Thanks for your fast answers.

On Tuesday 20 January 2015 at 20:37 -0500, Jason Edgecombe wrote:
> On 01/20/2015 03:46 PM, Benjamin Kaduk wrote:
> > Hi,
> >
> > On Tue, 20 Jan 2015, Yvan Masson wrote:
> >
> >> Hi,
> >>
> >> I'm currently preparing the installation of Debian 8 Jessie (the current
> >> almost stable) workstations in an OpenAFS environment. Users can log in
> >> with their AFS credentials.
> >> My problem is that if a user uses the "sudo" command, he loses his afs
> >> token. After that, the user can use "aklog" to get a new token. The
> >> Kerberos tickets are not destroyed.
> > I don't use sudo on my debian machines (just su), so I think you may need
> > to clarify a bit more: is sudo being used to run a single command with
> > privilege, or to run an interactive shell (as in sudo -i)?

The most important for me would be just one command (for example "sudo ls").

> > Is only the
> > terminal where sudo was run affected, or are other terminal windows
> > affected as well?

If I use sudo in gnome-terminal for example, the token is lost for this terminal and for my whole X session: this is my biggest problem. But if I also have a running TTY, the token in my TTY is not destroyed.

> >> I suppose that I should do something with PAM, probably
> >> in /etc/pam.d/sudo, but I don't know exactly what.
> > Well, it probably depends on whether the default (uid-based) pag is in
> > use, or a session-specific pag.
> >
> > I think that with jessie's kernel the pag information is stored in the
> > keyring, so 'keyctl show' before and after sudo is run may be helpful.

Pardon, but I don't know how to use this tool: can I run it from a terminal?

> Here is another data point from my experience on RHEL5 with
> pam_afs_session. I've noticed the following functionality:
>
> command            keeps tokens
> 'sudo -i'          no
> 'sudo -s'          yes
> 'sudo /bin/bash'   yes

For all of these commands, I keep the token while I am root, but it is destroyed when I type "exit".
