Hi!

On 02/23/2009 11:39 PM, Sergio Gelato wrote:
> * Alexander 'Leo' Bergolth [2009-02-23 12:12:55 +0100]:
>> On 02/11/2009 07:03 PM, Alexander 'Leo' Bergolth wrote:
>>> First of all: Yes, I have disabled pam_keyinit.so. :-)
>>>
>>> I am experiencing a very strange problem:
>>>
>>> On my workstation, switching to root using "su -" (or just su) normally
>>> works fine.
>>> However sometimes, when trying to "su" in a long running shell, I'm
>>> losing my token. (See the example 1 below.)
>>>
>>> Logging in via ssh and then doing "su -" works fine though. (See example 2).
>>>
>>> It looks like there is something wrong with my PAG since after getting a
>>> new PAG and a token from within the broken PAG, "su -" keeps my token
>>> again. (Example 3)
>> I am still suffering from that problem.
>> Any ideas how I could debug that?
[...]
> I just tried with a 2.6.26 kernel (Debian 5.0) and couldn't reproduce
> this behaviour. Depending on /etc/pam.d/su I either keep the same PAG
> and tokens or get into a new PAG which keyctl reports as such. Either
> way, the behaviour is as I would expect and unlike the one you report.

The funny thing is:
1) ssh'ing to the same account and doing su from there also produces
   the expected results.
2) after restarting the X-Session, su'ing also works for some time
   (maybe for the lifetime of a token?)

Reauthentication currently is done either manually via klog or with
pam_krb5 called by kscreensaver.

I'll try to reproduce these tests by logging in via ssh and
reauthenticating via klog after the token had expired...

> I've had to apply some post-1.4.8 patches to OpenAFS because that 2.6.28
> kernel is really 2.6.28.3 and needs the "2.6.29" patch; they were
> STABLE14-libuafs-updates-20081229
> STABLE14-linux-truncate-race-20090109
> STABLE14-linux-i-size-20090112
> STABLE14-linux-2629-20090115
>
> Can you reproduce the problem when su is configured not to call pam_krb5
> at all?

Yes. I've commented out both pam_krb5 and pam_keyinit. Same results.

> How about when you su to the same user instead of to root? (If you were
> PAGless, this ought to work. I don't think you are, but it's an easy
> test.)

That's a good point. su'ing to the same user also doesn't work:

[bergo...@ariel ~]$ su bergolth
bash: /afs/wu-wien.ac.at/home/edvz/bergolth/.bashrc: Permission denied
bash-3.2$

[bergo...@ariel ~]$ sudo -u bergolth bash
bash: /afs/wu-wien.ac.at/home/edvz/bergolth/.bashrc: Permission denied
bash-3.2$

This disproves my theory of the User-ID attached token...

Cheers,
--leo
-- 
e-mail   ::: Leo.Bergolth (at) wu-wien.ac.at
fax      ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria

_______________________________________________
OpenAFS-info mailing list
https://lists.openafs.org/mailman/listinfo/openafs-info
