Russ Allbery wrote:
"Douglas E. Engert" <[EMAIL PROTECTED]> writes:

Doing some debugging on Solaris 10 (sparc), I think *ONE* problem is in
the pam_afs_session where it uses WIFEXITED. I think it should use both
WIFEXITED(result) && WEXITSTATUS(result) == 0

Oh, ugh, yes.  You're entirely correct.

The other problem is with Solaris 10. With the pam_krb5 and dtlogin
force the use of a user based cache i.e. krb5cc_%uid, if pam_afs_session
is called for a pam_open_session, it might find the previous contents of
a cache, as pam_setcred has not been called to store the cred, which
might result in a very short token lifetime.

Unless you use the always_aklog option, pam_afs_session will do nothing
unless KRB5CCNAME is set, precisely to avoid picking up old ticket caches
like this using the default ticket cache name.

Turns out with the Solaris 10 pam_krb5, KRB5CCNAME is set.

For testing I used a script in place of program=aklog, to dump the args,
environment, uid, gid, pid, ppid and groups and tokens before calling aklog.





--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
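
The difference between the two wait-status checks discussed in this thread, as an added example that is not part of the original messages and is not pam_afs_session's own code. The helper names are hypothetical, and the forked child stands in for the external aklog program: it exits 0, exits 1, or is killed by a signal.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a stand-in for the external program (hypothetical helper).
 * exit_code >= 0: child exits with that code; exit_code < 0: child
 * kills itself with SIGKILL. Returns the raw waitpid() status, or -1. */
static int run_child(int exit_code)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (exit_code < 0)
            kill(getpid(), SIGKILL);
        _exit(exit_code);
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return status;
}

/* WIFEXITED alone: true for any normal exit, including a failing one. */
static int check_wifexited_only(int status)
{
    return WIFEXITED(status);
}

/* Check proposed in the thread: normal exit AND exit status 0. */
static int check_exit_zero(int status)
{
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    int codes[] = { 0, 1, -1 };   /* constructed cases: ok, fail, killed */
    for (size_t i = 0; i < 3; i++) {
        int st = run_child(codes[i]);
        printf("child %2d: WIFEXITED-only=%d, exit-zero=%d\n", codes[i],
               check_wifexited_only(st), check_exit_zero(st));
    }
    return 0;
}
```

The child that exits with status 1 is the case that matters: WIFEXITED alone reports it as a success, while the combined check does not.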
