[OpenAFS] Solaris 10 (x86): pam_afs_session

Douglas E. Engert deengert@anl.gov
Tue, 26 Feb 2008 14:51:29 -0600

Russ Allbery wrote:
> "Douglas E. Engert" <deengert@anl.gov> writes:
>> Doing some debugging on Solairs 10 (sparc), I thing *ONE* problem is in
>> the pam_afs_session where it uses WIFEXITED. I think it should use both
>> WIFEXITED(result) && WEXITSTATUS(result) == 0
> Oh, ugh, yes.  You're entirely correct.
>> The other problem is with Solaris 10. With the pam_krb5 and dtlogin
>> force the use of a user based cache i.e. krb5cc_%uid, if pam_afs_session
>> is called for a pam_open_session, it might find the previous contents of
>> a cache, as pam_setcred has not been called to store the cred, which
>> might result in a very short token lifetime.
> Unless you use the always_aklog option, pam_afs_session will do nothing
> unless KRB5CCNAME is set, precisely to avoid picking up old ticket caches
> like this using the default ticket cache name.

Turns out with the Solaris 10 pam_krb5, KRB5CCNAME is set.

For testing I used a script in place of program=aklog, to dump the args,
environment, uid, gid, pid, ppid and groups and tokens before calling aklog.



  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
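The WIFEXITED point raised above is worth seeing run. The program below is an added illustration written for this archive page, not code from pam_afs_session or from the thread's authors; it stands in for the fork/exec of the aklog program with a shell command (assumed: /bin/sh is available) and compares the check the module was using with the corrected one. A child that exits 1 (aklog failing to get a token) passes the WIFEXITED-only check, so the PAM module would report success without any AFS token being obtained; the corrected check also requires an exit status of 0, and a signalled child fails both.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Run a command through /bin/sh and return the raw wait(2) status, or -1
 * on fork/waitpid error.  Stand-in for the module running program=aklog;
 * the command string is an assumption for the demonstration. */
int run_command(const char *cmd)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                  /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return status;
}

/* The check as described in the thread: only asks whether the child exited
 * normally, which is true for exit 0 AND for exit 1, 2, ... */
int buggy_succeeded(int status)
{
    return status != -1 && WIFEXITED(status);
}

/* The corrected check: exited normally with status 0. */
int fixed_succeeded(int status)
{
    return status != -1 && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    /* Constructed sample children: success, failure, killed by SIGKILL. */
    const char *cases[] = { "exit 0", "exit 1", "kill -9 $$" };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int st = run_command(cases[i]);
        printf("%-12s buggy=%d fixed=%d\n", cases[i],
               buggy_succeeded(st), fixed_succeeded(st));
    }
    return 0;
}
```

With a real aklog the difference matters because the module continues as if tokens were set; a wrapper that logs the exit status of aklog, as described above, is a quick way to catch a silently failing invocation.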