[OpenAFS] Changed behaviour (?) in client kernel module.
Tue, 2 Dec 2014 07:33:31 -0400
On Mon, Dec 1, 2014 at 12:37 PM, Anders Magnusson <firstname.lastname@example.org> wrote:
> Some years ago (around 2008) I did setup a SMB to AFS gateway like this (on
> - samba configured to use Kerberos for client auth
> - when user authenticated, use root preexec with kimpersonate to get an AFS
> - The token was set to the uid, PAGs were not used.
> This worked actually wery well.
> Anyway, we have just tried to do the same again, but this time it do not
> work at all.
> Some debugging shows that a token is created to the uid, and su:ing to that
> uid works, but smbd gets permission denied.
> strace of smbd shows this:
> setregid(4294967295, 513) = 0
> getegid() = 513
> setreuid(4294967295, 14431) = 0
That's the key line here, the real uid is left unchanged and the
effective uid is set. But OpenAFS relies on the real uid to set and
retrieve tokens, so this won't work. On the OpenAFS side this was
inadvertently changed in 1.6.0 and 1.6.1 but restored in 1.6.2. On
the samba side it looks like it should be setting both the effective
and real uids with setresuid() (some code there was added specifically
because of OpenAFS), but that code is conditional to some configure
tests, and there's a fallback to a setuid(-1, uid) that looks like the
one above, in case of error. Do you see a failing setresuid() in the
trace before the setreuid call?