[OpenAFS] uw-imap & tokens
David Howells
dhowells@redhat.com
Wed, 04 Apr 2007 20:33:34 +0100

Jeffrey Hutzelman <jhutz@cmu.edu> wrote:
> No; it gets allocated by AFS as part of the setpag operation. Of course, the
> setpag may be being called by a PAM module, but that should be fairly
> irrelevant.
>
> Without having looked at this in much detail, I'll hazard a guess as to what's
> going on. I'll bet the PAG (and thus the key) are created while sshd is still
> UID 0, and thus are being charged against UID 0's quota.

That'd be my bet too. I suspect that the PAM module (if that's what it is)
that issued setpag occurs before the pam_keyinit PAM module also.

> If this is the case, I would suggest not applying keyring quotas to UID 0;
> if root wants to exhaust all the resources the machine has to offer, so be
> it.

That's not a good solution. The afs_pag gets attached to the root user's
default session keyring, displacing any afs_pag that was previously there.

What does the setpag code look like?

David