[OpenAFS] OpenAFS and sudo

Jason Edgecombe jason@rampaginggeek.com
Tue, 20 Jan 2015 20:37:39 -0500


On 01/20/2015 03:46 PM, Benjamin Kaduk wrote:
> Hi,
>
> On Tue, 20 Jan 2015, Yvan Masson wrote:
>
>> Hi,
>>
>> I'm currently preparing the installation of Debian 8 Jessie (the current
>> almost stable) workstations in an OpenAFS environment. Users can log in
>> with their AFS credentials.
>> My problem is that if a user uses the "sudo" command, he loses his afs
>> token. After that, the user can use "aklog" to get a new token. The
>> Kerberos tickets are not destroyed.
> I don't use sudo on my debian machines (just su), so I think you may need
> to clarify a bit more: is sudo being used to run a single command with
> privilege, or to run an interactive shell (as in sudo -i)?  Is only the
> terminal where sudo was run affected, or are other terminal windows
> affected as well?
>
>> I suppose that I should do something with PAM, probably
>> in /etc/pam.d/sudo, but I don't know exactly what.
> Well, it probably depends on whether the default (uid-based) pag is in
> use, or a session-specific pag.
>
> I think that with jessie's kernel the pag information is stored in the
> keyring, so 'keyctl show' before and after sudo is run may be helpful.
>
Here is another data point from my experience on RHEL5 with 
pam_afs_session. I've noticed the following functionality:

command            keeps tokens
'sudo -i'          no
'sudo -s'          yes
'sudo /bin/bash'   yes
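As an added example (not code from this thread, from OpenAFS or from pam_afs_session), here is a small diagnostic script along the lines of Benjamin's 'keyctl show' suggestion: it records whether an AFS PAG key and any tokens are visible before sudo and again inside a given sudo variant, so the table above can be reproduced on another machine. It assumes two things the thread does not state: that OpenAFS on a keyring-based kernel lists the PAG in 'keyctl show' as a key of type "afs_pag", and that 'tokens' prints one "... tokens for <cell> ..." line per token held. The sample listings inside demo_offline are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenAFS: compare AFS PAG/token
# state before and inside a sudo invocation.
#
# Assumptions (not stated on the page):
#  - `keyctl show` lists the PAG as a key of type "afs_pag" (hypothetical
#    format: "afs_pag: _pag").
#  - `tokens` prints one "... tokens for <cell> ..." line per held token.

# has_afs_pag: read `keyctl show` output on stdin; exit 0 if an afs_pag key
# appears in the listing, 1 otherwise.
has_afs_pag() {
    grep -q 'afs_pag:'
}

# count_tokens: read `tokens` output on stdin; print the number of tokens
# listed (grep -c exits 1 when the count is 0, so callers default to 0).
count_tokens() {
    grep -c 'tokens for'
}

# pag_report: print "pag=yes|no tokens=N" for the calling process.
pag_report() {
    pag=no
    if keyctl show 2>/dev/null | has_afs_pag; then pag=yes; fi
    n=$(tokens 2>/dev/null | count_tokens)
    echo "pag=$pag tokens=${n:-0}"
}

# compare_sudo: report before sudo, then inside the given sudo variant.
# Usage after sourcing this file:
#   compare_sudo -i ; compare_sudo -s ; compare_sudo /bin/bash
# The inner check is an inline sh snippet so it does not depend on the
# functions above being exported into the privileged shell.
compare_sudo() {
    echo "before sudo: $(pag_report)"
    inner='pag=no; keyctl show 2>/dev/null | grep -q "afs_pag:" && pag=yes;
           n=$(tokens 2>/dev/null | grep -c "tokens for");
           echo "pag=$pag tokens=${n:-0}"'
    printf 'inside "sudo %s": ' "$*"
    sudo "$@" sh -c "$inner"
}

# demo_offline: run the two parsers over constructed sample output (not
# captured from a real machine) so the logic can be checked without AFS.
demo_offline() {
    sample_keyctl='Session Keyring
 123456789 --alswrv   1000  1000  keyring: _ses
 987654321 ----s-rv   1000  1000   \_ afs_pag: _pag'
    sample_tokens="Tokens held by the Cache Manager:

User's (AFS ID 1000) tokens for afs@example.org [Expires Jan 21 06:37]
   --End of list--"
    pag=no
    printf '%s\n' "$sample_keyctl" | has_afs_pag && pag=yes
    n=$(printf '%s\n' "$sample_tokens" | count_tokens)
    echo "sample: pag=$pag tokens=${n:-0}"
}
```

Running compare_sudo once per variant from the same terminal gives a before/inside pair for each row of the table; a row where "pag=yes" before and "pag=no" inside points at a new PAG being created by the session (and hence at the PAM session stack), whereas "pag=yes tokens=0" inside means the PAG survived but the tokens did not follow it.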