[OpenAFS] Re: sometimes loosing token on su
Harald Barth
haba@kth.se
Mon, 23 Feb 2009 12:36:08 +0100 (CET)
> Maybe the problem is that sometimes the token gets erroneously attached
> to the user and not to the PAG?
Sometimes you want it, sometimes not. From the man page of heimdal rshd(8):
-P When using the AFS filesystem, users' authentication tokens are
put in something called a PAG (Process Authentication Group).
Multiple processes can share a PAG, but normally each login
session has its own PAG. This option disables the setpag() call, so
all tokens will be put in the default (uid-based) PAG, making it
possible to share tokens between sessions. This is only useful in
peculiar environments, such as some batch systems.
Looks like we are peculiar.
> (In those broken PAGs, doing su leads to
> losing the token but exiting from su brings the token back again.
Which leads me to believe that in this case you are using uid-based PAGs.
> Is there a way to check, if the token is attached to a PAG?
Hm...
$ ssh -Y -l haba -K -o GSSAPIKeyExchange=yes ekman '/usr/heimdal/bin/klist -T ; groups'
Credentials cache: FILE:/tmp/krb5cc_d23246
Principal: haba@NADA.KTH.SE
Issued Expires Principal
Feb 23 12:31:47 Feb 24 09:34:11 krbtgt/NADA.KTH.SE@NADA.KTH.SE
Feb 23 12:31:48 Feb 24 09:34:11 afs/pdc.kth.se@NADA.KTH.SE
Feb 23 12:31:48 Feb 24 09:34:11 afs@NADA.KTH.SE
Feb 23 12:31:48 Feb 24 09:34:11 User's (AFS ID 22421) tokens for nada.kth.se
Feb 23 12:31:48 Feb 24 09:34:11 User's (AFS ID 22421) tokens for pdc.kth.se
gopher 1098410290
id: cannot find name for group ID 1098410290
This is OS and Linux-version dependent. Here
(2.6.18-92.1.13.el5.centos.plus), the strange group number is the PAG-ID.
Harald.
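The check Harald demonstrates by hand (look for the "strange" group number in the output of groups) can be scripted. The following is an added example, not code from the original post or from OpenAFS; it assumes the group-based PAG encoding OpenAFS uses on the kernels discussed here, where the PAG is a supplementary group whose value is ('A' << 24) plus a 24-bit counter, i.e. 0x41000000..0x41FFFFFF (1090519040..1107296255 decimal). The 1098410290 in the post (0x41786932) falls in that range. The sample group lists are constructed for the demonstration; on a live system feed it "$(id -G)" instead. On newer OpenAFS/Linux combinations that keep the PAG in a session keyring rather than a group, this check will report no PAG group even though one exists, which is the version dependence the post warns about.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenAFS): decide from a
# list of numeric group IDs whether the process sits in a per-session PAG
# or in the default uid-based PAG.
#
# Assumption: OpenAFS encodes a Linux PAG as a supplementary group equal to
# ('A' << 24) + 24-bit counter, so every PAG group lies in
# 0x41000000..0x41FFFFFF. The value 1098410290 seen in the post fits.

PAG_MIN=1090519040   # 0x41000000
PAG_MAX=1107296255   # 0x41FFFFFF

# is_pag_gid GID
# Returns 0 if GID is a decimal integer inside the PAG range, 1 otherwise.
is_pag_gid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
    esac
    [ "$1" -ge "$PAG_MIN" ] && [ "$1" -le "$PAG_MAX" ]
}

# pag_from_groups "GID GID ..."
# Prints the first PAG group found as "<decimal> <hex>" and returns 0.
# Prints nothing and returns 1 when no PAG group is present, which means
# tokens are held in the uid-based PAG and will be shared (or lost) across
# su/sessions exactly as the thread describes.
pag_from_groups() {
    for g in $1; do
        if is_pag_gid "$g"; then
            printf '%d 0x%08x\n' "$g" "$g"
            return 0
        fi
    done
    return 1
}

# Constructed sample input (the group list from the post, plus a plain one).
# On a real host replace the literal with "$(id -G)".
pag_from_groups "1000 1098410290"
pag_from_groups "1000 100" || echo "no PAG group: tokens live in the uid-based PAG"
```

A non-zero return from pag_from_groups is the condition under which Harald's diagnosis applies: the token belongs to the uid, not to a per-login PAG, so whatever su does to the credentials of the target uid is immediately visible to the original session and vice versa.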