Marc Dionne skrev den 2014-12-02 12:33:
On Mon, Dec 1, 2014 at 12:37 PM, Anders Magnusson <[email protected]> wrote:
Some years ago (around 2008) I did setup a SMB to AFS gateway like this (on
RedHat):
- samba configured to use Kerberos for client auth
- when user authenticated, use root preexec with kimpersonate to get an AFS
token
- The token was set to the uid, PAGs were not used.
This worked actually wery well.
Anyway, we have just tried to do the same again, but this time it do not
work at all.
Some debugging shows that a token is created to the uid, and su:ing to that
uid works, but smbd gets permission denied.
strace of smbd shows this:
setregid(4294967295, 513) = 0
getegid() = 513
setreuid(4294967295, 14431) = 0
That's the key line here, the real uid is left unchanged and the
effective uid is set. But OpenAFS relies on the real uid to set and
retrieve tokens, so this won't work. On the OpenAFS side this was
inadvertently changed in 1.6.0 and 1.6.1 but restored in 1.6.2. On
the samba side it looks like it should be setting both the effective
and real uids with setresuid() (some code there was added specifically
because of OpenAFS), but that code is conditional to some configure
tests, and there's a fallback to a setuid(-1, uid) that looks like the
one above, in case of error. Do you see a failing setresuid() in the
trace before the setreuid call?
Interesting, this sounds like you found the cause!
Hm, no setresuid() call before. Actually nothing related to setting uid.
But using setuid() would prevent samba from changing users in the same
connection, won't it?
-- Ragge
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
