-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear all,
I did some tests and got some additional information on the problem: The token disappears also with the latest openafs-{krb5,client,modules-dkms} from experimental. I did a test setup with a clean jessie and upgraded it to unstable, followed by the installation of said packages from experimental (version 1.6.11~pre1-1). In addition, it seems the token only disappears when the Kerberos-username is identical with the Unix username. When I use a different account (testuser) and get the kerberos token (and AFS token with aklog) for "kerberosuser" (testuser@sid: kinit kerberosuser), I can use sudo without affecting the AFS token. Could it be possibly be something with the PAM stack? I attached the config files. The only change done to this files after installation was a change in the minimum_uids. Also, has anyone a suggestion if I should file a bug for this and if yes, for which package? I still got no real feeling for where this comes from, but it makes the use of such systems (sudo@openAFS and Kerberos) quite annoying. Best regards, Christoph Schober - -- Christoph Schober GnuPG key Id 0x3B6914EB -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJUkp9uAAoJENHdu+iSulRgwooQAKUg8/jFuI8MrnHCRNKMrZcT Bs7g8jsThbOgiJ1/xhI/j1lR0yYz1JqjJasBmL6cXTGLw8y4LHjpsKDPGWN9xVxn IfvttKH0RDXuEMqCubh3mkG61Gkz1aL4N5n0nuHXQAw6iFf0YaOhJN0vnjNVv6QL rdMJzBJvbKq7vmYJJ8DK0eQp69JsxANDPEhqeC8Nz8kcgjER+dnMKG25Db7Y7EAk XjcNEldejZhpIHK5JMxaFx84ExqFuTcw4Vdfmu9V+COlh3zNVH1rJMUW+Hs2SddO qsAePrl9WYdEaLL4F++ds8/GfDyd4gLxMDdgZAuywN/C0/IR0qM2URGrzxRhgZvy fBLAS7SROiEFLdlPUCol95KINxblH62jEEd7zNeZIJK5V2nqLiOs93Gffcpdyelz suJ1FURGjMgk5U/9/CxKG3Hl6CUbnGz98vt4pqoOi7iciz87O7iKa7cIEK7U5nw4 u+AmHfSzyD093GzU8QCv+YmUBUHMsa7nswCxURm3fVR92F9h6VFP+sbV7JwM+psA tdPDtf4A9YajNSuAU6ReVRrmRXArpLZi7bE+ola81rm7SiaiIJ+poX8/LCXSZPEu e8VBibEfsvdkBXAhGyeElXsWzWQTtDO4I6/9sPy7td603fYIte0rqtsv6wc7Je2x z6A1mudFeVmymfU57yuL =fusu -----END PGP SIGNATURE-----
# # /etc/pam.d/common-account - authorization settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authorization modules that define # the central access policy for use on the system. The default is to # only deny service to users whose accounts are expired in /etc/shadow. # # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. # # here are the per-package modules (the "Primary" block) account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so # here's the fallback if no module succeeds account requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around account required pam_permit.so # and here are more per-package modules (the "Additional" block) account required pam_krb5.so minimum_uid=500 account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=500 # end of pam-auth-update config
# # /etc/pam.d/common-auth - authentication settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. # here are the per-package modules (the "Primary" block) auth [success=3 default=ignore] pam_krb5.so minimum_uid=500 auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass auth [success=1 default=ignore] pam_ldap.so use_first_pass minimum_uid=500 # here's the fallback if no module succeeds auth requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around auth required pam_permit.so # and here are more per-package modules (the "Additional" block) auth optional pam_afs_session.so # end of pam-auth-update config
# # /etc/pam.d/common-password - password-related modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define the services to be # used to change user passwords. The default is pam_unix. # Explanation of pam_unix options: # # The "sha512" option enables salted SHA512 passwords. Without this option, # the default is Unix crypt. Prior releases used the option "md5". # # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in # login.defs. # # See the pam_unix manpage for other options. # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. # here are the per-package modules (the "Primary" block) password [success=3 default=ignore] pam_krb5.so minimum_uid=500 password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 password [success=1 default=ignore] pam_ldap.so try_first_pass minimum_uid=500 # here's the fallback if no module succeeds password requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around password required pam_permit.so # and here are more per-package modules (the "Additional" block) # end of pam-auth-update config
# # /etc/pam.d/common-session - session-related modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define tasks to be performed # at the start and end of sessions of *any* kind (both interactive and # non-interactive). # # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. # here are the per-package modules (the "Primary" block) session [default=1] pam_permit.so # here's the fallback if no module succeeds session requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around session required pam_permit.so # and here are more per-package modules (the "Additional" block) session optional pam_krb5.so minimum_uid=500 session required pam_unix.so session [success=ok default=ignore] pam_ldap.so minimum_uid=500 session optional pam_afs_session.so # end of pam-auth-update config
#%PAM-1.0 @include common-auth @include common-account @include common-session-noninteractive