[OpenAFS] Token discarded after logout
Douglas E. Engert
Mon, 23 Oct 2006 13:02:57 -0500
Jared Smith wrote:
> I am fairly new to openafs and have inherited an up and running system.
> I am trying to move a setup from Suse 9.0 2.4.21-243-smp4G to Kubuntu
> 6.06 Dapper 2.6.15-27-386. I am running an apache server that houses
> documents on an afs volume. Currently on suse we are running the
> reauth.pl script that was written by Martin Schulz and it works
> perfectly: tokens are renewed and the webserver has access to documents on
> afs. However, on my new setup I can get the script to start up fine and
> obtain tokens, but if I log into the shell as the same user as my
> webserver and then log out, the tokens get destroyed and my webserver no
> longer has access to the docs on afs. Another thing that kills the
> tokens is a cron job that runs every 10 minutes that logs in as the
> webserver user, does a few things, then logs out.
> I have spent some time googling this behavior and it appears that either
> changes between the two different kernels or changes between afs clients
> have caused an unlog any time the user is logged out, where in the past,
> either by defect or by design, the tokens were left untouched.
> Does anyone have a suggestion on how to keep my token alive?
Sounds like PAM used to get a PAG and now it is not, and thus tokens
are shared based on UID. In the short term, if you are willing
to live with per-user tokens, you could comment out:
session optional pam_openafs_session.so
as the token should have been gotten by the
auth [default=done] pam_openafs_session.so
as it is called by pam_sm_setcred. The call to
pam_sm_close_session is doing an unlog and deleting the
user-based token rather than the PAG-based token.
It's worth trying until the PAG issue is resolved.
We are using something called pam_afs2.so that should not
have this problem, as it relies on a syscall or open
of the /proc/fs/openafs/afs_ioctl to get a PAG rather
than relying on the aklog -setpag option.
> Here is how I have my pam modules set up.
> account sufficient pam_krb5.so
> account sufficient pam_ldap.so
> account required pam_unix.so
> auth required pam_nologin.so
> auth [success=ok default=1] pam_krb5.so ignore_root debug use_first_pass forwardable
> auth [default=done] pam_openafs_session.so debug
> auth required pam_unix.so nullok_secure try_first_pass
> auth required pam_env.so
> session optional pam_krb5.so
> session optional pam_openafs_session.so
> session optional pam_ldap.so
> session required pam_unix.so
> session optional pam_lastlog.so # 
> session optional pam_motd.so # 
> session required pam_limits.so
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
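The short-term workaround suggested above, applied as a script rather than by hand. This is an added example, not code from the thread or from OpenAFS: it writes a constructed copy of the PAM stack quoted in the mail to a temporary file (the real stack on Kubuntu 6.06 lives under /etc/pam.d/, an assumption here), comments out only the session-group pam_openafs_session.so line whose pam_sm_close_session runs unlog at logout, and verifies that the auth-group line that obtains the token is left active. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original thread). Applies the workaround of
# commenting out "session optional pam_openafs_session.so" so that logout
# of the webserver UID no longer unlogs the UID-shared token, while the
# "auth [default=done] pam_openafs_session.so" line keeps acquiring it.

# Write a constructed copy of the PAM stack quoted in the mail to $1.
make_sample_pam_stack() {
    cat > "$1" <<'EOF'
account sufficient pam_krb5.so
account sufficient pam_ldap.so
account required pam_unix.so
auth required pam_nologin.so
auth [success=ok default=1] pam_krb5.so ignore_root debug use_first_pass forwardable
auth [default=done] pam_openafs_session.so debug
auth required pam_unix.so nullok_secure try_first_pass
auth required pam_env.so
session optional pam_krb5.so
session optional pam_openafs_session.so
session optional pam_ldap.so
session required pam_unix.so
session optional pam_lastlog.so
session optional pam_motd.so
session required pam_limits.so
EOF
}

# Print the number of active (uncommented) lines in file $1 that load
# pam_openafs_session.so for management group $2 ("auth" or "session").
# Always exits 0 so it is safe under "set -e" when the count is zero.
count_active_openafs_lines() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" \
        | grep -c 'pam_openafs_session\.so' || true
}

# Comment out the session-group pam_openafs_session.so line(s) in file $1
# in place (keeping a .bak copy). The auth-group line is not touched.
# Returns 0 if at least one line was disabled, 1 otherwise.
disable_openafs_session_close() {
    before=$(count_active_openafs_lines "$1" session)
    sed -i.bak -E \
        's/^([[:space:]]*session[[:space:]].*pam_openafs_session\.so.*)$/# \1/' "$1"
    after=$(count_active_openafs_lines "$1" session)
    [ "$before" -gt "$after" ]
}

# Stand-alone run: build the sample stack, apply the change, show the result.
if [ "${0##*/}" = "pam_openafs_workaround.sh" ]; then
    stack=$(mktemp)
    make_sample_pam_stack "$stack"
    disable_openafs_session_close "$stack" && echo "session line disabled:"
    grep 'pam_openafs_session' "$stack"
    rm -f "$stack" "$stack.bak"
fi
```

As the mail notes, this trades PAG isolation for per-UID tokens: every process running as the webserver user then shares one token, so the cron job and interactive logins must no longer unlog it, but they also all act with its rights.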