[OpenAFS] Re: sometimes loosing token on su

Sergio Gelato Sergio.Gelato@astro.su.se
Mon, 23 Feb 2009 23:39:19 +0100


* Alexander 'Leo' Bergolth [2009-02-23 12:12:55 +0100]:
> On 02/11/2009 07:03 PM, Alexander 'Leo' Bergolth wrote:
> > First of all: Yes, I have disabled pam_keyinit.so. :-)
> > 
> > I am experiencing a very strange problem:
> > 
> > On my workstation, switching to root using "su -" (or just su) normally
> > works fine.
> > However sometimes, when trying to "su" in a long running shell, I'm
> > losing my token. (See the example 1 below.)
> > 
> > Logging in via ssh and then doing "su -" works fine though. (See example 2).
> > 
> > It looks like there is something wrong with my PAG since after getting a
> > new PAG and a token from within the broken PAG, "su -" keeps my token
> > again. (Example 3)
> 
> I am still suffering from that problem.
> Any ideas how I could debug that?
> 
> Maybe the problem is that sometimes the token gets erroneously attached
> to the user and not to the PAG? (In those broken PAGs, doing su leads to
> losing the token but exiting from su brings the token back again.)
> 
> Is there a way to check if the token is attached to a PAG?

Just did a few tests (important caveat: I used kernel 2.6.18, not 2.6.27)
and here is what a PAGless session looks like:
$ keyctl show
Session Keyring
       -3 --alswrv   1000    -1  keyring: _uid_ses.1000
950991447 --alswrv   1000    -1   \_ keyring: _uid.1000
 
> > Syslog output with pam_krb5.so debug enabled doesn't show anything
> > suspicious. (See below.) Even commenting out pam_krb5.so just for the su
> > doesn't help.
> > 
> > Any hints?
> > 
> > Thanks,
> > --leo
> > 
> > P.S.: I'm using openafs-1.4.8-30.fc10.i386 on Fedora 10 (kernel
> > 2.6.27.9-159.fc10.i686.PAE).
> > 
> > -------------------- Example 1 --------------------
> > [bergolth@ariel ~]$ tokens
> > 
> > Tokens held by the Cache Manager:
> > 
> > User's (AFS ID 5020) tokens for afs@wu-wien.ac.at [Expires Feb 12 15:57]
> >    --End of list--
> > 
> > [bergolth@ariel ~]$ id -G
> > 3000 10 107 500 501 1098248117
> > 
> > [bergolth@ariel ~]$ keyctl show
> > Session Keyring
> >        -3 --alswrv      0  3000  keyring: _ses.4114
> > 480068621 ----s--v      0     0   \_ afs_pag: _pag
> > 
> > [bergolth@ariel ~]$ su -
> > 
> > [root@ariel ~]# tokens
> > 
> > Tokens held by the Cache Manager:
> > 
> >    --End of list--
> > 
> > [root@ariel ~]# id -G
> > 0 1 2 3 4 6 10
> > 
> > [root@ariel ~]# keyctl show
> > Session Keyring
> >        -3 --alswrv      0  3000  keyring: _ses.4114
> > 480068621 ----s--v      0     0   \_ afs_pag: _pag
> > ---------------------------------------------------

I just tried with a 2.6.26 kernel (Debian 5.0) and couldn't reproduce
this behaviour. Depending on /etc/pam.d/su I either keep the same PAG
and tokens or get into a new PAG which keyctl reports as such. Either
way, the behaviour is as I would expect and unlike the one you report.

Same thing with a 2.6.28 kernel (Debian 2.6.28-1~experimental.1~snapshot.12721).

I've had to apply some post-1.4.8 patches to OpenAFS because that 2.6.28 
kernel is really 2.6.28.3 and needs the "2.6.29" patch; they were
	STABLE14-libuafs-updates-20081229
	STABLE14-linux-truncate-race-20090109
	STABLE14-linux-i-size-20090112
	STABLE14-linux-2629-20090115
 
Can you reproduce the problem when su is configured not to call pam_krb5
at all?

How about when you su to the same user instead of to root? (If you were
PAGless, this ought to work. I don't think you are, but it's an easy
test.)
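As an added example (not part of this thread), the check Leo asks for, applied to the `keyctl show` and `id -G` output quoted above: it reports whether a session is in a PAG, is PAGless, or shows the keyring and group list disagreeing, which is what the post-su root shell in Example 1 looks like. The `afs_pag: _pag` match and the 0x41000000..0x41FFFFFF PAG-GID range are this example's assumptions about how OpenAFS marks a PAG on Linux; the PAGless group list is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: classify a session as PAG / PAGless
# from "keyctl show" and "id -G" output. Sample outputs are copied from the
# messages above; the afs_pag match and the GID range are this example's
# assumptions about how OpenAFS on Linux marks a PAG.

# Leo's user shell, Example 1, before su
KEYRING_USER='Session Keyring
       -3 --alswrv      0  3000  keyring: _ses.4114
480068621 ----s--v      0     0   \_ afs_pag: _pag'
GIDS_USER='3000 10 107 500 501 1098248117'
# Leo's root shell, Example 1, after "su -" (same keyring, PAG GID gone)
GIDS_ROOT='0 1 2 3 4 6 10'
# Sergio's PAGless session (group list constructed, no PAG group)
KEYRING_PAGLESS='Session Keyring
       -3 --alswrv   1000    -1  keyring: _uid_ses.1000
950991447 --alswrv   1000    -1   \_ keyring: _uid.1000'
GIDS_PAGLESS='1000 24 100'

# True if the session keyring holds the afs_pag key.
keyring_has_pag() {
    printf '%s\n' "$1" | grep -q 'afs_pag: _pag'
}

# True if any GID lies in the Linux PAG range 0x41000000..0x41FFFFFF
# (1090519040..1107296255), the group-based PAG marker.
gids_have_pag() {
    for gid in $1; do
        [ "$gid" -ge 1090519040 ] && [ "$gid" -le 1107296255 ] && return 0
    done
    return 1
}

# Prints pag, pagless, or mismatch (keyring and group list disagree).
pag_state() {
    k=1; g=1
    keyring_has_pag "$1" && k=0
    gids_have_pag "$2" && g=0
    if [ $k -eq 0 ] && [ $g -eq 0 ]; then echo pag
    elif [ $k -ne 0 ] && [ $g -ne 0 ]; then echo pagless
    else echo mismatch
    fi
}

# Classify the three samples from the thread, then the current shell if keyctl exists.
echo "user shell:  $(pag_state "$KEYRING_USER" "$GIDS_USER")"
echo "root shell:  $(pag_state "$KEYRING_USER" "$GIDS_ROOT")"
echo "pagless:     $(pag_state "$KEYRING_PAGLESS" "$GIDS_PAGLESS")"
command -v keyctl >/dev/null 2>&1 && echo "this shell:  $(pag_state "$(keyctl show 2>/dev/null)" "$(id -G)")"
```

A "mismatch" result on its own only says the two views disagree; comparing it with `tokens` output before and after `su`, as in the examples above, is what tells you which view the Cache Manager is actually following.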