> root is a local user on the machines, so I'm using the 'ignore_root'
> setting in the PAM configuration already. I added now the
> 'refresh_tokens' option, but that doesn't change the behavior at all.
> I still end up without a token after I typed in the password.
Okay -- it looks like a bug (or at least incompatibility) with sudo. The sudo PAM client calls "pam_authenticate" on the AFS user authenticating, but then calls "pam_setcred" and "pam_open_session" on the user you're switching to. PAM (at least the pam_afs module) isn't designed to authenticate as one user and then open a session for another.

You might try further playing around with the "set_token" and "refresh_token" options to the pam_afs module in the authentication phase.

In general, to make this work, sudo would need two PAM clients. The first, maybe using settings in /etc/pam.d/sudo-user1, would perform the authentication and setcred. Then perhaps use settings in /etc/pam.d/sudo-user2 to do another setcred as the user you're switching to, followed by an open_session.

It wouldn't be too hard to patch sudo's auth/pam.c to fix this problem; however, I suggest you try using its supported AFS or krb4 (or krb5!) authentication mechanisms, because the PAM client seems pretty broken.

[ t charles clancy ]--[ [EMAIL PROTECTED] ]--[ www.uiuc.edu/~tclancy ]

_______________________________________________
OpenAFS-devel mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-devel

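The two-stack split sketched in the reply above, written out as PAM configuration. This is an added illustration, not configuration from the original thread, from sudo, or from OpenAFS: the file names /etc/pam.d/sudo-user1 and /etc/pam.d/sudo-user2 are the hypothetical ones the reply proposes, the module path /lib/security/pam_afs.so is assumed, and only the option names that appear in the thread (ignore_root, set_token, refresh_token) are used. The first stack is the one a patched sudo would run against the invoking user (authenticate, then setcred, so the AFS token is obtained for the person who typed the password); the second is what it would run against the target user (setcred again, then open a session). Stock sudo runs authenticate against the first user and setcred/open_session against the second in a single stack, which is the mismatch that leaves the session without a token.

```conf
# /etc/pam.d/sudo-user1  (hypothetical file name from the thread)
# Run as the user who is invoking sudo: authenticate and obtain the AFS token.
# ignore_root: skip pam_afs for root, a purely local account on these hosts.
# set_token / refresh_token: have the auth phase acquire or refresh the AFS token.
auth      required   /lib/security/pam_afs.so ignore_root set_token refresh_token
auth      required   /lib/security/pam_unix.so
account   required   /lib/security/pam_unix.so
# setcred phase for the invoking user (pam_setcred is called on this stack)
session   optional   /lib/security/pam_afs.so ignore_root

# /etc/pam.d/sudo-user2  (hypothetical file name from the thread)
# Run as the target user: no password prompt, only credential setup and session open.
account   required   /lib/security/pam_unix.so
session   required   /lib/security/pam_afs.so ignore_root set_token
session   required   /lib/security/pam_unix.so
```

The point of the split is that the module instance that acquired the token in the auth phase is the same instance that installs it in setcred; a single /etc/pam.d/sudo stack cannot do that when sudo switches the PAM user between the authenticate and setcred calls. Whether pam_afs accepts these options in the session phase, and the exact module path, depend on the pam_afs build in use and should be checked against its documentation before relying on this.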