[OpenAFS] Token discarded after logout

Jared Smith sjaredj@rfpdepot.com
Mon, 23 Oct 2006 11:21:59 -0600

I am fairly new to openafs and have inherited an up and running system.  
I am trying to move a setup from Suse 9.0 2.4.21-243-smp4G to Kubuntu 
6.06 Dapper 2.6.15-27-386.  I am running an apache server that houses 
documents on an afs volume.  Currently on suse we are running the 
reauth.pl script that was written by Martin Schulz and it works 
perfectly, tokens are renewed and webserver has access to documents on 
afs.  However on my new setup I can get the script to startup fine and 
obtain tokens but if I log into the shell as the same user as my 
webserver then logout, the tokens get destroyed and my webserver no 
longer has access to the docs on afs.  Another thing that kills the 
tokens is a cron job that runs every 10 minutes that logs in as the 
webserver user does a few things then logs out. 

I have spent some time googling this behavior and it appears that either 
changes between the two different kernels or changes between afs clients 
has caused an unlog anytime the user is logged out, where in the past 
either by defect or by design the tokens were left untouched. 

Does anyone have a suggestion on how to keep my token alive?

Here is how I have my pam modules set up.

account         sufficient      pam_krb5.so
account         sufficient      pam_ldap.so
account         required        pam_unix.so

auth    required                pam_nologin.so
auth    [success=ok default=1]  pam_krb5.so ignore_root debug 
use_first_pass forwardable
auth    [default=done]          pam_openafs_session.so debug
auth    required                pam_unix.so nullok_secure try_first_pass
auth    required                pam_env.so

session         optional        pam_krb5.so
session         optional        pam_openafs_session.so
session         optional        pam_ldap.so
session         required        pam_unix.so
session         optional        pam_lastlog.so # [1]
session         optional        pam_motd.so # [1]
session         required        pam_limits.so