Package: libpam-afs-session
Version: 2.5-4

When sudo's pam_setcred option is true (which it is by default in jessie but not in previous releases; e.g. neither wheezy nor Ubuntu trusty are affected by this problem out of the box), running sudo will result in the loss of AFS tokens. These are destroyed by pam_afs_session on exit from the sudo session. Adding

  Defaults !pam_setcred

to /etc/sudoers is sufficient to cause the AFS tokens to survive (as desired).

Here is an extract from auth.log when pam_afs_session is called with debug on:

  sudo: pam_afs_session(sudo:setcred): pam_sm_setcred: entry (0x8)
  sudo: pam_afs_session(sudo:setcred): running /usr/bin/aklog as UID 0
  sudo: pam_afs_session(sudo:setcred): pam_sm_setcred: exit (success)
  sudo: pam_unix(sudo:session): session opened for user root by user(uid=0)
  sudo: pam_afs_session(sudo:session): pam_sm_open_session: entry (0x0)
  sudo: pam_afs_session(sudo:session): skipping, apparently already ran
  sudo: pam_afs_session(sudo:session): pam_sm_open_session: exit (success)
  sudo: pam_unix(sudo:session): session closed for user root
  sudo: pam_afs_session(sudo:session): pam_sm_close_session: entry (0x8000)
  sudo: pam_afs_session(sudo:session): destroying tokens
  sudo: pam_afs_session(sudo:session): pam_sm_close_session: exit (success)
  sudo: pam_afs_session(sudo:setcred): pam_sm_setcred: entry (0x8004)
  sudo: pam_afs_session(sudo:setcred): destroying tokens
  sudo: pam_afs_session(sudo:setcred): pam_sm_setcred: exit (success)

The above is with the default setting (pam_setcred). With !pam_setcred I get:

  sudo: pam_unix(sudo:session): session opened for user root by user(uid=0)
  sudo: pam_afs_session(sudo:session): pam_sm_open_session: entry (0x0)
  sudo: pam_afs_session(sudo:session): running /usr/bin/aklog as UID 0
  sudo: pam_afs_session(sudo:session): pam_sm_open_session: exit (success)
  sudo: pam_unix(sudo:session): session closed for user root
  sudo: pam_afs_session(sudo:session): pam_sm_close_session: entry (0x8000)
  sudo: pam_afs_session(sudo:session): destroying tokens
  sudo: pam_afs_session(sudo:session): pam_sm_close_session: exit (success)

which matches what I see with older versions of sudo. The problem seems to be caused by sudo's use of the PAM_REINITIALIZE_CRED flag, which causes pam_sm_setcred() to not create a new PAG.

I'm not quite sure how to apportion blame (between sudo and pam_afs_session) nor how best to fix the issue; but others have been puzzled by this change of behavior before (it was discussed on openafs-info some time ago) so it should at least be documented (perhaps in the release notes for jessie?)
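
The hex values in the "entry (0x...)" debug lines are the PAM flags passed to each module call. The following is an added example, not part of the report or of pam_afs_session: it decodes those flags using the Linux-PAM header values and flags a trace in which aklog ran under PAM_REINITIALIZE_CRED and tokens were destroyed afterwards. The function names and the "clobbered" heuristic are assumptions made for this illustration.

```python
import re

# Flag values from Linux-PAM's <security/_pam_types.h>.
PAM_FLAGS = {0x0002: "PAM_ESTABLISH_CRED", 0x0004: "PAM_DELETE_CRED",
             0x0008: "PAM_REINITIALIZE_CRED", 0x0010: "PAM_REFRESH_CRED",
             0x8000: "PAM_SILENT"}
MSG = re.compile(r"pam_afs_session\([^)]*\): (.*)")
ENTRY = re.compile(r"(pam_sm_\w+): entry \(0x([0-9a-fA-F]+)\)")

def decode_flags(value):
    return [name for bit, name in sorted(PAM_FLAGS.items()) if value & bit]

def analyse(lines):
    # Returns (decoded entry calls, clobbered). clobbered is True when aklog
    # ran inside a PAM_REINITIALIZE_CRED call and tokens were destroyed later.
    calls, flags, reinit_aklog, clobbered = [], 0, False, False
    for line in lines:
        m = MSG.search(line)
        if not m:
            continue  # not a pam_afs_session debug line (e.g. pam_unix)
        msg = m.group(1).strip()
        entry = ENTRY.match(msg)
        if entry:
            flags = int(entry.group(2), 16)  # flags of the call now running
            calls.append((entry.group(1), decode_flags(flags)))
        elif msg.startswith("running ") and flags & 0x0008:
            reinit_aklog = True
        elif msg == "destroying tokens" and reinit_aklog:
            clobbered = True
    return calls, clobbered

# Entry, aklog and destroy lines from the two auth.log extracts in the report.
P = "sudo: pam_afs_session(sudo:%s): %s"
DEFAULT_LOG = [P % x for x in [
    ("setcred", "pam_sm_setcred: entry (0x8)"),
    ("setcred", "running /usr/bin/aklog as UID 0"),
    ("session", "pam_sm_close_session: entry (0x8000)"),
    ("session", "destroying tokens"),
    ("setcred", "pam_sm_setcred: entry (0x8004)"),
    ("setcred", "destroying tokens")]]
NO_SETCRED_LOG = [P % x for x in [
    ("session", "pam_sm_open_session: entry (0x0)"),
    ("session", "running /usr/bin/aklog as UID 0"),
    ("session", "pam_sm_close_session: entry (0x8000)"),
    ("session", "destroying tokens")]]

if __name__ == "__main__":
    for name, log in (("pam_setcred", DEFAULT_LOG), ("!pam_setcred", NO_SETCRED_LOG)):
        print(name, analyse(log))
```
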