[OpenAFS] Solaris 10 11/06 afs 1.4.2 pam module panic.
Marcus Watts
mdw@umich.edu
Mon, 18 Dec 2006 20:42:24 -0500
Some more interesting experiments.
How about:
    pagsh       setpag
    klog        get k4 tickets via ka, settoken
?
This should be a close duplicate of what pam_afs does.
or
    pagsh       setpag
    kinit       get k5 tickets
    aklog       settoken
?
This isn't quite as close to what pam_afs does, and
it gets k5 tickets which might behave in interesting
different ways.
Or this:
    sh
    klog -setpag
?
This is particularly tricky; it should cause the equivalent
to "pagsh" to happen in the parent. I suppose at any point
I'm suspicious of setpag, if only because you don't mention
it and I can't think what else might be different between
just klog and what pam does.
These two parameters may alter pam operation in interesting ways:
    use_klog
    refresh_token
"use_klog" causes pam to invoke klog instead of calling
ka_UserAuthenticateGeneral.
This "shouldn't" make a difference, but maybe it does.
"refresh_token" causes pam to not do setpag. This is the
moral equivalent of omitting "pagsh" or "-setpag" from the
above experiments.
It would be interesting to figure out how to run "truss"
on your errant su / pam interaction, but I'm not sure that
the interesting part at the very end will get printed
before the system panics.
The callback traces that you posted change; I'm guessing
most of that isn't relevant to the actual panic. I'm not
positive that this is so. If you've got some way to attach
a kernel debugger once it crashes, there is definitely
more to be learned.
-Marcus Watts