On 01/20/2015 03:46 PM, Benjamin Kaduk wrote:
> Hi,
>
> On Tue, 20 Jan 2015, Yvan Masson wrote:
>> Hi,
>>
>> I'm currently preparing the installation of Debian 8 Jessie (the current
>> almost stable) workstations in an OpenAFS environment. Users can log in
>> with their AFS credentials.
>>
>> My problem is that if a user uses the "sudo" command, he loses his AFS
>> token. After that, the user can use "aklog" to get a new token. The
>> Kerberos tickets are not destroyed.
>
> I don't use sudo on my Debian machines (just su), so I think you may need
> to clarify a bit more: is sudo being used to run a single command with
> privilege, or to run an interactive shell (as in sudo -i)? Is only the
> terminal where sudo was run affected, or are other terminal windows
> affected as well?
>
>> I suppose that I should do something with PAM, probably
>> in /etc/pam.d/sudo, but I don't know exactly what.
>
> Well, it probably depends on whether the default (uid-based) pag is in
> use, or a session-specific pag.
>
> I think that with jessie's kernel the pag information is stored in the
> keyring, so 'keyctl show' before and after sudo is run may be helpful.

Here is another data point from my experience on RHEL5 with
pam_afs_session. I've noticed the following functionality:
command             keeps tokens
'sudo -i'           no
'sudo -s'           yes
'sudo /bin/bash'    yes
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
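
The 'keyctl show' before/after comparison suggested in the thread, as an added example that is not part of the original messages. The two listings are constructed, and the key type name afs_pag, the _ses keyring name and the function names summarise and compare are assumptions of this sketch.

```shell
#!/bin/sh
# Constructed `keyctl show` listings (all IDs and uids are made up).
# Assumption: the PAG shows up as a key of type afs_pag in the session keyring.
BEFORE='Session Keyring
 670126861 --alswrv   1000  1000  keyring: _ses
 141250523 ----s--v      0     0   \_ afs_pag: _pag'
# Hypothetical "after" case: a fresh session keyring with no PAG key in it.
AFTER_NEW_SESSION='Session Keyring
 905512377 --alswrv      0     0  keyring: _ses
 311870046 --alswrv      0 65534   \_ keyring: _uid.0'

# Read a listing on stdin, print "<session-keyring-id> <pag-key-id>",
# with "none" for whichever of the two is absent.
summarise() {
    awk '
        /keyring: _ses/ && ses == "" { ses = $1 }
        /afs_pag:/      && pag == "" { pag = $1 }
        END {
            if (ses == "") ses = "none"
            if (pag == "") pag = "none"
            print ses, pag
        }'
}

# Compare two listings: $1 captured before sudo, $2 captured inside
# the shell or command that sudo started.
compare() {
    before=$(printf '%s\n' "$1" | summarise)
    after=$(printf '%s\n' "$2" | summarise)
    if [ "${before#* }" = none ]; then
        echo no-pag-before      # nothing to lose: no PAG key to begin with
    elif [ "${after#* }" = none ]; then
        echo pag-lost           # PAG key is not reachable after sudo
    elif [ "$after" = "$before" ]; then
        echo pag-kept           # same session keyring, same PAG key
    else
        echo pag-changed        # a PAG key exists, but not the original one
    fi
}

echo "before:      $(printf '%s\n' "$BEFORE" | summarise)"
echo "after:       $(printf '%s\n' "$AFTER_NEW_SESSION" | summarise)"
echo "result:      $(compare "$BEFORE" "$AFTER_NEW_SESSION")"
```

On a live system, replace the two variables with the output of 'keyctl show' captured in the original shell and again under each sudo variant from the table above.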