[OpenAFS] Solaris 10 (x86): pam_afs_session
Douglas E. Engert
deengert@anl.gov
Tue, 26 Feb 2008 14:51:29 -0600
Russ Allbery wrote:
> "Douglas E. Engert" <deengert@anl.gov> writes:
>
>> Doing some debugging on Solaris 10 (sparc), I think *ONE* problem is in
>> the pam_afs_session where it uses WIFEXITED. I think it should use both
>> WIFEXITED(result) && WEXITSTATUS(result) == 0
>
> Oh, ugh, yes. You're entirely correct.
>
>> The other problem is with Solaris 10. With the pam_krb5 and dtlogin
>> force the use of a user based cache i.e. krb5cc_%uid, if pam_afs_session
>> is called for a pam_open_session, it might find the previous contents of
>> a cache, as pam_setcred has not been called to store the cred, which
>> might result in a very short token lifetime.
>
> Unless you use the always_aklog option, pam_afs_session will do nothing
> unless KRB5CCNAME is set, precisely to avoid picking up old ticket caches
> like this using the default ticket cache name.
Turns out with the Solaris 10 pam_krb5, KRB5CCNAME is set.
For testing I used a script in place of program=aklog, to dump the args,
environment, uid, gid, pid, ppid and groups and tokens before calling aklog.
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
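An added example, not code from pam_afs_session or from either poster, showing the wait-status distinction the thread is about. It runs a command as a child process (a /bin/sh command line stands in for program=aklog), then applies both checks: the one the thread calls buggy, WIFEXITED alone, which accepts any normal exit including exit(1), and the corrected one, WIFEXITED && WEXITSTATUS == 0. A child killed by a signal fails both, which is why WIFSIGNALED is worth reporting separately. The function names (run_command, lenient_ok, strict_ok, lenient_accepts, strict_accepts) and the three sample command lines are assumptions made for this illustration.

```c
/* Added example; not pam_afs_session's own code.  Classify a child's wait
 * status and compare the "WIFEXITED only" check with the corrected
 * "WIFEXITED && WEXITSTATUS == 0" check discussed in the thread. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of running a helper program such as aklog (names are assumed). */
enum run_result {
    RUN_OK,          /* exited normally with status 0 */
    RUN_EXIT_ERROR,  /* exited normally, but with a non-zero status */
    RUN_SIGNALED,    /* terminated by a signal, never reached exit() */
    RUN_FAILED       /* fork, exec or waitpid itself failed */
};

/* The check the thread calls buggy: any normal exit passes, even exit(1). */
int lenient_ok(int status)
{
    return WIFEXITED(status);
}

/* The corrected check: normal exit AND exit status zero. */
int strict_ok(int status)
{
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Run a /bin/sh command line as a child (standing in for program=aklog),
 * wait for it and classify the result.  If raw_status is non-NULL it
 * receives the untouched waitpid() value so callers can apply either check. */
enum run_result run_command(const char *cmdline, int *raw_status)
{
    pid_t pid = fork();
    if (pid < 0)
        return RUN_FAILED;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmdline, (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return RUN_FAILED;
    if (raw_status)
        *raw_status = status;
    if (WIFSIGNALED(status))
        return RUN_SIGNALED;
    if (!WIFEXITED(status))
        return RUN_FAILED;              /* stopped/continued; not expected here */
    return WEXITSTATUS(status) == 0 ? RUN_OK : RUN_EXIT_ERROR;
}

/* Convenience wrappers: run the command and apply one of the two checks. */
int lenient_accepts(const char *cmdline)
{
    int status = 0;
    if (run_command(cmdline, &status) == RUN_FAILED)
        return 0;
    return lenient_ok(status);
}

int strict_accepts(const char *cmdline)
{
    int status = 0;
    if (run_command(cmdline, &status) == RUN_FAILED)
        return 0;
    return strict_ok(status);
}

int main(void)
{
    /* Constructed sample commands: clean exit, failing exit, signal death. */
    const char *cases[] = { "exit 0", "exit 3", "kill -9 $$" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int status = 0;
        enum run_result r = run_command(cases[i], &status);
        printf("%-12s -> lenient=%d strict=%d result=%d\n",
               cases[i], lenient_ok(status), strict_ok(status), (int)r);
    }
    return 0;
}
```

The "exit 3" case is the one that matters for the bug: a helper that ran but failed is indistinguishable from success under the lenient check, so the module would report a session as set up when no token was obtained.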