[OpenAFS] OpenAFS and sudo
Tue, 20 Jan 2015 15:46:21 -0500 (EST)
On Tue, 20 Jan 2015, Yvan Masson wrote:
> I'm currently preparing the installation of Debian 8 Jessie (the current
> almost stable) workstations in an OpenAFS environment. Users can log in
> with theirs AFS credentials.
> My problem is that if a user use the "sudo" command, he looses his afs
> token. After that, the user can use "aklog" to get a new token. The
> Kerberos tickets are not destroyed.
I don't use sudo on my debian machines (just su), so I think you may need
to clarify a bit more: is sudo being used to run a single command with
privilege, or to run an interactive shell (as in sudo -i)? Is only the
terminal where sudo was run affected, or are other terminal windows
affected as well?
> I suppose that I should do someting with PAM, probably
> in /etc/pam.d/sudo, but I don't know exactly what.
Well, it probably depends on whether the default (uid-based) pag is in
use, or a session-specific pag.
I think that with jessie's kernel the pag information is stored in the
keyring, so 'keyctl show' before and after sudo is run may be helpful.