Re: [OpenAFS] Token gone after sudo?!
Guys, thanks for the hints on where to look.

2016-01-03 23:00 GMT+01:00 Sergio Gelato:
> Defaults !pam_setcred

Sergio, this works for me. Thanks for the solution and the reference to the bug report for Ubuntu!

Cheers,
Alex
Re: [OpenAFS] Token gone after sudo?!
* Alexander Lazarević [2015-12-31 00:05:59 +0100]:
> I just recently upgraded to ubuntu 15.10 and I am using the openafs
> client 1.6.16-0ppa1~ubuntu15.10.2. With the switch to 15.10 I started to
> notice tokens to "disappear".

Ubuntu 15.10 "wily werewolf" uses libpam-afs-session 2.5-4.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782589 presumably applies.

According to the changelog for sudo the default behaviour for pam_setcred was changed in 1.8.10p2, and indeed Ubuntu ships version 1.8.9p5 in vivid, 1.8.12 in wily.

So either add

    Defaults !pam_setcred

to your sudo configuration or backport libpam-afs-session 2.6-1 from xenial. (I've done both, after determining that the new default sudo behaviour wasn't useful in my environment.)

The same problem affects Debian 8 (jessie).

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Token gone after sudo?!
It's probably that your /etc/pam.d/sudo is using pam_keyring.so to set up a new keyring when you sudo.

Do a

    keyctl list @s

before and

    sudo keyctl list @s

and see if the keyring is being replaced.

On Thu, 2015-12-31 at 00:05 +0100, Alexander Lazarević wrote:
> Hi!
>
> I just recently upgraded to ubuntu 15.10 and I am using the openafs
> client 1.6.16-0ppa1~ubuntu15.10.2. With the switch to 15.10 I started
> to notice tokens to "disappear".
>
> The following is an example of how to reliably make tokens disappear
> for me:
>
> aklog; tokens; sudo ls /dev/null; tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID 2) tokens for a...@mydomain.com [Expires Dec 31 09:50]
>    --End of list--
> /dev/null
>
> Tokens held by the Cache Manager:
>
>    --End of list--
>
> I can't remember that this would happen. But I surely could be wrong?!
>
> Regards,
> Alex
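
The check suggested in the message above (compare `keyctl list @s` with `sudo keyctl list @s`), scripted as an added example that is not part of the original thread. The function names, the `--live` switch and the sample captures are this example's own; the sample `keyctl list` lines are constructed.

```shell
#!/bin/sh
# Added example: list keys visible in the session keyring before sudo
# that are no longer visible under sudo.

# Read `keyctl list` output on stdin; print the numeric key IDs, one per line.
key_ids() {
    awk '$1 ~ /^[0-9]+:$/ { sub(/:$/, "", $1); print $1 }'
}

# $1 = `keyctl list @s` output, $2 = `sudo keyctl list @s` output.
# Prints every key ID present in $1 but absent from $2.
keys_lost_under_sudo() {
    { printf '%s\n' "$2" | key_ids | sed 's/^/A /'
      printf '%s\n' "$1" | key_ids | sed 's/^/B /'; } |
    awk '$1 == "A" { seen[$2] = 1 }
         $1 == "B" && !($2 in seen) { print $2 }'
}

# Constructed sample captures (IDs, types and descriptions are made up).
SAMPLE_BEFORE='2 keys in keyring:
123456789: --alswrv  1000  1000 keyring: _uid.1000
987654321: --alswrv  1000    -1 afs_pag: _pag'
SAMPLE_SUDO='1 key in keyring:
555555555: --alswrv     0     0 keyring: _uid.0'

if [ "${1:-}" = "--live" ]; then
    # Real run: capture both views on the affected machine.
    before=$(keyctl list @s)
    under_sudo=$(sudo keyctl list @s)
else
    before=$SAMPLE_BEFORE
    under_sudo=$SAMPLE_SUDO
fi

lost=$(keys_lost_under_sudo "$before" "$under_sudo")
if [ -n "$lost" ]; then
    echo "keys not visible under sudo (session keyring changed):"
    echo "$lost"
else
    echo "session keyring contents unchanged under sudo"
fi
```

Run it with `--live` once before and once after changing the sudo or PAM configuration; an empty result means sudo kept the caller's session keyring.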
Re: [OpenAFS] Token gone after sudo?!
It's very likely to be an issue with the PAM configuration, yes. I think we've seen some cases where it was pam_afs_session that was misconfigured and not pam_keyring, but I didn't check the archives, myself.

-Ben

On Thu, 31 Dec 2015, Chas Williams wrote:
> It's probably that your /etc/pam.d/sudo is using pam_keyring.so
> to set up a new keyring when you sudo.
>
> Do a keyctl list @s before and sudo keyctl list @s and see if
> the keyring is being replaced.
>
> On Thu, 2015-12-31 at 00:05 +0100, Alexander Lazarević wrote:
> > Hi!
> >
> > I just recently upgraded to ubuntu 15.10 and I am using the openafs
> > client 1.6.16-0ppa1~ubuntu15.10.2. With the switch to 15.10 I started
> > to notice tokens to "disappear".
> >
> > The following is an example of how to reliably make tokens disappear
> > for me:
> >
> > aklog; tokens; sudo ls /dev/null; tokens
> >
> > Tokens held by the Cache Manager:
> >
> > User's (AFS ID 2) tokens for a...@mydomain.com [Expires Dec 31 09:50]
> >    --End of list--
> > /dev/null
> >
> > Tokens held by the Cache Manager:
> >
> >    --End of list--
> >
> > I can't remember that this would happen. But I surely could be wrong?!
> >
> > Regards,
> > Alex
[OpenAFS] Token gone after sudo?!
Hi!

I just recently upgraded to ubuntu 15.10 and I am using the openafs client 1.6.16-0ppa1~ubuntu15.10.2. With the switch to 15.10 I started to notice tokens to "disappear".

The following is an example of how to reliably make tokens disappear for me:

    aklog; tokens; sudo ls /dev/null; tokens

    Tokens held by the Cache Manager:

    User's (AFS ID 2) tokens for a...@mydomain.com [Expires Dec 31 09:50]
       --End of list--
    /dev/null

    Tokens held by the Cache Manager:

       --End of list--

I can't remember that this would happen. But I surely could be wrong?!

Regards,
Alex