
This way, you can have multiple shells with different tokens.

As stated by others, the Kerberos TGT is only used to get the token and
is not used any more later.

HTH! Tino.

-- 
             * LINUX - Where do you want to be tomorrow? *
                  http://www.tu-chemnitz.de/linux/tag/
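The "two group IDs acting as a magic cookie" that Tino describes can be made concrete. The block below is an added illustration, not part of his message and not OpenAFS's own code: it decodes the classic two-group PAG encoding (as I understand it from OpenAFS's `afs_osi_pag.c`, where both GIDs are offset by 0x3f00 and every PAG id carries 'A' in its top byte) and scans a process's group list for such a pair. The constants and the layout are an assumption to check against the source of the OpenAFS version you run; newer Linux clients may represent a PAG differently. The point for an administrator is that a process with no such pair in `id -G` (a fresh `su $user`, an Apache child that never ran `klog -setpag`) has no PAG and therefore shares, or lacks, whatever token is bound to its UID.

```python
# Added example (not from the original thread or from OpenAFS itself).
# Assumption: the classic two-GID PAG encoding of OpenAFS's afs_osi_pag.c.
# Verify the constants against your own OpenAFS version's source.
from typing import Optional, Sequence, Tuple

PAG_BASE = 0x3F00        # both PAG group IDs are offset by this value
PAG_MAGIC = ord("A")     # the top byte of a PAG id is 'A' (0x41)


def pag_to_groups(pag: int) -> Tuple[int, int]:
    """Split a 32-bit PAG id into the two supplementary GIDs that carry it."""
    pag &= 0x7FFFFFFF
    g0 = 0x3FFF & (pag >> 14)
    g1 = 0x3FFF & pag
    high = pag >> 28                 # top 3 bits are spread across both GIDs
    g0 |= (high // 3) << 14
    g1 |= (high % 3) << 14
    return g0 + PAG_BASE, g1 + PAG_BASE


def groups_to_pag(g0: int, g1: int) -> Optional[int]:
    """Inverse of pag_to_groups; returns None when the pair is not a PAG."""
    g0 -= PAG_BASE
    g1 -= PAG_BASE
    if not (0 <= g0 < 0xC000 and 0 <= g1 < 0xC000):
        return None
    low = ((g0 & 0x3FFF) << 14) | (g1 & 0x3FFF)
    high = (g1 >> 14) + 3 * (g0 >> 14)
    pag = (high << 28) | low
    # A pair of ordinary GIDs that happen to sit in the range is rejected
    # unless the reassembled id carries the 'A' marker.
    return pag if ((pag >> 24) & 0xFF) == PAG_MAGIC else None


def find_pag(groups: Sequence[int]) -> Optional[int]:
    """Scan a process's group list (e.g. the output of `id -G`) for a PAG pair."""
    for a, b in zip(groups, groups[1:]):
        pag = groups_to_pag(a, b)
        if pag is not None:
            return pag
    return None


if __name__ == "__main__":
    # Constructed sample: a shell after `klog -setpag` versus one after `su`.
    shell_with_pag = [1000, 33536, 32513, 4]       # 33536/32513 encode 0x41000001
    shell_after_su = [1000, 4, 24]
    print("setpag shell PAG:", hex(find_pag(shell_with_pag) or 0))
    print("su shell PAG    :", find_pag(shell_after_su))
```

Both GIDs of the sample pair fall in the 32000-60000 band Tino quotes from memory, which is why a PAG shows up in `id -G` as two otherwise meaningless high-numbered groups. Because the kernel keys tokens on this pair rather than on the Kerberos ticket cache, destroying the TGT or deleting the `KRB5CCNAME` file leaves `tokens` unchanged, exactly as Turbo observed.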