[OpenAFS] screen loses tokens - Solaris 10

Jeff Blaine jblaine@kickflop.net
Mon, 15 Aug 2011 15:58:58 -0400

On 8/15/2011 3:34 PM, Russ Allbery wrote:
> Jeff Blaine<jblaine@kickflop.net>  writes:
>> How might I go about debugging this?  This happens on a host with
>> Generic_142900-03 but not on a host with Generic_144488-17 (nor ever on
>> this latter host at any patch rev -- I have been using/resuming screen
>> on it for years).
>> 1. Connect to host with PuTTY
>> 2. Confirm krb5 creds and tokens gotten from PAM
>> 3. Start screen
>> 4. Confirm krb5 creds and tokens in screen shell
>> 5. Close PuTTY, "Yes, disconnect"
>> 6. Connect to host with PuTTY
>> 7. Confirm krb5 creds and tokens gotten from PAM
>> 8. Resume screen session
>> 9. Tokens and krb5 creds in screen shell are gone
> When you log out of the session from which you started screen, PAM will
> destroy your AFS tokens.  If you don't want PAM to destroy AFS tokens on
> session close, you need to give the retain_after_close option to
> pam-afs-session and pam-krb5.

Thanks Russ (and Kevin!).  Both hosts are using that option.

Identical /etc/pam.conf and /etc/krb5.conf files on both
the working and failing hosts.

     login session optional pam_krb5RA.so minimum_uid=92 retain_after_close

I'll play around though.