On Mon, Dec 1, 2014 at 12:37 PM, Anders Magnusson <[email protected]> wrote: > Some years ago (around 2008) I did setup a SMB to AFS gateway like this (on > RedHat): > > - samba configured to use Kerberos for client auth > - when user authenticated, use root preexec with kimpersonate to get an AFS > token > - The token was set to the uid, PAGs were not used. > > This worked actually wery well. > > Anyway, we have just tried to do the same again, but this time it do not > work at all. > Some debugging shows that a token is created to the uid, and su:ing to that > uid works, but smbd gets permission denied. > > strace of smbd shows this: > > > setregid(4294967295, 513) = 0 > > getegid() = 513 > > setreuid(4294967295, 14431) = 0
That's the key line here, the real uid is left unchanged and the effective uid is set. But OpenAFS relies on the real uid to set and retrieve tokens, so this won't work. On the OpenAFS side this was inadvertently changed in 1.6.0 and 1.6.1 but restored in 1.6.2. On the samba side it looks like it should be setting both the effective and real uids with setresuid() (some code there was added specifically because of OpenAFS), but that code is conditional to some configure tests, and there's a fallback to a setuid(-1, uid) that looks like the one above, in case of error. Do you see a failing setresuid() in the trace before the setreuid call? Marc _______________________________________________ OpenAFS-info mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-info
