[OpenAFS] Changed behaviour (?) in client kernel module.

Anders Magnusson ragge@ltu.se
Mon, 01 Dec 2014 17:37:11 +0100

Some years ago (around 2008) I did setup a SMB to AFS gateway like this 
(on RedHat):

- samba configured to use Kerberos for client auth
- when user authenticated, use root preexec with kimpersonate to get an 
AFS token
- The token was set to the uid, PAGs were not used.

This worked actually wery well.

Anyway, we have just tried to do the same again, but this time it do not 
work at all.
Some debugging shows that a token is created to the uid, and su:ing to 
that uid works, but smbd gets permission denied.

strace of smbd shows this:

setregid(4294967295, 513)               = 0

getegid()                               = 513

setreuid(4294967295, 14431)             = 0

geteuid()                               = 14431

chdir("/afs/ltu.se/staff/all/ragge")   = -1 EACCES (Permission denied)

which obviously tells that the access after setreuid() isn't allowed.

Any hint what may have changed or where to continue to search for this 

OpenAFS 1.6.10
Samba 3.6.23-12
RedHat 6.6
Kernel 2.6.32-504.1.3.el6.x86_64

-- Ragge