This is pretty much standard behavior on RHEL. IMHO, I prefer the version w/o the uid since it's can often be a lie. This can be really confusing when using ssh and GSSAPI to login to role accounts.
We use a handy little perl script called qtoken to find out what uid is REALLY in your token. On Tue, Nov 20, 2012 at 9:50 AM, Brandon Allbery <allber...@gmail.com>wrote: > On Tue, Nov 20, 2012 at 12:43 PM, Michael Meffie > <mmef...@sinenomine.net>wrote: > >> I haven't looked into this yet, but I happened to notice (only yesterday), >> that if I run aklog with the -noprdb option, the same thing occurs, that >> is a token is set, but not listed by `tokens'. Perhaps a clue. >> > > I see it listed but without an AFS ID; this is inevitable as the only way > to get the AFS ID (which functionally is a comment) is to query the prdb. > > This does suggest that the prdb is not being queried for some reason, or > the query is silently failing. Since it's not functionally required, > failure of the query may well not be reported as such. > > -- > brandon s allbery kf8nh sine nomine > associates > allber...@gmail.com > ballb...@sinenomine.net > unix/linux, openafs, kerberos, infrastructure > http://sinenomine.net > >