Re: [OpenAFS] Token gone after sudo?!

2016-01-08 Thread Alexander Lazarević
Guys, thanks for the hints on where to look.

2016-01-03 23:00 GMT+01:00 Sergio Gelato :

> Defaults !pam_setcred


Sergio, this works for me. Thanks for the solution and the reference to
the bug report for Ubuntu!

Cheers,
 Alex


Re: [OpenAFS] Token gone after sudo?!

2016-01-03 Thread Sergio Gelato
* Alexander Lazarević [2015-12-31 00:05:59 +0100]:
> I just recently upgraded to Ubuntu 15.10 and I am using the openafs
> client 1.6.16-0ppa1~ubuntu15.10.2. With the switch to 15.10 I started to
> notice tokens "disappearing".

Ubuntu 15.10 "wily werewolf" uses libpam-afs-session 2.5-4.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782589
presumably applies. According to the changelog for sudo the default behaviour
for pam_setcred was changed in 1.8.10p2, and indeed Ubuntu ships version
1.8.9p5 in vivid, 1.8.12 in wily.

So either add
Defaults !pam_setcred
to your sudo configuration or backport libpam-afs-session 2.6-1 from xenial.
(I've done both, after determining that the new default sudo behaviour wasn't
useful in my environment.)

The same problem affects Debian 8 (jessie).
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
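
Added example, not part of any poster's message: a small check that combines the `aklog; tokens; sudo ...; tokens` reproduction and the `keyctl list @s` comparison from this thread, usable to confirm whether a sudo or PAM change took effect. The function names, verdict strings and sample `tokens` output are constructed for this sketch.

```shell
#!/bin/sh
# Added example: classify a "token gone after sudo" reproduction.
# Function names and verdict strings are hypothetical, chosen for this sketch.

# Constructed sample `tokens` output, modelled on the listing in this thread.
SAMPLE_BEFORE="Tokens held by the Cache Manager:

User's (AFS ID 2) tokens for afs@example.com [Expires Dec 31 09:50]
   --End of list--"
SAMPLE_AFTER="Tokens held by the Cache Manager:

   --End of list--"

# Count token entries in `tokens` output read from stdin.
# grep -c exits 1 on zero matches, so mask that for callers using `set -e`.
count_tokens() {
    grep -c 'tokens for ' || true
}

# diagnose TOKENS_BEFORE TOKENS_AFTER KEYRING_OUTSIDE KEYRING_INSIDE
diagnose() {
    before=$(printf '%s\n' "$1" | count_tokens)
    after=$(printf '%s\n' "$2" | count_tokens)
    if [ "$before" -eq 0 ]; then
        echo "no-token-before"        # nothing to lose: run aklog first
    elif [ "$after" -ge "$before" ]; then
        echo "ok"                     # tokens survived the sudo call
    elif [ "$3" != "$4" ]; then
        echo "lost-keyring-changed"   # keyring listing differs under sudo
    else
        echo "lost-keyring-same"      # same listing: inspect sudo's PAM credential handling
    fi
}

# Live run on an AFS client: one sudo call sits between the two `tokens` calls.
live_check() {
    t1=$(tokens)
    k1=$(keyctl list @s 2>&1)
    k2=$(sudo keyctl list @s 2>&1)
    t2=$(tokens)
    diagnose "$t1" "$t2" "$k1" "$k2"
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run with `--live` after `aklog`; a result of `ok` after changing the sudo configuration means the token survived the sudo call.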


Re: [OpenAFS] Token gone after sudo?!

2015-12-31 Thread Chas Williams
It's probably that your /etc/pam.d/sudo is using pam_keyring.so
to set up a new keyring when you sudo.

Do a keyctl list @s before and sudo keyctl list @s and see if
the keyring is being replaced.

On Thu, 2015-12-31 at 00:05 +0100, Alexander Lazarević wrote:
> Hi!
> 
> I just recently upgraded to Ubuntu 15.10 and I am using the openafs
> client 1.6.16-0ppa1~ubuntu15.10.2. With the switch to 15.10 I started
> to notice tokens "disappearing".
> 
> The following is an example of how to reliably make tokens disappear
> for me:
> 
> aklog; tokens; sudo ls /dev/null; tokens
> 
> Tokens held by the Cache Manager:
> 
> User's (AFS ID 2) tokens for a...@mydomain.com [Expires Dec 31
> 09:50]
>    --End of list--
> /dev/null
> 
> Tokens held by the Cache Manager:
> 
>    --End of list--
> 
> I can't remember that this would happen. But I surely could be wrong?!
> 
> Regards,
>  Alex


Re: [OpenAFS] Token gone after sudo?!

2015-12-31 Thread Benjamin Kaduk
It's very likely to be an issue with the PAM configuration, yes.
I think we've seen some cases where it was pam_afs_session that was
misconfigured and not pam_keyring, but I didn't check the archives,
myself.

-Ben

On Thu, 31 Dec 2015, Chas Williams wrote:

> It's probably that your /etc/pam.d/sudo is using pam_keyring.so
> to set up a new keyring when you sudo.
>
> Do a keyctl list @s before and sudo keyctl list @s and see if
> the keyring is being replaced.
>
> On Thu, 2015-12-31 at 00:05 +0100, Alexander Lazarević wrote:
> > Hi!
> > 
> > I just recently upgraded to Ubuntu 15.10 and I am using the openafs
> > client 1.6.16-0ppa1~ubuntu15.10.2. With the switch to 15.10 I started
> > to notice tokens "disappearing".
> > 
> > The following is an example of how to reliably make tokens disappear
> > for me:
> > 
> > aklog; tokens; sudo ls /dev/null; tokens
> > 
> > Tokens held by the Cache Manager:
> > 
> > User's (AFS ID 2) tokens for a...@mydomain.com [Expires Dec 31
> > 09:50]
> >    --End of list--
> > /dev/null
> > 
> > Tokens held by the Cache Manager:
> > 
> >    --End of list--
> > 
> > I can't remember that this would happen. But I surely could be wrong?!
> > 
> > Regards,
> >  Alex

[OpenAFS] Token gone after sudo?!

2015-12-30 Thread Alexander Lazarević
Hi!

I just recently upgraded to Ubuntu 15.10 and I am using the openafs
client 1.6.16-0ppa1~ubuntu15.10.2. With the switch to 15.10 I started to
notice tokens "disappearing".

The following is an example of how to reliably make tokens disappear for me:

aklog; tokens; sudo ls /dev/null; tokens

Tokens held by the Cache Manager:

User's (AFS ID 2) tokens for a...@mydomain.com [Expires Dec 31 09:50]
   --End of list--
/dev/null

Tokens held by the Cache Manager:

   --End of list--

I can't remember that this would happen. But I surely could be wrong?!

Regards,
 Alex