[OpenAFS] sometimes losing token on su
Alexander 'Leo' Bergolth
leo@strike.wu-wien.ac.at
Wed, 11 Feb 2009 19:03:51 +0100
Hi!
First of all: Yes, I have disabled pam_keyinit.so. :-)
I am experiencing a very strange problem:
On my workstation, switching to root using "su -" (or just su) normally
works fine.
However sometimes, when trying to "su" in a long running shell, I'm
losing my token. (See the example 1 below.)
Logging in via ssh and then doing "su -" works fine though. (See example 2).
It looks like there is something wrong with my PAG since after getting a
new PAG and a token from within the broken PAG, "su -" keeps my token
again. (Example 3)
Even doing kinit and aklog -force (before doing su -) doesn't help.
Syslog-output with pam_krb5.so debug enabled doesn't show anything
suspicious. (See below.) Even commenting out pam_krb5.so just for the su
doesn't help.
Any hints?
Thanks,
--leo
P.S.: I'm using openafs-1.4.8-30.fc10.i386 on Fedora 10 (kernel
2.6.27.9-159.fc10.i686.PAE).
-------------------- Example 1 --------------------
[bergolth@ariel ~]$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 5020) tokens for afs@wu-wien.ac.at [Expires Feb 12 15:57]
--End of list--
[bergolth@ariel ~]$ id -G
3000 10 107 500 501 1098248117
[bergolth@ariel ~]$ keyctl show
Session Keyring
-3 --alswrv 0 3000 keyring: _ses.4114
480068621 ----s--v 0 0 \_ afs_pag: _pag
[bergolth@ariel ~]$ su -
[root@ariel ~]# tokens
Tokens held by the Cache Manager:
--End of list--
[root@ariel ~]# id -G
0 1 2 3 4 6 10
[root@ariel ~]# keyctl show
Session Keyring
-3 --alswrv 0 3000 keyring: _ses.4114
480068621 ----s--v 0 0 \_ afs_pag: _pag
---------------------------------------------------
-------------------- Example 2 --------------------
[bergolth@ariel ~]$ ssh bergolth@ariel
[bergolth@ariel:~]$ tokens
Tokens held by the Cache Manager:
Tokens for afs@wu-wien.ac.at [Expires Feb 12 15:57]
--End of list--
[bergolth@ariel:~]$ id -G
3000 10 107 500 501 1098248255
[bergolth@ariel:~]$ keyctl show
Session Keyring
-3 --alswrv 0 0 keyring: _ses.13949
851940785 ----s--v 0 0 \_ afs_pag: _pag
[bergolth@ariel:~]$ su -
[root@ariel ~]# tokens
Tokens held by the Cache Manager:
Tokens for afs@wu-wien.ac.at [Expires Feb 12 15:57]
--End of list--
[root@ariel ~]# id -G
0 1 2 3 4 6 10
[root@ariel ~]# keyctl show
Session Keyring
-3 --alswrv 0 0 keyring: _ses.13949
851940785 ----s--v 0 0 \_ afs_pag: _pag
---------------------------------------------------
-------------------- Example 3 --------------------
[bergolth@ariel ~]$ id -G
3000 10 107 500 501 1098248117
[bergolth@ariel ~]$ keyctl show
Session Keyring
-3 --alswrv 0 3000 keyring: _ses.4114
480068621 ----s--v 0 0 \_ afs_pag: _pag
[bergolth@ariel ~]$ pagsh
sh-3.2$ id -G
3000 10 107 500 501 1098248260
sh-3.2$ keyctl show
Session Keyring
-3 --alswrv 5020 3000 keyring: _ses.14509
808791921 ----s--v 0 0 \_ afs_pag: _pag
sh-3.2$ aklog
sh-3.2$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 5020) tokens for afs@wu-wien.ac.at [Expires Feb 12 19:49]
--End of list--
sh-3.2$ su -
[root@ariel ~]# tokens
Tokens held by the Cache Manager:
User's (AFS ID 5020) tokens for afs@wu-wien.ac.at [Expires Feb 12 19:49]
--End of list--
---------------------------------------------------
-------------------- Syslog 1 --------------------
Feb 11 18:18:49 ariel su: pam_unix(su-l:session): session opened for
user root by bergolth(uid=5020)
Feb 11 18:18:49 ariel su: pam_krb5[13573]: default/local realm
'WU-WIEN.AC.AT'
Feb 11 18:18:49 ariel su: pam_krb5[13573]: configured realm 'WU-WIEN.AC.AT'
Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: debug
Feb 11 18:18:49 ariel su: pam_krb5[13573]: flags: forwardable
Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: no ignore_afs
Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: no null_afs
Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: user_check
Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: no krb4_convert
Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: krb4_convert_524
Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: krb4_use_as_req
Feb 11 18:18:49 ariel su: pam_krb5[13573]: will try previously set
password first
Feb 11 18:18:49 ariel su: pam_krb5[13573]: will ask for a password if
that fails
Feb 11 18:18:49 ariel su: pam_krb5[13573]: will let libkrb5 ask questions
Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: no use_shmem
Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: external
Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: warn
Feb 11 18:18:49 ariel su: pam_krb5[13573]: ticket lifetime: 0s (0d,0h,0m,0s)
Feb 11 18:18:49 ariel su: pam_krb5[13573]: renewable lifetime: 0s
(0d,0h,0m,0s)
Feb 11 18:18:49 ariel su: pam_krb5[13573]: banner: Kerberos 5
Feb 11 18:18:49 ariel su: pam_krb5[13573]: ccache dir: /tmp
Feb 11 18:18:49 ariel su: pam_krb5[13573]: ccname template:
FILE:%d/krb5cc_%U_XXXXXX
Feb 11 18:18:49 ariel su: pam_krb5[13573]: keytab: FILE:/etc/krb5.keytab
Feb 11 18:18:49 ariel su: pam_krb5[13573]: token strategy: v4,524,2b,rxk5
Feb 11 18:18:49 ariel su: pam_krb5[13573]: checking for
externally-obtained v5 credentials
Feb 11 18:18:49 ariel su: pam_krb5[13573]: KRB5CCNAME is not set, none found
Feb 11 18:18:49 ariel su: pam_krb5[13573]: no v5 creds for user 'root',
skipping session setup
Feb 11 18:18:49 ariel su: pam_krb5[13573]: pam_open_session returning 0
(Success)
--------------------------------------------------
-------------------- Syslog 2 --------------------
Feb 11 18:26:31 ariel su: pam_unix(su-l:session): session opened for
user root by bergolth(uid=5020)
Feb 11 18:26:31 ariel su: pam_krb5[14103]: default/local realm
'WU-WIEN.AC.AT'
Feb 11 18:26:31 ariel su: pam_krb5[14103]: configured realm 'WU-WIEN.AC.AT'
Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: debug
Feb 11 18:26:31 ariel su: pam_krb5[14103]: flags: forwardable
Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: no ignore_afs
Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: no null_afs
Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: user_check
Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: no krb4_convert
Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: krb4_convert_524
Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: krb4_use_as_req
Feb 11 18:26:31 ariel su: pam_krb5[14103]: will try previously set
password first
Feb 11 18:26:31 ariel su: pam_krb5[14103]: will ask for a password if
that fails
Feb 11 18:26:31 ariel su: pam_krb5[14103]: will let libkrb5 ask questions
Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: no use_shmem
Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: external
Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: warn
Feb 11 18:26:31 ariel su: pam_krb5[14103]: ticket lifetime: 0s (0d,0h,0m,0s)
Feb 11 18:26:31 ariel su: pam_krb5[14103]: renewable lifetime: 0s
(0d,0h,0m,0s)
Feb 11 18:26:31 ariel su: pam_krb5[14103]: banner: Kerberos 5
Feb 11 18:26:31 ariel su: pam_krb5[14103]: ccache dir: /tmp
Feb 11 18:26:31 ariel su: pam_krb5[14103]: ccname template:
FILE:%d/krb5cc_%U_XXXXXX
Feb 11 18:26:31 ariel su: pam_krb5[14103]: keytab: FILE:/etc/krb5.keytab
Feb 11 18:26:31 ariel su: pam_krb5[14103]: token strategy: v4,524,2b,rxk5
Feb 11 18:26:31 ariel su: pam_krb5[14103]: checking for
externally-obtained v5 credentials
Feb 11 18:26:31 ariel su: pam_krb5[14103]: KRB5CCNAME is not set, none found
Feb 11 18:26:31 ariel su: pam_krb5[14103]: no v5 creds for user 'root',
skipping session setup
Feb 11 18:26:31 ariel su: pam_krb5[14103]: pam_open_session returning 0
(Success)
--------------------------------------------------
--
e-mail ::: Leo.Bergolth (at) wu-wien.ac.at
fax ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria
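The three examples above all compare the same two things by hand: the PAG group in `id -G` and the `afs_pag` key in `keyctl show`, before and after `su -`. The script below is an added example (not code from the post, and not part of OpenAFS) that does that comparison mechanically, so the "lost" case of Example 1 and the "kept" case of Example 3 can be told apart without reading the raw output. It relies on one OpenAFS convention: single-group PAGs are GIDs in the range 0x41000000..0x41ffffff (1090519040..1107296255), which is where the 1098248117 in the post falls. The sample data is copied from Example 1; the `--live` mode and the function names are this example's own, and it also reports a "changed" case (a new PAG, as after `pagsh`) that the post only shows implicitly.

```shell
#!/bin/sh
# Added example, not from the original post: parse the `id -G` and
# `keyctl show` output compared in the post and report whether the
# OpenAFS PAG survived a `su -`.

# OpenAFS single-group PAGs are GIDs in 0x41000000..0x41ffffff.
PAG_GID_MIN=1090519040
PAG_GID_MAX=1107296255

# $1: output of `id -G` (space-separated GIDs). Prints the PAG GID and
# returns 0, or prints nothing and returns 1 if no PAG group is present.
pag_from_groups() {
    for g in $1; do
        case "$g" in *[!0-9]*|'') continue ;; esac   # ignore non-numeric words
        if [ "$g" -ge "$PAG_GID_MIN" ] && [ "$g" -le "$PAG_GID_MAX" ]; then
            printf '%s\n' "$g"
            return 0
        fi
    done
    return 1
}

# $1: output of `keyctl show`. Prints the serial of the afs_pag key in the
# session keyring and returns 0, or returns 1 if there is none.
afs_pag_key() {
    serial=$(printf '%s\n' "$1" | awk '/afs_pag:/ { print $1; exit }')
    [ -n "$serial" ] || return 1
    printf '%s\n' "$serial"
}

# $1,$2: `id -G` output before/after su; $3,$4: `keyctl show` before/after.
# Prints one summary line; returns 0 only if both the PAG group and the
# afs_pag key were carried across unchanged.
pag_transition() {
    g_before=$(pag_from_groups "$1") || g_before=""
    g_after=$(pag_from_groups "$2") || g_after=""
    k_before=$(afs_pag_key "$3") || k_before=""
    k_after=$(afs_pag_key "$4") || k_after=""

    if [ -z "$g_before" ]; then grp="none before su"
    elif [ "$g_before" = "$g_after" ]; then grp="kept ($g_before)"
    elif [ -z "$g_after" ]; then grp="lost ($g_before -> none)"
    else grp="changed ($g_before -> $g_after)"
    fi

    if [ -z "$k_before" ]; then keysum="none before su"
    elif [ "$k_before" = "$k_after" ]; then keysum="kept ($k_before)"
    elif [ -z "$k_after" ]; then keysum="lost ($k_before -> none)"
    else keysum="changed ($k_before -> $k_after)"
    fi

    printf 'PAG group: %s; afs_pag key: %s\n' "$grp" "$keysum"
    if [ -n "$g_before" ] && [ "$g_before" = "$g_after" ] \
       && [ -n "$k_before" ] && [ "$k_before" = "$k_after" ]; then
        return 0
    fi
    return 1
}

# Constructed sample: the before/after output from Example 1 in the post.
EX1_GROUPS_BEFORE='3000 10 107 500 501 1098248117'
EX1_GROUPS_AFTER='0 1 2 3 4 6 10'
EX1_KEYCTL_BEFORE='Session Keyring
-3 --alswrv 0 3000 keyring: _ses.4114
480068621 ----s--v 0 0 \_ afs_pag: _pag'
EX1_KEYCTL_AFTER="$EX1_KEYCTL_BEFORE"   # keyring was unchanged after su

# Run with --live to print the state of the current shell; run it once
# before and once after `su -` and feed both results to pag_transition.
if [ "${1:-}" = "--live" ]; then
    live_groups=$(id -G)
    live_keys=""
    if command -v keyctl >/dev/null 2>&1; then
        live_keys=$(keyctl show 2>/dev/null || true)
    fi
    printf 'PAG group: %s\n' "$(pag_from_groups "$live_groups" || echo none)"
    printf 'afs_pag key: %s\n' "$(afs_pag_key "$live_keys" || echo none)"
else
    pag_transition "$EX1_GROUPS_BEFORE" "$EX1_GROUPS_AFTER" \
                   "$EX1_KEYCTL_BEFORE" "$EX1_KEYCTL_AFTER" || true
fi
```

On the Example 1 data the summary reads `PAG group: lost (1098248117 -> none); afs_pag key: kept (480068621)`: the keyring-based PAG is still attached while the PAG group has been dropped from the supplementary groups, which is the state in which `tokens` shows nothing. A healthy transition prints `kept` for both and the function returns 0, so it can be used directly in a condition.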