[OpenAFS] Changed behaviour (?) in client kernel module.
Mon, 01 Dec 2014 17:37:11 +0100
Some years ago (around 2008) I did setup a SMB to AFS gateway like this
- samba configured to use Kerberos for client auth
- when user authenticated, use root preexec with kimpersonate to get an
- The token was set to the uid, PAGs were not used.
This worked actually wery well.
Anyway, we have just tried to do the same again, but this time it do not
work at all.
Some debugging shows that a token is created to the uid, and su:ing to
that uid works, but smbd gets permission denied.
strace of smbd shows this:
setregid(4294967295, 513) = 0
getegid() = 513
setreuid(4294967295, 14431) = 0
geteuid() = 14431
chdir("/afs/ltu.se/staff/all/ragge") = -1 EACCES (Permission denied)
which obviously tells that the access after setreuid() isn't allowed.
Any hint what may have changed or where to continue to search for this