Hi! First of all: Yes, I have disabled pam_keyinit.so. :-)
I am experiencing a very strange problem: On my workstation, switching to root using "su -" (or just su) normally works fine. However, sometimes, when trying to "su" in a long-running shell, I'm losing my token. (See example 1 below.) Logging in via ssh and then doing "su -" works fine, though. (See example 2.)

It looks like there is something wrong with my PAG, since after getting a new PAG and a token from within the broken PAG, "su -" keeps my token again. (Example 3)

Even doing kinit and aklog -force (before doing su -) doesn't help. Syslog output with pam_krb5.so debug enabled doesn't show anything suspicious. (See below.) Even commenting out pam_krb5.so just for the su doesn't help.

Any hints?

Thanks,
--leo

P.S.: I'm using openafs-1.4.8-30.fc10.i386 on Fedora 10 (kernel 2.6.27.9-159.fc10.i686.PAE).

-------------------- Example 1 --------------------
[bergo...@ariel ~]$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 5020) tokens for [email protected] [Expires Feb 12 15:57]
   --End of list--
[bergo...@ariel ~]$ id -G
3000 10 107 500 501 1098248117
[bergo...@ariel ~]$ keyctl show
Session Keyring
       -3 --alswrv      0  3000  keyring: _ses.4114
480068621 ----s--v      0     0   \_ afs_pag: _pag
[bergo...@ariel ~]$ su -
[r...@ariel ~]# tokens

Tokens held by the Cache Manager:

   --End of list--
[r...@ariel ~]# id -G
0 1 2 3 4 6 10
[r...@ariel ~]# keyctl show
Session Keyring
       -3 --alswrv      0  3000  keyring: _ses.4114
480068621 ----s--v      0     0   \_ afs_pag: _pag
---------------------------------------------------

-------------------- Example 2 --------------------
[bergo...@ariel ~]$ ssh bergo...@ariel
[bergo...@ariel:~]$ tokens

Tokens held by the Cache Manager:

Tokens for [email protected] [Expires Feb 12 15:57]
   --End of list--
[bergo...@ariel:~]$ id -G
3000 10 107 500 501 1098248255
[bergo...@ariel:~]$ keyctl show
Session Keyring
       -3 --alswrv      0     0  keyring: _ses.13949
851940785 ----s--v      0     0   \_ afs_pag: _pag
[bergo...@ariel:~]$ su -
[r...@ariel ~]# tokens

Tokens held by the Cache Manager:

Tokens for [email protected] [Expires Feb 12 15:57]
   --End of list--
[r...@ariel ~]# id -G
0 1 2 3 4 6 10
[r...@ariel ~]# keyctl show
Session Keyring
       -3 --alswrv      0     0  keyring: _ses.13949
851940785 ----s--v      0     0   \_ afs_pag: _pag
---------------------------------------------------

-------------------- Example 3 --------------------
[bergo...@ariel ~]$ id -G
3000 10 107 500 501 1098248117
[bergo...@ariel ~]$ keyctl show
Session Keyring
       -3 --alswrv      0  3000  keyring: _ses.4114
480068621 ----s--v      0     0   \_ afs_pag: _pag
[bergo...@ariel ~]$ pagsh
sh-3.2$ id -G
3000 10 107 500 501 1098248260
sh-3.2$ keyctl show
Session Keyring
       -3 --alswrv   5020  3000  keyring: _ses.14509
808791921 ----s--v      0     0   \_ afs_pag: _pag
sh-3.2$ aklog
sh-3.2$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 5020) tokens for [email protected] [Expires Feb 12 19:49]
   --End of list--
sh-3.2$ su -
[r...@ariel ~]# tokens

Tokens held by the Cache Manager:

User's (AFS ID 5020) tokens for [email protected] [Expires Feb 12 19:49]
   --End of list--
---------------------------------------------------

-------------------- Syslog 1 --------------------
Feb 11 18:18:49 ariel su: pam_unix(su-l:session): session opened for user root by bergolth(uid=5020)
Feb 11 18:18:49 ariel su: pam_krb5[13573]: default/local realm 'WU-WIEN.AC.AT'
Feb 11 18:18:49 ariel su: pam_krb5[13573]: configured realm 'WU-WIEN.AC.AT'
Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: debug
Feb 11 18:18:49 ariel su: pam_krb5[13573]: flags: forwardable
Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: no ignore_afs
Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: no null_afs
Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: user_check
Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: no krb4_convert
Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: krb4_convert_524
Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: krb4_use_as_req
Feb 11 18:18:49 ariel su: pam_krb5[13573]: will try previously set password first
Feb 11 18:18:49 ariel su: pam_krb5[13573]: will ask for a password if that fails
Feb 11 18:18:49 ariel su: pam_krb5[13573]: will let libkrb5 ask questions
Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: no use_shmem
Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: external
Feb 11 18:18:49 ariel su: pam_krb5[13573]: flag: warn
Feb 11 18:18:49 ariel su: pam_krb5[13573]: ticket lifetime: 0s (0d,0h,0m,0s)
Feb 11 18:18:49 ariel su: pam_krb5[13573]: renewable lifetime: 0s (0d,0h,0m,0s)
Feb 11 18:18:49 ariel su: pam_krb5[13573]: banner: Kerberos 5
Feb 11 18:18:49 ariel su: pam_krb5[13573]: ccache dir: /tmp
Feb 11 18:18:49 ariel su: pam_krb5[13573]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
Feb 11 18:18:49 ariel su: pam_krb5[13573]: keytab: FILE:/etc/krb5.keytab
Feb 11 18:18:49 ariel su: pam_krb5[13573]: token strategy: v4,524,2b,rxk5
Feb 11 18:18:49 ariel su: pam_krb5[13573]: checking for externally-obtained v5 credentials
Feb 11 18:18:49 ariel su: pam_krb5[13573]: KRB5CCNAME is not set, none found
Feb 11 18:18:49 ariel su: pam_krb5[13573]: no v5 creds for user 'root', skipping session setup
Feb 11 18:18:49 ariel su: pam_krb5[13573]: pam_open_session returning 0 (Success)
--------------------------------------------------

-------------------- Syslog 2 --------------------
Feb 11 18:26:31 ariel su: pam_unix(su-l:session): session opened for user root by bergolth(uid=5020)
Feb 11 18:26:31 ariel su: pam_krb5[14103]: default/local realm 'WU-WIEN.AC.AT'
Feb 11 18:26:31 ariel su: pam_krb5[14103]: configured realm 'WU-WIEN.AC.AT'
Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: debug
Feb 11 18:26:31 ariel su: pam_krb5[14103]: flags: forwardable
Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: no ignore_afs
Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: no null_afs
Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: user_check
Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: no krb4_convert
Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: krb4_convert_524
Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: krb4_use_as_req
Feb 11 18:26:31 ariel su: pam_krb5[14103]: will try previously set password first
Feb 11 18:26:31 ariel su: pam_krb5[14103]: will ask for a password if that fails
Feb 11 18:26:31 ariel su: pam_krb5[14103]: will let libkrb5 ask questions
Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: no use_shmem
Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: external
Feb 11 18:26:31 ariel su: pam_krb5[14103]: flag: warn
Feb 11 18:26:31 ariel su: pam_krb5[14103]: ticket lifetime: 0s (0d,0h,0m,0s)
Feb 11 18:26:31 ariel su: pam_krb5[14103]: renewable lifetime: 0s (0d,0h,0m,0s)
Feb 11 18:26:31 ariel su: pam_krb5[14103]: banner: Kerberos 5
Feb 11 18:26:31 ariel su: pam_krb5[14103]: ccache dir: /tmp
Feb 11 18:26:31 ariel su: pam_krb5[14103]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
Feb 11 18:26:31 ariel su: pam_krb5[14103]: keytab: FILE:/etc/krb5.keytab
Feb 11 18:26:31 ariel su: pam_krb5[14103]: token strategy: v4,524,2b,rxk5
Feb 11 18:26:31 ariel su: pam_krb5[14103]: checking for externally-obtained v5 credentials
Feb 11 18:26:31 ariel su: pam_krb5[14103]: KRB5CCNAME is not set, none found
Feb 11 18:26:31 ariel su: pam_krb5[14103]: no v5 creds for user 'root', skipping session setup
Feb 11 18:26:31 ariel su: pam_krb5[14103]: pam_open_session returning 0 (Success)
--------------------------------------------------

--
e-mail   ::: Leo.Bergolth (at) wu-wien.ac.at
fax      ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria
