> Maybe the problem is that sometimes the token gets erroneously attached
> to the user and not to the PAG?
Sometimes you want it, sometimes not. From the man page of heimdal rshd(8):
    -P  When using the AFS filesystem, users' authentication tokens are
        put in something called a PAG (Process Authentication Group).
        Multiple processes can share a PAG, but normally each login
        session has its own PAG. This option disables the setpag() call,
        so all tokens will be put in the default (uid-based) PAG, making
        it possible to share tokens between sessions. This is only useful
        in peculiar environments, such as some batch systems.
Looks like we are peculiar.
> (In those broken PAGs, doing su leads to
> losing the token but exiting from su brings the token back again.
Which leads me to believe that in this case you are using uid based pags.
> Is there a way to check, if the token is attached to a PAG?
Hm...
$ ssh -Y -l haba -K -o GSSAPIKeyExchange=yes ekman '/usr/heimdal/bin/klist -T ; groups'
Credentials cache: FILE:/tmp/krb5cc_d23246
Principal: [email protected]
Issued Expires Principal
Feb 23 12:31:47 Feb 24 09:34:11 krbtgt/[email protected]
Feb 23 12:31:48 Feb 24 09:34:11 afs/[email protected]
Feb 23 12:31:48 Feb 24 09:34:11 [email protected]
Feb 23 12:31:48 Feb 24 09:34:11 User's (AFS ID 22421) tokens for nada.kth.se
Feb 23 12:31:48 Feb 24 09:34:11 User's (AFS ID 22421) tokens for pdc.kth.se
gopher 1098410290
id: cannot find name for group ID 1098410290
This is OS and Linux-version dependent. Here
(2.6.18-92.1.13.el5.centos.plus), the strange group number is the PAG-ID.
Harald.
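
One way to script the check described in this message, as an added example that is not part of the original post. It assumes the PAG is exposed as a single supplementary group whose top byte is 0x41 (the 1098410290 shown above is 0x41786932); that range and the function names are assumptions, not something the message states.

```shell
#!/bin/sh
# Added example, not from the original message.
# Assumption: a PAG appears as one supplementary group in the range
# 0x41000000..0x41ffffff. As the message notes, this is OS and kernel
# version dependent; systems that keep the PAG elsewhere show no such group.

PAG_MIN=1090519040   # 0x41000000
PAG_MAX=1107296255   # 0x41ffffff

# pag_from_gids GID...
# Print the first GID that looks like a PAG-ID; return 1 if there is none.
pag_from_gids() {
    for gid in "$@"; do
        case $gid in
            ''|*[!0-9]*) continue ;;   # skip anything that is not a plain number
        esac
        if [ "$gid" -ge "$PAG_MIN" ] && [ "$gid" -le "$PAG_MAX" ]; then
            echo "$gid"
            return 0
        fi
    done
    return 1
}

# describe_session GID...
# One-line verdict for a list of numeric group IDs.
describe_session() {
    if pag=$(pag_from_gids "$@"); then
        printf 'PAG group %s (0x%x): session has its own PAG\n' "$pag" "$pag"
    else
        echo 'no PAG group found: uid-based tokens, or PAG not exposed as a group'
    fi
}

# Check the current session (id -G prints numeric group IDs).
describe_session $(id -G)
```

Run it once in the login shell and once inside su to see whether the PAG group survives the switch.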