[OpenAFS] Re: sometimes loosing token on su

Alexander 'Leo' Bergolth leo@strike.wu-wien.ac.at
Tue, 24 Feb 2009 12:15:47 +0100 

Hi!

On 02/23/2009 11:39 PM, Sergio Gelato wrote:
> * Alexander 'Leo' Bergolth [2009-02-23 12:12:55 +0100]:
>> On 02/11/2009 07:03 PM, Alexander 'Leo' Bergolth wrote:
>>> First of all: Yes, I have disabled pam_keyinit.so. :-)
>>>
>>> I am experiencing a very strange problem:
>>>
>>> On my workstation, switching to root using "su -" (or just su) normally
>>> works fine.
>>> However sometimes, when trying to "su" in a long running shell, I'm
>>> loosing my token. (See the example 1 below.)
>>>
>>> Logging in via ssh and then doing "su -" works fine though. (See example 2).
>>>
>>> It looks like there is something wrong with my PAG since after getting a
>>> new PAG and a token from within the broken PAG, "su -" keeps my token
>>> again. (Example 3)
>> I am still suffering from that problem.
>> Any ideas how I could debug that?
[...]
> I just tried with a 2.6.26 kernel (Debian 5.0) and couldn't reproduce
> this behaviour. Depending on /etc/pam.d/su I either keep the same PAG
> and tokens or get into a new PAG which keyctl reports as such. Either
> way, the behaviour is as I would expect and unlike the one you report.

The funny thing is:
1) ssh'ing to the same account and doing su from there also produces the
expected results.
2) after restarting the X-Session, su'ing also works for some time
(maybe for the lifetime of a token?) Reauthentication currently is done
either manually via klog or with pam_krb5 called by kscreensaver.

I'll try to reproduce these tests by logging in via ssh and
reauthenticating via klog after the token had expired...

> I've had to apply some post-1.4.8 patches to OpenAFS because that 2.6.28 
> kernel is really 2.6.28.3 and needs the "2.6.29" patch; they were
> 	STABLE14-libuafs-updates-20081229
> 	STABLE14-linux-truncate-race-20090109
> 	STABLE14-linux-i-size-20090112
> 	STABLE14-linux-2629-20090115
>  
> Can you reproduce the problem when su is configured not to call pam_krb5
> at all?

Yes. I've commented out both pam_krb5 and pam_keyinit. Same results.

> How about when you su to the same user instead of to root? (If you were
> PAGless, this ought to work. I don't think you are, but it's an easy
> test.)

Thats a good point. su'ing to the same user also doesn't work:

[bergolth@ariel ~]$ su bergolth
bash: /afs/wu-wien.ac.at/home/edvz/bergolth/.bashrc: Permission denied
bash-3.2$

[bergolth@ariel ~]$ sudo -u bergolth bash
bash: /afs/wu-wien.ac.at/home/edvz/bergolth/.bashrc: Permission denied
bash-3.2$

This disproves my theory of the User-ID attached token...

Cheers,
--leo
-- 
e-mail   ::: Leo.Bergolth (at) wu-wien.ac.at
fax      ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria