[OpenAFS] Re: sometimes losing token on su

Harald Barth haba@kth.se
Mon, 23 Feb 2009 12:36:08 +0100 (CET)

> Maybe the problem is that sometimes the token get erroneously attached
> to the user and not to the PAG? 

Sometimes you want it, sometimes not. From the man page of heimdal rshd(8):

     -P      When using the AFS filesystem, users' authentication tokens are
             put in something called a PAG (Process Authentication Group).
             Multiple processes can share a PAG, but normally each login ses-
             sion has its own PAG. This option disables the setpag() call, so
             all tokens will be put in the default (uid-based) PAG, making it
             possible to share tokens between sessions. This is only useful in
             peculiar environments, such as some batch systems.

Looks like we are peculiar.

> (In those broken PAGs, doing su leads to
> losing the token but exiting from su brings the token back again.)

Which leads me to believe that in this case you are using uid based pags.

> Is there a way to check, if the token is attached to a PAG?
$ ssh -Y -l haba -K -o GSSAPIKeyExchange=yes ekman '/usr/heimdal/bin/klist -T ; groups'
Credentials cache: FILE:/tmp/krb5cc_d23246
        Principal: haba@NADA.KTH.SE

  Issued           Expires          Principal
Feb 23 12:31:47  Feb 24 09:34:11  krbtgt/NADA.KTH.SE@NADA.KTH.SE
Feb 23 12:31:48  Feb 24 09:34:11  afs/pdc.kth.se@NADA.KTH.SE
Feb 23 12:31:48  Feb 24 09:34:11  afs@NADA.KTH.SE

Feb 23 12:31:48  Feb 24 09:34:11  User's (AFS ID 22421) tokens for nada.kth.se
Feb 23 12:31:48  Feb 24 09:34:11  User's (AFS ID 22421) tokens for pdc.kth.se
gopher 1098410290
id: cannot find name for group ID 1098410290

This is OS and Linux-version dependent. Here
(2.6.18-92.1.13.el5.centos.plus), the strange group number is the PAG-ID.
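Added example (not part of the mailing-list post above) that automates the check Harald shows with `groups`: it scans a process's numeric group list for the one supplementary group the Linux OpenAFS client uses to mark a PAG. The assumption made here is that on Linux this PAG group has 0x41 ('A') as its high byte, i.e. it lies in 0x41000000..0x41FFFFFF, which is why the id printed in the post (1098410290 = 0x41786932) looks like a group that `id` cannot resolve. The group lists below are constructed samples; on a real host you would feed in `id -G` instead.

```shell
#!/bin/sh
# Added example, not from the post: decide whether a process is inside an
# OpenAFS PAG on Linux by looking at its supplementary groups.
#
# Assumption: the Linux OpenAFS client encodes a PAG as a single group id
# whose high byte is 0x41 ('A'), i.e. 0x41000000..0x41FFFFFF
# (1090519040..1107296255). No such group means the process is in the
# default uid-based "PAG", the situation in which su loses the tokens.

PAG_MIN=1090519040   # 0x41000000
PAG_MAX=1107296255   # 0x41FFFFFF

# pag_from_groups "<space separated numeric gids>"
# Prints the PAG group id and returns 0 if one is found; prints nothing
# and returns 1 if the process has no PAG group (uid-based tokens).
pag_from_groups() {
    for g in $1; do
        case "$g" in
            ''|*[!0-9]*) continue ;;       # skip names and junk
        esac
        if [ "$g" -ge "$PAG_MIN" ] && [ "$g" -le "$PAG_MAX" ]; then
            echo "$g"
            return 0
        fi
    done
    return 1
}

# pag_hex <decimal gid>: show the id in hex so the 0x41 prefix is visible
pag_hex() {
    printf '0x%x\n' "$1"
}

# describe_session "<gids>": one line saying where tokens would be kept
describe_session() {
    if pag=$(pag_from_groups "$1"); then
        echo "in PAG $pag ($(pag_hex "$pag")): tokens attached to the PAG"
    else
        echo "no PAG group: tokens attached to the uid (default PAG)"
    fi
}

# Constructed sample: numeric gids of a session like the one in the post
# ("gopher" assumed to be gid 30, 1098410290 being the PAG group).
SAMPLE_PAG="30 1098410290"
# Constructed sample: a uid-based session with no PAG group at all.
SAMPLE_NOPAG="30 100"

# Stand-alone run on the samples; replace a sample with "$(id -G)" to
# inspect the shell you are actually sitting in (before and after su).
describe_session "$SAMPLE_PAG"
describe_session "$SAMPLE_NOPAG"
```

Note that `id -G` prints numeric ids only, so the "cannot find name for group ID" complaint seen with `groups` does not get in the way; a resolver that is not AFS-aware simply has no name for the PAG group, and that is expected.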