[EMAIL PROTECTED] writes: > Hi Russ, since "fixing" the vservers by exposing the hosts's > /proc/fs/openafs/afs_ioctl, our services that rely on k5start to get > and maintain their tokens are losing their afs tokens. > > It seems somewhat random so far - the ColdFusion process in one > vserver lost its token after running for several days and even > restarting the vserver didn't get a usable token back (even though a > "tokens" command in the startup script did show that tokens had been > granted, ColdFusion didn't get access to afs). The apache process in > one vserver seems to lose tokens within a couple of days (it's > happened about three or four times so far). Since we were using a > fairly old copy of k5start, I tried re-building k5start from: > > http://archives.eyrie.org/software/kerberos/kstart-3.13.tar.gz > > but it didn't seem to fix the problem. Moving a vserver to a host > that doesn't expose /proc/fs/openafs/afs_ioctl does seem to fix the > problem. > > Do you know what might be causing the problem?
I'm afraid not. I think this is one that you'll have to ask on openafs-info about. It would surprise me if the /proc thing is related, since it's just a different interface to the same thing as the system calls, but maybe I'm missing some subtlety. This is a bit beyond my depth in terms of weird kernel interactions. kstart should have the same problem that you saw with pam-afs -- if you don't have the /proc file, it won't be able to get a PAG. It uses exactly the same code as pam-afs. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
