* Yvan Masson [2015-01-27 09:48:46 +0100]:
> Yes, pam_afs_session is in some pam files: common-auth, common-session
> and common-session-noninteractive. These files are attached. Indeed, I
> suppose something is wrong here.

I don't see anything obviously amiss, but these files don't tell the whole story since pam_afs_session honors settings in /etc/krb5.conf.

In theory, pam_open_session should put the session into its own PAG, then (try to) acquire a new token; pam_close_session will unlog (i.e., destroy the token), but this should only affect the session's PAG. It sounds like the unlog is happening (i.e., retain_after_close is not set) but the PAG creation is not (i.e., either nopag is set or PAG creation fails for some other reason).

You said that "keyctl show" reported the exact same session keyring name within and without the sudo session? That would confirm that the PAG hasn't changed.

I guess you could work around the issue by editing /etc/pam.d/sudo to include a modified version of common-session-noninteractive that passes retain_after_close to pam_afs_session. (Or maybe you can live with using retain_after_close system-wide.)
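
To check which pam_afs_session options the sudo PAM stack actually receives, before and after the workaround suggested above, the following added example (not part of the original message) follows Debian-style `@include` lines and flags `nopag` and `retain_after_close`. The sample tree, its file contents, and the names `sudo-fixed` and `common-session-sudo` are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the pam_afs_session lines in effect for one PAM service.
PAM_DIR=${PAM_DIR:-/etc/pam.d}

# afs_lines SERVICE -> prints "file: line" for each pam_afs_session entry,
# descending into "@include other-file" directives.
afs_lines() {
    [ -r "$PAM_DIR/$1" ] || return 0
    while IFS= read -r line; do
        case $line in
            '#'*|'') continue ;;                       # comment or blank line
            '@include '*) afs_lines "${line#@include }" ;;
            *pam_afs_session*) printf '%s: %s\n' "$1" "$line" ;;
        esac
    done < "$PAM_DIR/$1"
}

# afs_has_option SERVICE OPTION -> exit 0 if any such line carries OPTION
afs_has_option() {
    afs_lines "$1" | grep -Eq "[[:space:]]$2([[:space:]]|\$)"
}

# Constructed sample tree (hypothetical contents, not a real /etc/pam.d).
make_demo_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'session required pam_unix.so' \
        'session optional pam_afs_session.so' \
        > "$d/common-session-noninteractive"
    printf '%s\n' '@include common-auth' \
        '@include common-session-noninteractive' > "$d/sudo"
    # Workaround: sudo includes a modified copy that passes the option.
    printf '%s\n' 'session required pam_unix.so' \
        'session optional pam_afs_session.so retain_after_close' \
        > "$d/common-session-sudo"
    printf '%s\n' '@include common-auth' \
        '@include common-session-sudo' > "$d/sudo-fixed"
    echo "$d"
}

PAM_DIR=$(make_demo_dir)
for svc in sudo sudo-fixed; do
    afs_lines "$svc"
    for opt in nopag retain_after_close; do
        afs_has_option "$svc" "$opt" && echo "$svc: $opt is set"
    done
done
```

This only inspects the PAM files; options that pam_afs_session picks up from /etc/krb5.conf are not visible to it and have to be checked there.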