[OpenAFS] OpenAFS and sudo

Sergio Gelato Sergio.Gelato@astro.su.se
Wed, 28 Jan 2015 08:51:19 +0100


* Yvan Masson [2015-01-27 09:48:46 +0100]:
> Yes, pam_afs_session is in some pam files : common-auth, common-session
> and common-session-noninteractive. These files are attached. Indeed, I
> suppose something is wrong here.

I don't see anything obviously amiss, but these files don't tell the whole
story since pam_afs_session honors settings in /etc/krb5.conf.

In theory, pam_open_session should put the session into its own PAG, then
(try to) acquire a new token; pam_close_session will unlog (i.e., destroy
the token), but this should only affect the session's PAG. It sounds like
the unlog is happening (i.e., retain_after_close is not set) but the PAG
creation is not (i.e., either nopag is set or PAG creation fails for
some other reason).

You said that "keyctl show" reported the exact same session keyring name
within and without the sudo session? That would confirm that the PAG hasn't
changed. I guess you could work around the issue by editing /etc/pam.d/sudo
to include a modified version of common-session-noninteractive that passes
retain_after_close to pam_afs_session. (Or maybe you can live with using
retain_after_close system-wide.)
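Added here as an example, not code from the thread: a small POSIX shell check for the diagnostic described above, comparing the serial of the `_ses` session keyring that `keyctl show` reports outside and inside sudo. The sample dumps are constructed, and the `afs_pag: _pag` marker is assumed to be how the OpenAFS Linux client's keyring PAG key is displayed.

```shell
#!/bin/sh
# Added example, not part of the thread: decide from two `keyctl show` dumps
# whether a sudo session landed in its own PAG. Keyring-based PAGs live in a
# fresh session keyring, so the "_ses" serial should differ across sudo.

# Print the serial of the "_ses" session keyring found in a keyctl show dump.
session_keyring_serial() {
    printf '%s\n' "$1" | awk '/keyring: _ses/ { print $1; exit }'
}

# Succeed if the dump carries the OpenAFS PAG marker key (assumed to show as
# "afs_pag: _pag", the key type and description the Linux client uses).
has_afs_pag() {
    printf '%s\n' "$1" | grep -q 'afs_pag: _pag'
}

# Succeed only when both dumps name a session keyring and the serials differ,
# i.e. the inner session is in a new PAG.
pag_changed() {
    a=$(session_keyring_serial "$1")
    b=$(session_keyring_serial "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]
}

# Constructed sample dumps (serials invented, not from the poster's machine).
OUTSIDE_SAMPLE='Session Keyring
 795143572 --alswrv   1000  1000  keyring: _ses
 267118391 --alswrv   1000 65534   \_ keyring: _uid.1000
 104622358 ----s--v   1000  1000   \_ afs_pag: _pag'

# What a working setup should look like from inside sudo: new _ses, new PAG.
INSIDE_GOOD_SAMPLE='Session Keyring
 612388004 --alswrv      0     0  keyring: _ses
 930017234 ----s--v      0     0   \_ afs_pag: _pag'

# The failure the thread describes: sudo still shows the caller's keyring.
INSIDE_BAD_SAMPLE=$OUTSIDE_SAMPLE

# Live check, only when invoked as `sh pagcheck.sh --live`: compare this
# shell's keyring with the one a command started through sudo sees.
if [ "${1:-}" = "--live" ]; then
    outside=$(keyctl show)
    inside=$(sudo keyctl show)
    if pag_changed "$outside" "$inside"; then
        echo "sudo session has its own PAG (session keyring changed)"
    else
        echo "same session keyring under sudo: no new PAG, so unlog on close hits the caller's tokens"
    fi
fi
```

Without `--live` the script only defines the helpers and the constructed samples, so it can be sourced and tried on saved `keyctl show` output from any machine.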