[OpenAFS] Solaris 10 11/06 afs 1.4.2 pam module panic.

Russ Allbery rra@stanford.edu
Mon, 18 Dec 2006 17:49:39 -0800

Marcus Watts <mdw@umich.edu> writes:

> Some more interesting experiments.
> How about:
> 	pagsh		setpag
> 	klog		get k4 tickets via ka, settoken
> 		?
> This should be a close duplicate of what pam_afs does.

pam_afs currently does the equivalent of:

    sh -c 'klog -setpag'

unless you explicitly tell it not to fork.  I wonder if the -setpag may be
part of the problem here, as you say:

> Or this:
> 	sh
> 	klog -setpag
> 		?
> This is particularly tricky; it should cause the equivalent
> to "pagsh" to happen in the parent.  I suppose at any point
> I'm suspicious of setpag, if only because you don't mention
> it and I can't think what else might be different between
> just klog and what pam does.


> These two parameters may alter pam operation in interesting ways:
> 	use_klog
> 	refresh_token
> "use_klog" causes pam to invoke klog instead of calling
> 	ka_UserAuthenticateGeneral
> this "shouldn't" make a difference, but maybe it does.

dont_fork is the most interesting option here to me, since that prevents
the PAM module from doing the -setpag thing.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>