It looks like sudo is calling AFS in such a way that when it asks for the password it creates a new PAG (but does not refresh the token) whereas when sudo does not ask for a password it skips the AFS module and therefore does not create a new PAG.
You could verify this theory by calling "id" before and after your sudo commands. The first time, where you don't have tokens, I bet the PAG-magic-groups will be different, but in the second case, where you do still have tokens, I bet they are the same.

-derek

"Frank Bagehorn" <[EMAIL PROTECTED]> writes:

> Hi,
> I ran into a problem with sudo. (The machine runs OpenAFS 1.2.3 on a RH 7.1,
> latest RH fix kernel.)
> Having a token I run 'sudo su -' (which knows about the pam_afs). It'll
> ask me for my AFS password
> and then do the su command. I end up being root without having a token any
> longer.
>
> [heidegg]/u/fba1$ tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID 24642) tokens for [EMAIL PROTECTED] [Expires Mar 27 06:27]
>    --End of list--
> [tarasp]/u/fba1$ sudo su -
> AFS Password:
> [root@heidegg /root]# tokens
>
> Tokens held by the Cache Manager:
>
>    --End of list--
> [root@heidegg /root]#
>
> I type 'exit' and do the same thing again. This time sudo will not ask for
> the password (since it's configured to
> ask only if it's >10 min since the last sudo command), I become root and
> (surprise!) this time I still have my token.
>
> [heidegg]/u/fba1$ tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID 24642) tokens for [EMAIL PROTECTED] [Expires Mar 27 06:27]
>    --End of list--
> [heidegg]/u/fba1$ sudo su -
> [root@heidegg /root]# tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID 24642) tokens for [EMAIL PROTECTED] [Expires Mar 27 06:27]
>    --End of list--
> [root@heidegg /root]#
>
> This strangely reminds me of the problem with ssh in version 1.2.2. Does
> sudo use different code in pam_afs,
> or what could be the reason?
>
> Regards
> Frank
>
> ----------------------------------------------------------------------
> Dr. Frank Bagehorn
> IBM Zurich Research Lab.
> Saeumerstr. 4
> CH-8803 Rueschlikon
> Switzerland
> ----------------------------------------------------------------------
> SMTP: [EMAIL PROTECTED]
> Notes: Frank Bagehorn/Zurich/IBM@IBMCH
> phone: ++41 (01) 724 83 23 fax: ++41 (01) 724 89 59
> _______________________________________________
> OpenAFS-devel mailing list
> [EMAIL PROTECTED]
> https://lists.openafs.org/mailman/listinfo/openafs-devel

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
[EMAIL PROTECTED] PGP key available
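The "id" comparison suggested in the reply, as an added example that is not part of the original thread: it decodes the PAG from a numeric group list (as printed by `id -G`) and reports whether it changed across sudo. It assumes the two-group PAG encoding of OpenAFS Linux clients of that era (each gid offset by 0x3f00, valid PAGs carrying 0x41 in the top byte); the function names and the sample group lists are constructed for illustration.

```shell
#!/bin/sh
# Assumed encoding: the PAG is split over two adjacent supplementary gids,
# each stored as 0x3f00 + (14 low bits | small high part). A decoded value is
# accepted only if its top byte is 0x41 ('A'). Position in the list varies,
# so every adjacent pair is tried (a heuristic, not an AFS API).

pag_from_gids() {                  # $1 = space-separated gids, e.g. "$(id -G)"
    set -- $1                      # split the list into positional parameters
    while [ $# -ge 2 ]; do
        g0=$(( $1 - 0x3f00 )); g1=$(( $2 - 0x3f00 ))
        if [ "$g0" -ge 0 ] && [ "$g0" -lt 49152 ] &&
           [ "$g1" -ge 0 ] && [ "$g1" -lt 49152 ]; then
            low=$(( ((g0 & 0x3fff) << 14) | (g1 & 0x3fff) ))
            high=$(( (g0 >> 14) * 3 + (g1 >> 14) ))
            pag=$(( (high << 28) | low ))
            if [ $(( (pag >> 24) & 0xff )) -eq 65 ]; then
                printf '%08x\n' "$pag"
                return 0
            fi
        fi
        shift
    done
    echo NOPAG
}

compare_pag() {                    # $1 = gids before sudo, $2 = gids inside the root shell
    before=$(pag_from_gids "$1"); after=$(pag_from_gids "$2")
    if [ "$before" = "$after" ]; then
        echo "same PAG ($before)"
    else
        echo "PAG changed ($before -> $after)"
    fi
}

# Constructed sample group lists (not captured from the machines in the thread).
USER_GIDS="100 33536 32513 10"         # user shell holding a token
ROOT_PROMPTED="0 33536 32514 1 2"      # root shell after sudo asked for the password
ROOT_CACHED="0 33536 32513 1 2"        # root shell when sudo skipped the prompt

compare_pag "$USER_GIDS" "$ROOT_PROMPTED"
compare_pag "$USER_GIDS" "$ROOT_CACHED"
```

On a live system, pass `"$(id -G)"` captured in the user shell and again inside the root shell in place of the constructed lists.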
