[OpenAFS] Odd tokens behavior on RHEL

Booker Bense bbense@gmail.com
Tue, 20 Nov 2012 14:21:56 -0800



This is pretty much standard behavior on RHEL. IMHO, I prefer the version
w/o the uid since it can often be a lie. This can be really confusing
when using ssh and GSSAPI to login to role accounts.

We use a handy little perl script called qtoken to find out what uid is
REALLY in your token.


On Tue, Nov 20, 2012 at 9:50 AM, Brandon Allbery <allbery.b@gmail.com> wrote:

> On Tue, Nov 20, 2012 at 12:43 PM, Michael Meffie <mmeffie@sinenomine.net> wrote:
>
>> I haven't looked into this yet, but I happened to notice (only yesterday),
>> that if I run aklog with the -noprdb option, the same thing occurs, that
>> is a token is set, but not listed by `tokens'. Perhaps a clue.
>>
>
> I see it listed but without an AFS ID; this is inevitable as the only way
> to get the AFS ID (which functionally is a comment) is to query the prdb.
>
> This does suggest that the prdb is not being queried for some reason, or
> the query is silently failing.  Since it's not functionally required,
> failure of the query may well not be reported as such.
>
> --
> brandon s allbery kf8nh                               sine nomine associates
> allbery.b@gmail.com                                   ballbery@sinenomine.net
> unix/linux, openafs, kerberos, infrastructure         http://sinenomine.net
>
>
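
An added example, not part of this thread and not the qtoken script or any OpenAFS code: a small Python parser for the output of `tokens` that tells the two cases discussed above apart, a token listed with an AFS ID and a token listed without one (as happens after `aklog -noprdb`, or when the prdb query silently fails), and also flags expired tokens. The sample output is constructed, and the line formats it matches are assumed from the usual OpenAFS `tokens` output; check them against a real `tokens` run on your own hosts before relying on the regex.

```python
import re

# Constructed sample of `tokens` output (not captured from a real host).
# The second token line is the form seen after `aklog -noprdb`: the token is
# present but carries no AFS ID, because the prdb was never asked for one.
SAMPLE_TOKENS_OUTPUT = """\
Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@example.org [Expires Nov 21 03:15]
Tokens for afs@other.example.net [Expires Nov 21 03:15]
User's (AFS ID 42) tokens for afs@stale.example.com [>> Expired <<]
   --End of list--
"""

# Assumed line shapes (from typical OpenAFS `tokens` output):
#   User's (AFS ID <n>) tokens for afs@<cell> [Expires <time>]
#   Tokens for afs@<cell> [Expires <time>]
#   ... [>> Expired <<]   replaces the Expires clause for a stale token
_TOKEN_LINE = re.compile(
    r"^(?:User's \(AFS ID (?P<afs_id>\d+)\) tokens|Tokens) for "
    r"(?P<cell>\S+) \[(?:Expires (?P<expires>.+?)|(?P<expired>>> Expired <<))\]$"
)


def parse_tokens(output):
    """Return one dict per token line: cell, afs_id (int or None), expired, expires."""
    tokens = []
    for line in output.splitlines():
        m = _TOKEN_LINE.match(line.strip())
        if not m:
            continue  # header, blank line, or --End of list--
        afs_id = m.group("afs_id")
        tokens.append({
            "cell": m.group("cell"),
            "afs_id": int(afs_id) if afs_id is not None else None,
            "expired": m.group("expired") is not None,
            "expires": m.group("expires"),
        })
    return tokens


def cells_without_afs_id(output):
    """Cells whose token is listed but carries no AFS ID (the -noprdb / failed-prdb case)."""
    return [t["cell"] for t in parse_tokens(output) if t["afs_id"] is None]


def expired_cells(output):
    """Cells whose token is listed but already expired."""
    return [t["cell"] for t in parse_tokens(output) if t["expired"]]


if __name__ == "__main__":
    for t in parse_tokens(SAMPLE_TOKENS_OUTPUT):
        print(t)
    print("no AFS ID:", cells_without_afs_id(SAMPLE_TOKENS_OUTPUT))
    print("expired:", expired_cells(SAMPLE_TOKENS_OUTPUT))
```

Run against a live host with `parse_tokens(subprocess.check_output(["tokens"], text=True))`. Keep in mind the point made in the quoted reply: the AFS ID shown here is only what aklog looked up and stored, so a missing or odd value tells you the prdb query did not happen or did not succeed, not what the file server will actually map your ticket to.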
