[OpenAFS] screen loses tokens - Solaris 10

Jeff Blaine jblaine@kickflop.net
Mon, 15 Aug 2011 15:58:58 -0400


On 8/15/2011 3:34 PM, Russ Allbery wrote:
> Jeff Blaine <jblaine@kickflop.net> writes:
>
>> How might I go about debugging this?  This happens on a host with
>> Generic_142900-03 but not on a host with Generic_144488-17 (nor ever on
>> this latter host at any patch rev -- I have been using/resuming screen
>> on it for years).
>
>> 1. Connect to host with PuTTY
>> 2. Confirm krb5 creds and tokens gotten from PAM
>> 3. Start screen
>> 4. Confirm krb5 creds and tokens in screen shell
>> 5. Close PuTTY, "Yes, disconnect"
>> 6. Connect to host with PuTTY
>> 7. Confirm krb5 creds and tokens gotten from PAM
>> 8. Resume screen session
>> 9. Tokens and krb5 creds in screen shell are gone
>
> When you log out of the session from which you started screen, PAM will
> destroy your AFS tokens.  If you don't want PAM to destroy AFS tokens on
> session close, you need to give the retain_after_close option to
> pam-afs-session and pam-krb5.

Thanks Russ (and Kevin!).  Both hosts are using that option.

Identical /etc/pam.conf and /etc/krb5.conf files on both
the working and failing hosts.

     login session optional pam_krb5RA.so minimum_uid=92 retain_after_close

I'll play around though.
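
Added example, not part of the original message and not OpenAFS or pam-krb5 code: a shell function that lists the session entries for Kerberos/AFS modules in a pam.conf-format file and reports, per service, whether each carries retain_after_close. Matching modules by "krb5" or "afs" in the file name is an assumption, and the sample file is constructed apart from the one line quoted above.

```shell
#!/bin/sh
# Field layout of a Solaris-style pam.conf line:
#   service  module_type  control_flag  module_path  [options...]

check_retain() {
    # $1 = path to a pam.conf-format file
    # Prints: <service> <module file name> <ok|MISSING>
    awk '
        NF < 4 || $1 ~ /^#/ { next }        # skip blank, short and comment lines
        $2 != "session"     { next }        # only session entries run at session close
        {
            n = split($4, parts, "/")       # reduce module path to its file name
            mod = parts[n]
            if (mod !~ /krb5|afs/) next     # assumption: module names contain krb5 or afs
            status = "MISSING"
            for (i = 5; i <= NF; i++)
                if ($i == "retain_after_close") status = "ok"
            print $1, mod, status
        }
    ' "$1"
}

# Constructed sample input. Only the first entry is taken from the message above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample pam.conf fragment
login  session optional pam_krb5RA.so minimum_uid=92 retain_after_close
login  session optional pam_afs_session.so
other  session optional /usr/lib/security/pam_krb5RA.so minimum_uid=92
other  auth    optional pam_krb5RA.so minimum_uid=92
EOF

check_retain "$sample"
rm -f "$sample"
```

Running it against the real /etc/pam.conf on both hosts and diffing the output shows at a glance which service and module combinations would still tear down credentials when a session closes.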