[OpenAFS] Token loss after su on linux 2.6

Russ Allbery rra@stanford.edu
Wed, 16 Aug 2006 12:18:44 -0700


Bob Hoffman <hoffman@cs.pitt.edu> writes:

> That was it.  I'm using the pam_afs.so module that came in
> openafs-client-1.4.1-rhel4.2.i386.rpm.
> In my /etc/pam.d/system_auth file, I had a "session" entry that called
> pam_afs.so.  Commenting
> that out allows the token to remain.  Now all I have to do is figure out
> what I broke by doing so.

> BTW, we're not running Kerberos 5 yet.  We still have the old AFS kaserver.

Indeed, it looks like the PAM module we currently distribute has that
problem.  It should really set some PAM session data during open_session
to say that it really did something and then only destroy tokens if that
flag is set, but I'm not sure how enthused anyone is about doing work on
the kaserver PAM modules at this point.  (Plus, it doesn't actually do
anything in open_session but instead does everything in auth, which is why
it doesn't work with privilege separation, but which is hard to fix given
the API it has to work with.)

Rather than disabling pam_afs session handling entirely, you probably just
want to put "no_unlog" on the option line for the session invocation of
that module.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
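The PAM layout the thread is discussing, as an added example that is not from the thread or from the OpenAFS distribution: a constructed /etc/pam.d/system-auth-style file with a bare pam_afs.so session entry (the configuration that drops the tokens when the su session closes), the same entry with no_unlog, and a small sh check that flags pam_afs.so session lines that lack no_unlog. The file contents, the temporary paths and the function names are assumptions made for the example; only the module name pam_afs.so and the no_unlog option come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenAFS.  Writes two
# constructed PAM service files and audits them for pam_afs.so session
# entries that will run unlog when the session closes.  Everything
# except the module name and the no_unlog option is an assumption.

# Constructed sample of the problem configuration: a pam_afs.so session
# line with no options, so close_session discards the tokens (this is a
# sketch, not a copy of the RHEL system-auth file).
write_sample_bad() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system-auth
auth        required      pam_env.so
auth        sufficient    pam_afs.so
auth        sufficient    pam_unix.so
account     required      pam_unix.so
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_afs.so
EOF
}

# Constructed sample of the corrected configuration: the same session
# entry with no_unlog, so closing the session leaves the tokens alone.
write_sample_good() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system-auth
auth        required      pam_env.so
auth        sufficient    pam_afs.so
auth        sufficient    pam_unix.so
account     required      pam_unix.so
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_afs.so no_unlog
EOF
}

# pam_afs_session_unlogs FILE
# Exit 0 if FILE has at least one non-comment "session" line that loads
# pam_afs.so without no_unlog (tokens will be lost at session close),
# exit 1 otherwise.  The anchored regex skips '#' comment lines.
pam_afs_session_unlogs() {
    grep -E '^[[:space:]]*session[[:space:]].*pam_afs\.so' "$1" \
        | grep -qv 'no_unlog'
}

# Stand-alone demo: run as "sh this.sh --demo".
main() {
    dir=$(mktemp -d)
    write_sample_bad "$dir/system-auth.bad"
    write_sample_good "$dir/system-auth.good"
    for f in "$dir/system-auth.bad" "$dir/system-auth.good"; do
        if pam_afs_session_unlogs "$f"; then
            echo "$f: pam_afs.so session entry without no_unlog (tokens lost on close)"
        else
            echo "$f: ok"
        fi
    done
    rm -rf "$dir"
}

case "${1:-}" in
    --demo) main ;;
esac
```

With no_unlog the module no longer destroys the tokens when the session closes, so they remain in the PAG until they expire or something runs unlog explicitly; the check above only reports the session lines, it does not touch a live configuration.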