[OpenAFS] Token discarded after logout
Mon, 23 Oct 2006 13:41:07 -0600
Commenting out "session optional pam_openafs_session.so" worked!!! I am
able to log in and out without affecting the tokens, plus the cron job is
not killing the tokens. Thanks for the quick response.
Douglas E. Engert wrote:
> Jared Smith wrote:
>> I am fairly new to openafs and have inherited an up and running
>> system. I am trying to move a setup from Suse 9.0 2.4.21-243-smp4G
>> to Kubuntu 6.06 Dapper 2.6.15-27-386. I am running an apache server
>> that houses documents on an afs volume. Currently on suse we are
>> running the reauth.pl script that was written by Martin Schulz and it
>> works perfectly, tokens are renewed and webserver has access to
>> documents on afs. However on my new setup I can get the script to
>> startup fine and obtain tokens but if I log into the shell as the
>> same user as my webserver then logout, the tokens get destroyed and
>> my webserver no longer has access to the docs on afs. Another thing
>> that kills the tokens is a cron job that runs every 10 minutes that
>> logs in as the webserver user does a few things then logs out.
>> I have spent some time googling this behavior and it appears that
>> either changes between the two different kernels or changes between
>> afs clients has caused an unlog anytime the user is logged out, where
>> in the past either by defect or by design the tokens were left
>> Does anyone have a suggestion on how to keep my token alive?
> Sounds like PAM used to get a PAG and now it is not, and thus tokens
> are shared based on UID. In the short term, if you are willing
> to live with per-user tokens, you could comment out:
> session optional pam_openafs_session.so
> as the token should have been gotten by the
> auth [default=done] pam_openafs_session.so
> as it is called by pam_sm_setcred. The call to
> pam_sm_close_session is doing an unlog and deleting the
> user-based token rather than the PAG-based token.
> It's worth trying until the PAG issue is resolved.
> We are using something called pam_afs2.so that should not
> have this problem as it relies on a syscall or open
> of the /proc/fs/openafs/afs_ioctl to get a PAG rather
> than relying on the aklog -setpag option.
>> Here is how I have my pam modules set up.
>> account sufficient pam_krb5.so
>> account sufficient pam_ldap.so
>> account required pam_unix.so
>> auth required pam_nologin.so
>> auth [success=ok default=1] pam_krb5.so ignore_root debug use_first_pass forwardable
>> auth [default=done] pam_openafs_session.so debug
>> auth required pam_unix.so nullok_secure try_first_pass
>> auth required pam_env.so
>> session optional pam_krb5.so
>> session optional pam_openafs_session.so
>> session optional pam_ldap.so
>> session required pam_unix.so
>> session optional pam_lastlog.so # 
>> session optional pam_motd.so # 
>> session required pam_limits.so
>> OpenAFS-info mailing list
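A small check for the workaround discussed in this thread, added here as an example and not part of the thread or of OpenAFS: it inspects a constructed PAM stack (a shortened copy of the one quoted above, not a real system file) for an active session line loading pam_openafs_session.so alongside the auth line that already obtains tokens, and prints the stack with the session line commented out. The helper names pam_has_active, pam_afs_session_unlog_risk and pam_comment_afs_session are assumptions for this example; as the thread says, this only gives per-user tokens and does not fix the missing PAG.

```shell
#!/bin/sh
# Constructed sample PAM stack (not a real /etc/pam.d file). The "session"
# line for pam_openafs_session.so is the one whose close-session hook runs
# unlog and, without a PAG, discards the UID-based tokens on logout.
PAM_SAMPLE='auth [default=done] pam_openafs_session.so debug
auth required pam_unix.so nullok_secure try_first_pass
session optional pam_krb5.so
session optional pam_openafs_session.so
session required pam_unix.so'

# pam_has_active TYPE MODULE CONFIG: succeed if CONFIG has an uncommented
# line of the given PAM type (auth, session, ...) that loads MODULE.
pam_has_active() {
    printf '%s\n' "$3" | grep -Eq "^[[:space:]]*$1[[:space:]]+.*$2"
}

# Succeed when tokens are obtained in the auth phase (pam_sm_setcred) AND an
# active session line is present, i.e. the combination that unlogs shared
# tokens when any login as that user ends.
pam_afs_session_unlog_risk() {
    pam_has_active auth pam_openafs_session.so "$1" &&
        pam_has_active session pam_openafs_session.so "$1"
}

# Emit CONFIG with the session line commented out (the per-user-token
# workaround from the thread); the auth line still gets the tokens.
pam_comment_afs_session() {
    printf '%s\n' "$1" |
        sed -E 's/^([[:space:]]*session[[:space:]].*pam_openafs_session\.so)/# \1/'
}

if pam_afs_session_unlog_risk "$PAM_SAMPLE"; then
    echo "session pam_openafs_session.so is active: logout will unlog UID-based tokens"
    echo "--- with the session line commented out:"
    pam_comment_afs_session "$PAM_SAMPLE"
fi
```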