[OpenAFS] Re: sometimes losing token on su

Alexander 'Leo' Bergolth leo@strike.wu-wien.ac.at
Mon, 23 Feb 2009 12:12:55 +0100


On 02/11/2009 07:03 PM, Alexander 'Leo' Bergolth wrote:
> First of all: Yes, I have disabled pam_keyinit.so. :-)
> 
> I am experiencing a very strange problem:
> 
> On my workstation, switching to root using "su -" (or just su) normally
> works fine.
> However sometimes, when trying to "su" in a long running shell, I'm
> losing my token. (See the example 1 below.)
> 
> Logging in via ssh and then doing "su -" works fine though. (See example 2).
> 
> It looks like there is something wrong with my PAG since after getting a
> new PAG and a token from within the broken PAG, "su -" keeps my token
> again. (Example 3)

I am still suffering from that problem.
Any ideas how I could debug that?

Maybe the problem is that sometimes the token gets erroneously attached
to the user and not to the PAG? (In those broken PAGs, doing su leads to
losing the token but exiting from su brings the token back again.)

Is there a way to check if the token is attached to a PAG?

Cheers,
--leo

> Even doing kinit and aklog -force (before doing su -) doesn't help.
> 
> Syslog output with pam_krb5.so debug enabled doesn't show anything
> suspicious. (See below.) Even commenting out pam_krb5.so just for the su
> doesn't help.
> 
> Any hints?
> 
> Thanks,
> --leo
> 
> P.S.: I'm using openafs-1.4.8-30.fc10.i386 on Fedora 10 (kernel
> 2.6.27.9-159.fc10.i686.PAE).
> 
> -------------------- Example 1 --------------------
> [bergolth@ariel ~]$ tokens
> 
> Tokens held by the Cache Manager:
> 
> User's (AFS ID 5020) tokens for afs@wu-wien.ac.at [Expires Feb 12 15:57]
>    --End of list--
> 
> [bergolth@ariel ~]$ id -G
> 3000 10 107 500 501 1098248117
> 
> [bergolth@ariel ~]$ keyctl show
> Session Keyring
>        -3 --alswrv      0  3000  keyring: _ses.4114
> 480068621 ----s--v      0     0   \_ afs_pag: _pag
> 
> [bergolth@ariel ~]$ su -
> 
> [root@ariel ~]# tokens
> 
> Tokens held by the Cache Manager:
> 
>    --End of list--
> 
> [root@ariel ~]# id -G
> 0 1 2 3 4 6 10
> 
> [root@ariel ~]# keyctl show
> Session Keyring
>        -3 --alswrv      0  3000  keyring: _ses.4114
> 480068621 ----s--v      0     0   \_ afs_pag: _pag
> ---------------------------------------------------
> 
> -------------------- Example 2 --------------------
> [bergolth@ariel ~]$ ssh bergolth@ariel
> 
> [bergolth@ariel:~]$ tokens
> 
> Tokens held by the Cache Manager:
> 
> Tokens for afs@wu-wien.ac.at [Expires Feb 12 15:57]
>    --End of list--
> 
> [bergolth@ariel:~]$ id -G
> 3000 10 107 500 501 1098248255
> 
> [bergolth@ariel:~]$ keyctl show
> Session Keyring
>        -3 --alswrv      0     0  keyring: _ses.13949
> 851940785 ----s--v      0     0   \_ afs_pag: _pag
> 
> [bergolth@ariel:~]$ su -
> 
> [root@ariel ~]# tokens
> 
> Tokens held by the Cache Manager:
> 
> Tokens for afs@wu-wien.ac.at [Expires Feb 12 15:57]
>    --End of list--
> 
> [root@ariel ~]# id -G
> 0 1 2 3 4 6 10
> 
> [root@ariel ~]# keyctl show
> Session Keyring
>        -3 --alswrv      0     0  keyring: _ses.13949
> 851940785 ----s--v      0     0   \_ afs_pag: _pag
> ---------------------------------------------------
> 
> -------------------- Example 3 --------------------
> [bergolth@ariel ~]$ id -G
> 3000 10 107 500 501 1098248117
> 
> [bergolth@ariel ~]$ keyctl show
> Session Keyring
>        -3 --alswrv      0  3000  keyring: _ses.4114
> 480068621 ----s--v      0     0   \_ afs_pag: _pag
> 
> [bergolth@ariel ~]$ pagsh
> 
> sh-3.2$ id -G
> 3000 10 107 500 501 1098248260
> 
> sh-3.2$ keyctl show
> Session Keyring
>        -3 --alswrv   5020  3000  keyring: _ses.14509
> 808791921 ----s--v      0     0   \_ afs_pag: _pag
> 
> sh-3.2$ aklog
> 
> sh-3.2$ tokens
> 
> Tokens held by the Cache Manager:
> 
> User's (AFS ID 5020) tokens for afs@wu-wien.ac.at [Expires Feb 12 19:49]
>    --End of list--
> 
> sh-3.2$ su -
> 
> [root@ariel ~]# tokens
> 
> Tokens held by the Cache Manager:
> 
> User's (AFS ID 5020) tokens for afs@wu-wien.ac.at [Expires Feb 12 19:49]
>    --End of list--
> ---------------------------------------------------
> 
> -------------------- Syslog 1 --------------------
> Feb 11 18:18:49 ariel su: pam_unix(su-l:session): session opened for
> user root by bergolth(uid=5020)
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: default/local realm
> 'WU-WIEN.AC.AT'
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: configured realm 'WU-WIEN.AC.AT'
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: debug
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: flags: forwardable
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: no ignore_afs
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: no null_afs
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: user_check
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: no krb4_convert
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: krb4_convert_524
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: krb4_use_as_req
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: will try previously set
> password first
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: will ask for a password if
> that fails
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: will let libkrb5 ask questions
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: no use_shmem
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: external
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: warn
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: ticket lifetime: 0s (0d,0h,0m,0s)
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: renewable lifetime: 0s
> (0d,0h,0m,0s)
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: banner: Kerberos 5
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: ccache dir: /tmp
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: ccname template:
> FILE:%d/krb5cc_%U_XXXXXX
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: keytab: FILE:/etc/krb5.keytab
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: token strategy: v4,524,2b,rxk5
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: checking for
> externally-obtained v5 credentials
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: KRB5CCNAME is not set, none found
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: no v5 creds for user 'root',
> skipping session setup
> Feb 11 18:18:49 ariel su: pam_krb5[13573]: pam_open_session returning 0
> (Success)
> --------------------------------------------------
> 
> 
> -------------------- Syslog 2 --------------------
> Feb 11 18:26:31 ariel su: pam_unix(su-l:session): session opened for
> user root by bergolth(uid=5020)
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: default/local realm
> 'WU-WIEN.AC.AT'
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: configured realm 'WU-WIEN.AC.AT'
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: debug
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: flags: forwardable
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: no ignore_afs
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: no null_afs
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: user_check
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: no krb4_convert
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: krb4_convert_524
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: krb4_use_as_req
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: will try previously set
> password first
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: will ask for a password if
> that fails
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: will let libkrb5 ask questions
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: no use_shmem
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: external
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: warn
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: ticket lifetime: 0s (0d,0h,0m,0s)
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: renewable lifetime: 0s
> (0d,0h,0m,0s)
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: banner: Kerberos 5
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: ccache dir: /tmp
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: ccname template:
> FILE:%d/krb5cc_%U_XXXXXX
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: keytab: FILE:/etc/krb5.keytab
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: token strategy: v4,524,2b,rxk5
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: checking for
> externally-obtained v5 credentials
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: KRB5CCNAME is not set, none found
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: no v5 creds for user 'root',
> skipping session setup
> Feb 11 18:26:31 ariel su: pam_krb5[14103]: pam_open_session returning 0
> (Success)
> --------------------------------------------------
> 


-- 
e-mail   ::: Leo.Bergolth (at) wu-wien.ac.at
fax      ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria
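A probe script for the question raised above (an added example, not code from the original post or from OpenAFS): it reports whether the calling process carries a PAG and by which of the two Linux mechanisms, a PAG gid among the supplementary groups or an afs_pag key in the session keyring. Those are exactly the two things the post's `id -G` and `keyctl show` output differ on before and after `su -` (in Example 1 the PAG gid is gone after `su -` while the afs_pag key is still there). Assumptions beyond what the post shows: OpenAFS on Linux 2.6 stores a one-group PAG as a gid whose top byte is 'A' (0x41), so 1098248117 in the post is PAG 0x4175efb5; the two-gid form used by older kernels is decoded according to my reading of OpenAFS's afs_get_pag_from_groups and should be checked against your source tree; `id`, `awk` and `keyctl` are on the PATH; the function names are mine.

```shell
#!/bin/sh
# pag_probe.sh: report whether this process is inside an OpenAFS PAG, and
# via which Linux mechanism. Added example; not code from the original
# post or from OpenAFS. Assumes OpenAFS on Linux 2.6 (one-group PAGs,
# optional keyring support) plus `id`, `awk` and keyutils' `keyctl`.

# A PAG is a 32-bit number whose top byte is 'A' (0x41). With one-group
# PAGs the gid *is* the PAG number (1098248117 in the post == 0x4175efb5).
PAG_MIN=1090519040   # 0x41000000
PAG_MAX=1107296255   # 0x41ffffff

# is_pag_number N -> true if N has the 0x41 top byte
is_pag_number() { [ "$1" -ge "$PAG_MIN" ] && [ "$1" -le "$PAG_MAX" ]; }

# pag_hex N -> the PAG as 0x-prefixed hex, to make the 'A' byte visible
pag_hex() { printf '0x%08x' "$1"; }

# Older OpenAFS kernels spread one PAG over two gids in 0x3f00..0xfeff.
# Assumption: this follows my reading of afs_get_pag_from_groups; verify
# it against your own source tree before relying on it.
# pag_from_two_gids G0 G1 -> prints the PAG, returns 1 if the pair is not one
pag_from_two_gids() {
    g0=$(( $1 - 16128 )); g1=$(( $2 - 16128 ))            # subtract 0x3f00
    [ "$g0" -ge 0 ] && [ "$g1" -ge 0 ] &&
        [ "$g0" -lt 49152 ] && [ "$g1" -lt 49152 ] || return 1   # < 0xc000
    l=$(( ((g0 & 16383) << 14) | (g1 & 16383) ))          # low 28 bits
    h=$(( (g1 >> 14) + 3 * (g0 >> 14) ))                  # top nibble
    pag=$(( (h << 28) | l ))
    is_pag_number "$pag" || return 1
    echo "$pag"
}

# pag_from_groups "gid gid ..." -> prints the PAG id, returns 1 if none.
# Checks every gid for the one-group form and every adjacent pair for the
# two-gid form, so it works on the output of `id -G` in both cases.
pag_from_groups() {
    set -- $1
    prev=""
    for g in "$@"; do
        case "$g" in ''|*[!0-9]*) prev=""; continue ;; esac
        if is_pag_number "$g"; then echo "$g"; return 0; fi
        if [ -n "$prev" ] && pag=$(pag_from_two_gids "$prev" "$g"); then
            echo "$pag"; return 0
        fi
        prev=$g
    done
    return 1
}

# pag_key_serial "<keyctl show output>" -> prints the serial of the
# afs_pag key in the session keyring, returns 1 if there is none
pag_key_serial() {
    printf '%s\n' "$1" |
        awk '/afs_pag:/ && $NF == "_pag" { print $1; found = 1 } END { exit !found }'
}

# Run both checks against the live process and print what was found.
pag_probe() {
    groups=$(id -G)
    if pag=$(pag_from_groups "$groups"); then
        echo "PAG in groups: $pag ($(pag_hex "$pag"))"
    else
        echo "PAG in groups: none (groups: $groups)"
    fi
    if command -v keyctl >/dev/null 2>&1; then
        if serial=$(pag_key_serial "$(keyctl show 2>/dev/null)"); then
            echo "afs_pag key:   serial $serial in session keyring"
        else
            echo "afs_pag key:   none in session keyring"
        fi
    else
        echo "afs_pag key:   keyctl not installed, cannot check"
    fi
}

pag_probe
```

The script only tells you which PAG identifiers the process carries, not which PAG the cache manager has bound a token to; `tokens` shows that for the current PAG or, with no PAG, for the uid. Running it in a shell that shows the problem, then again inside `su -`, and doing the same from a fresh ssh login, gives a side-by-side of the two cases in the post.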