On 3 Jan 2008, at 11:47, Atro Tossavainen wrote:

> Can somebody please explain to me why a "klog -setpag account" does
> not produce a token on CentOS 4.6 x86_64? "klog account" does generate
> a token, without a PAG (so root su'ing to the user gets it).  Logging
> in via pam_afs.so does (and "groups" shows the two anon groups, and
> root su'ing to the user does not get the token).

It's to do with the way that PAGs are created in each of these cases. When you run klog -setpag, you have a process tree that looks like shell->klog (so, when klog exits, control returns to the shell) - in order to be able to set the PAG, klog must change the PAG of its parent process. Both finding the identity of the parent process, and then forcing it into a particular PAG, require all sorts of kernel fiddling which doesn't work on some kernels and architectures. By contrast, when you log in and use a PAM module, then the PAG is created by the module itself, so the login (or ssh, or ...) process ends up in that PAG, and the child just inherits the PAG from its parent.

In addition, there are some odd bugs with the ways in which aklog -setpag doesn't work on some Linux variants - RT #57154 has more details.

Simon.
