[OpenAFS] Solaris 10 11/06 afs 1.4.2 pam module panic.
Russ Allbery
rra@stanford.edu
Mon, 18 Dec 2006 17:49:39 -0800
Marcus Watts <mdw@umich.edu> writes:
> Some more interesting experiments.
> How about:
> pagsh setpag
> klog get k4 tickets via ka, settoken
> ?
> This should be a close duplicate of what pam_afs does.
pam_afs currently does the equivalent of:
pagsh
sh -c 'klog -setpag'
unless you explicitly tell it not to fork. I wonder if the -setpag may be
part of the problem here, as you say:
> Or this:
> sh
> klog -setpag
> ?
> This is particularly tricky; it should cause the equivalent
> to "pagsh" to happen in the parent. I suppose at any point
> I'm suspicious of setpag, if only because you don't mention
> it and I can't think what else might be different between
> just klog and what pam does.
Ayup.
> These two parameters may alter pam operation in interesting ways:
> use_klog
> refresh_token
> "use_klog" causes pam to invoke klog instead of calling
> ka_UserAuthenticateGeneral
> this "shouldn't" make a difference, but maybe it does.
dont_fork is the most interesting option here to me, since that prevents
the PAM module from doing the -setpag thing.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>