>> root is a local user on the machines, so I'm using the 'ignore_root'
>> setting in the PAM configuration already. I added now the
>> 'refresh_tokens' option, but that doesn't change the behavior at all.
>> I still end up without a token after I typed in the password.
>
> Okay -- it looks like a bug (or at least incompatibility) with sudo. The
> sudo PAM client calls "pam_authenticate" on the AFS user authenticating,
> but then calls "pam_setcred" and "pam_opensession" on the user you're
> switching to. PAM (at least the pam_afs module) isn't designed to
> authenticate as one user, and then open a session for another.

Well that's not really the case: I don't want to run with a "root" token
later on. (If that is what you mean with "open a session for another")

The token I want to have in the end, is the one of my (admin) AFS id.
Or in other words: I am logged in as "fba1" and have a token for "fba1".
I do 'sudo su -' and I want to end up logged in as "root" but again with
a token for "fba1". I just want to keep/renew that token.

(The ability to do certain things as root and to access certain
files/scripts etc. as "system:administrator" or member of a certain AFS
group go hand in hand...)

Frank

----------------------------------------------------------------------
Dr. Frank Bagehorn
IBM Zurich Research Lab.
Saeumerstr. 4
CH-8803 Rueschlikon
Switzerland
----------------------------------------------------------------------
SMTP:  [EMAIL PROTECTED]
Notes: Frank Bagehorn/Zurich/IBM@IBMCH
phone: ++41 (01) 724 83 23
fax:   ++41 (01) 724 89 59

_______________________________________________
OpenAFS-devel mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-devel
