Re: [OpenAFS] screen loses tokens - Solaris 10

2011-08-15 Thread Jeff Blaine

On 8/15/2011 6:13 PM, Russ Allbery wrote:
> Jeff Blaine writes:
>
>> Thanks Russ (and Kevin!).  Both hosts are using that option.
>
>> Identical /etc/pam.conf and /etc/krb5.conf files on both
>> the working and failing hosts.
>
>> login session optional pam_krb5RA.so minimum_uid=92 retain_after_close
>
>> I'll play around though.
>
> You need it for pam_afs_session as well.  Try running with debug set for
> both and make sure that syslog says that it's not deleting tickets and
> tokens during the logout.


That solved it.

Now I wish I could explain why it worked fine on
the one box and not the other.

Thanks.
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
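
An added example, not part of the thread or of either PAM module: a check for the condition resolved above, where `retain_after_close` was set for pam_krb5 but not for pam_afs_session. The function names, the `pam_afs_session.so` file name, the sample files, and the choice to accept either a pam.conf option or the `[appdefaults]` setting Kevin posted are assumptions of this example.

```shell
#!/bin/sh
# Added example: list the PAM session modules from this thread that would still
# destroy tickets/tokens at session close. Paths are passed in by the caller.

# Succeeds if krb5.conf [appdefaults] has: <section> = { retain_after_close = true }
# (one setting per line, the layout Kevin posted).
appdefault_set() {  # $1 = krb5.conf, $2 = section (pam or pam-afs-session)
    awk -v sec="$2" '
        $1 ~ /^\[/ { in_app = ($1 == "[appdefaults]"); in_sec = 0; next }
        in_app && $1 == sec && $2 == "=" && $3 == "{" { in_sec = 1; next }
        in_sec && $1 == "}" { in_sec = 0; next }
        in_sec && $1 == "retain_after_close" && $3 == "true" { found = 1 }
        END { exit !found }' "$1" 2>/dev/null
}

# Prints each module with a session line lacking the option and no appdefaults setting.
check_retain() {  # $1 = pam.conf (Solaris format), $2 = krb5.conf
    for pair in pam_krb5:pam pam_afs_session:pam-afs-session; do
        mod=${pair%%:*}; sec=${pair#*:}
        bad=$(awk -v mod="$mod" '
            $1 !~ /^#/ && $2 == "session" && $4 ~ mod {
                ok = 0
                for (i = 5; i <= NF; i++) if ($i == "retain_after_close") ok = 1
                if (!ok) n++
            }
            END { print n + 0 }' "$1")
        if [ "$bad" -gt 0 ] && ! appdefault_set "$2" "$sec"; then
            echo "$mod"
        fi
    done
}

# Constructed sample files: the pam_afs_session line and krb5.conf are made up.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        'login session optional pam_krb5RA.so minimum_uid=92 retain_after_close' \
        'login session required pam_afs_session.so' > "$d/pam.conf"
    : > "$d/krb5.conf"
    check_retain "$d/pam.conf" "$d/krb5.conf"      # reports pam_afs_session
    printf '%s\n' '[appdefaults]' 'pam-afs-session = {' \
        'retain_after_close = true' '}' > "$d/krb5.conf"
    check_retain "$d/pam.conf" "$d/krb5.conf"      # reports nothing
    rm -rf "$d"
}
demo
```
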


Re: [OpenAFS] screen loses tokens - Solaris 10

2011-08-15 Thread Russ Allbery
Jeff Blaine  writes:

> Thanks Russ (and Kevin!).  Both hosts are using that option.

> Identical /etc/pam.conf and /etc/krb5.conf files on both
> the working and failing hosts.

> login session optional pam_krb5RA.so minimum_uid=92 retain_after_close

> I'll play around though.

You need it for pam_afs_session as well.  Try running with debug set for
both and make sure that syslog says that it's not deleting tickets and
tokens during the logout.

-- 
Russ Allbery (r...@stanford.edu) 


Re: [OpenAFS] screen loses tokens - Solaris 10

2011-08-15 Thread Jeff Blaine

On 8/15/2011 3:34 PM, Russ Allbery wrote:
> Jeff Blaine writes:
>
>> How might I go about debugging this?  This happens on a host with
>> Generic_142900-03 but not on a host with Generic_144488-17 (nor ever on
>> this latter host at any patch rev -- I have been using/resuming screen
>> on it for years).
>
>> 1. Connect to host with PuTTY
>> 2. Confirm krb5 creds and tokens gotten from PAM
>> 3. Start screen
>> 4. Confirm krb5 creds and tokens in screen shell
>> 5. Close PuTTY, "Yes, disconnect"
>> 6. Connect to host with PuTTY
>> 7. Confirm krb5 creds and tokens gotten from PAM
>> 8. Resume screen session
>> 9. Tokens and krb5 creds in screen shell are gone
>
> When you log out of the session from which you started screen, PAM will
> destroy your AFS tokens.  If you don't want PAM to destroy AFS tokens on
> session close, you need to give the retain_after_close option to
> pam-afs-session and pam-krb5.


Thanks Russ (and Kevin!).  Both hosts are using that option.

Identical /etc/pam.conf and /etc/krb5.conf files on both
the working and failing hosts.

login session optional pam_krb5RA.so minimum_uid=92 retain_after_close

I'll play around though.


Re: [OpenAFS] screen loses tokens - Solaris 10

2011-08-15 Thread Kevin Hildebrand


Sorry, should have mentioned, those are in the section of krb5.conf 
labeled:  [appdefaults]


Kevin


On Mon, 15 Aug 2011, Kevin Hildebrand wrote:

> We had problems with tokens disappearing until I added:
>
>    pam = {
>    retain_after_close = true
>    }
>
>    pam-afs-session = {
>    retain_after_close = true
>    }
>
> to /etc/krb5.conf.
>
> Kevin
>
> On Mon, 15 Aug 2011, Jeff Blaine wrote:
>
>> How might I go about debugging this?  This happens
>> on a host with Generic_142900-03 but not on a host
>> with Generic_144488-17 (nor ever on this latter host
>> at any patch rev -- I have been using/resuming screen
>> on it for years).
>>
>> 1. Connect to host with PuTTY
>> 2. Confirm krb5 creds and tokens gotten from PAM
>> 3. Start screen
>> 4. Confirm krb5 creds and tokens in screen shell
>> 5. Close PuTTY, "Yes, disconnect"
>> 6. Connect to host with PuTTY
>> 7. Confirm krb5 creds and tokens gotten from PAM
>> 8. Resume screen session
>> 9. Tokens and krb5 creds in screen shell are gone
>>
>> Common
>> ------
>> OpenAFS 1.4.14
>> MIT Kerberos 1.6.3
>> Screen 4.00.02
>> sshd_config
>> pam.conf
>> pam_afs_session
>> pam_krb5RA (Russ Allbery's)
>> No kdestroy in shell dot files
>>
>> Different
>> ---------
>> SunOS faron.our.org 5.10 Generic_142900-03 sun4u sparc SUNW,Sun-Fire-V490
>>
>> SunOS cairo.our.org 5.10 Generic_144488-17 sun4u sparc SUNW,Sun-Fire-280R



Re: [OpenAFS] screen loses tokens - Solaris 10

2011-08-15 Thread Kevin Hildebrand


We had problems with tokens disappearing until I added:

pam = {
retain_after_close = true
}

pam-afs-session = {
retain_after_close = true
}

to /etc/krb5.conf.

Kevin


On Mon, 15 Aug 2011, Jeff Blaine wrote:

> How might I go about debugging this?  This happens
> on a host with Generic_142900-03 but not on a host
> with Generic_144488-17 (nor ever on this latter host
> at any patch rev -- I have been using/resuming screen
> on it for years).
>
> 1. Connect to host with PuTTY
> 2. Confirm krb5 creds and tokens gotten from PAM
> 3. Start screen
> 4. Confirm krb5 creds and tokens in screen shell
> 5. Close PuTTY, "Yes, disconnect"
> 6. Connect to host with PuTTY
> 7. Confirm krb5 creds and tokens gotten from PAM
> 8. Resume screen session
> 9. Tokens and krb5 creds in screen shell are gone
>
> Common
> ------
> OpenAFS 1.4.14
> MIT Kerberos 1.6.3
> Screen 4.00.02
> sshd_config
> pam.conf
> pam_afs_session
> pam_krb5RA (Russ Allbery's)
> No kdestroy in shell dot files
>
> Different
> ---------
> SunOS faron.our.org 5.10 Generic_142900-03 sun4u sparc SUNW,Sun-Fire-V490
>
> SunOS cairo.our.org 5.10 Generic_144488-17 sun4u sparc SUNW,Sun-Fire-280R



Re: [OpenAFS] screen loses tokens - Solaris 10

2011-08-15 Thread Russ Allbery
Jeff Blaine  writes:

> How might I go about debugging this?  This happens on a host with
> Generic_142900-03 but not on a host with Generic_144488-17 (nor ever on
> this latter host at any patch rev -- I have been using/resuming screen
> on it for years).

> 1. Connect to host with PuTTY
> 2. Confirm krb5 creds and tokens gotten from PAM
> 3. Start screen
> 4. Confirm krb5 creds and tokens in screen shell
> 5. Close PuTTY, "Yes, disconnect"
> 6. Connect to host with PuTTY
> 7. Confirm krb5 creds and tokens gotten from PAM
> 8. Resume screen session
> 9. Tokens and krb5 creds in screen shell are gone

When you log out of the session from which you started screen, PAM will
destroy your AFS tokens.  If you don't want PAM to destroy AFS tokens on
session close, you need to give the retain_after_close option to
pam-afs-session and pam-krb5.

Alternately, start screen with krenew -t -- screen, which will create
isolated tickets and tokens for the screen process that are disconnected
from your login session.

-- 
Russ Allbery (r...@stanford.edu) 


[OpenAFS] screen loses tokens - Solaris 10

2011-08-15 Thread Jeff Blaine

How might I go about debugging this?  This happens
on a host with Generic_142900-03 but not on a host
with Generic_144488-17 (nor ever on this latter host
at any patch rev -- I have been using/resuming screen
on it for years).

1. Connect to host with PuTTY
2. Confirm krb5 creds and tokens gotten from PAM
3. Start screen
4. Confirm krb5 creds and tokens in screen shell
5. Close PuTTY, "Yes, disconnect"
6. Connect to host with PuTTY
7. Confirm krb5 creds and tokens gotten from PAM
8. Resume screen session
9. Tokens and krb5 creds in screen shell are gone

Common
------
OpenAFS 1.4.14
MIT Kerberos 1.6.3
Screen 4.00.02
sshd_config
pam.conf
pam_afs_session
pam_krb5RA (Russ Allbery's)
No kdestroy in shell dot files

Different
---------
SunOS faron.our.org 5.10 Generic_142900-03 sun4u sparc SUNW,Sun-Fire-V490

SunOS cairo.our.org 5.10 Generic_144488-17 sun4u sparc SUNW,Sun-Fire-280R
