[OpenAFS] PAGs in Ubuntu Karmic
Frank Burkhardt
fbo2@gmx.net
Thu, 5 Nov 2009 20:55:51 +0100
Hi,
On Thu, Nov 05, 2009 at 08:12:35AM +0000, Simon Wilkinson wrote:
>
> On 5 Nov 2009, at 06:20, Russ Allbery wrote:
> >
> >I suspect that what you're seeing is that AFS uses keyrings with current
> >kernels instead of GID-based PAGs to accomplish the same purposes. The
> >AFS part works the way it always has, but the supplemental groups may not
> >show up as GIDs.
>
> Currently, we always push the supplemental groups in the user's additional group list - so even
> when keyring based PAGs are in use, you should see the additional entries.
>
> >But it's hard to be sure without more details on what you mean by "not
> >working any more."
I meant "Explicitly opening a new PAG as user".
>
> Indeed. One option (and this is a shot in the dark) is that it's a PAM issue. If Ubuntu have
> started using pam_keyinit, then it's vital that this is run before any AFS PAM module.
> Otherwise, pam_keyinit will happily replace AFS's keyring with its own.
Keyring's fine, I think. There's a session wide PAG in place:
$ keyctl show
Session Keyring
-3 --alswrv 0 65534 keyring: _ses.2711
52561941 ----s--v 0 0 \_ afs_pag: _pag
Here's an example:
$ kinit frank
Password for frank@ALPHA:
$ aklog
$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 1000) tokens for afs@alpha [Expires Nov 6 22:35]
--End of list--
$ bash
$ kinit afstest
Password for afstest@ALPHA:
$ aklog -setpag
Tokens held by the Cache Manager:
User's (AFS ID 1097) tokens for afs@alpha [Expires Nov 6 22:36]
--End of list--
$ exit
$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 1097) tokens for afs@alpha [Expires Nov 6 22:36]
--End of list--
I expected to be in a different PAG when the second "tokens" is executed.
But I'm not. When the subshell is left, I end up with the token of the
subshell.
Since I use non-default PAM-files (the same I'm using on my Debian
machines), I don't think it's a PAM issue but a kernel or aklog one.
Best,
Frank
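As an added example (not from Frank's message or from OpenAFS itself) of checking the keyring-based PAG described above: compare two `keyctl show` listings, taken before and after `aklog -setpag`, by the serial of the afs_pag key. The listings below are constructed to mirror the format shown in the message; the function names are my own.

```shell
# Constructed `keyctl show` snapshots in the format seen in the message.
# BEFORE: the session-wide PAG that exists at login.
BEFORE='Session Keyring
 -3 --alswrv   0 65534  keyring: _ses.2711
52561941 ----s--v   0     0   \_ afs_pag: _pag'

# AFTER_SAME: what the failing case looks like - `aklog -setpag` ran in the
# subshell but the afs_pag key serial did not change, so no new PAG exists.
AFTER_SAME="$BEFORE"

# AFTER_NEW: what a working -setpag looks like - a new session keyring with a
# new afs_pag key, so tokens obtained there stay behind on `exit`.
AFTER_NEW='Session Keyring
 -3 --alswrv   0 65534  keyring: _ses.2890
 83921007 ----s--v   0     0   \_ afs_pag: _pag'

# Print the serial of the afs_pag key in a `keyctl show` listing read from
# stdin, or nothing if the listing carries no PAG key at all.
pag_serial() {
    awk '/afs_pag:/ { print $1; exit }'
}

# Compare two listings: "same" (no new PAG was created), "changed" (a new PAG
# is in place) or "missing" (at least one listing has no afs_pag key).
pag_status() {
    before=$(printf '%s\n' "$1" | pag_serial)
    after=$(printf '%s\n' "$2" | pag_serial)
    if [ -z "$before" ] || [ -z "$after" ]; then
        echo missing
    elif [ "$before" = "$after" ]; then
        echo same
    else
        echo changed
    fi
}

# Stand-alone demonstration on the constructed snapshots.
echo "reported case: $(pag_status "$BEFORE" "$AFTER_SAME")"
echo "expected case: $(pag_status "$BEFORE" "$AFTER_NEW")"
```

On a live system, capture `before=$(keyctl show)` in the parent shell, run `aklog -setpag` in the subshell, capture `after=$(keyctl show)` there, and call `pag_status "$before" "$after"`; "same" reproduces the behaviour Frank reports.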