Re: Problem with AFS token and sudo in Jessie
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dear all,
I did some tests and got some additional information on the problem:
The token disappears also with the latest
openafs-{krb5,client,modules-dkms} from experimental. I did a test
setup with a clean jessie and upgraded it to unstable, followed by the
installation of said packages from experimental (version 1.6.11~pre1-1).
In addition, it seems the token only disappears when the
Kerberos-username is identical with the Unix username. When I use a
different account (testuser) and get the kerberos token (and AFS token
with aklog) for "kerberosuser" (testuser@sid: kinit kerberosuser), I
can use sudo without affecting the AFS token.
Could it be possibly be something with the PAM stack? I attached the
config files. The only change done to this files after installation
was a change in the minimum_uids.
Also, has anyone a suggestion if I should file a bug for this and if
yes, for which package? I still got no real feeling for where this
comes from, but it makes the use of such systems (sudo@openAFS and
Kerberos) quite annoying.
Best regards,
Christoph Schober
- --
Christoph Schober
GnuPG key Id 0x3B6914EB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJUkp9uAAoJENHdu+iSulRgwooQAKUg8/jFuI8MrnHCRNKMrZcT
Bs7g8jsThbOgiJ1/xhI/j1lR0yYz1JqjJasBmL6cXTGLw8y4LHjpsKDPGWN9xVxn
IfvttKH0RDXuEMqCubh3mkG61Gkz1aL4N5n0nuHXQAw6iFf0YaOhJN0vnjNVv6QL
rdMJzBJvbKq7vmYJJ8DK0eQp69JsxANDPEhqeC8Nz8kcgjER+dnMKG25Db7Y7EAk
XjcNEldejZhpIHK5JMxaFx84ExqFuTcw4Vdfmu9V+COlh3zNVH1rJMUW+Hs2SddO
qsAePrl9WYdEaLL4F++ds8/GfDyd4gLxMDdgZAuywN/C0/IR0qM2URGrzxRhgZvy
fBLAS7SROiEFLdlPUCol95KINxblH62jEEd7zNeZIJK5V2nqLiOs93Gffcpdyelz
suJ1FURGjMgk5U/9/CxKG3Hl6CUbnGz98vt4pqoOi7iciz87O7iKa7cIEK7U5nw4
u+AmHfSzyD093GzU8QCv+YmUBUHMsa7nswCxURm3fVR92F9h6VFP+sbV7JwM+psA
tdPDtf4A9YajNSuAU6ReVRrmRXArpLZi7bE+ola81rm7SiaiIJ+poX8/LCXSZPEu
e8VBibEfsvdkBXAhGyeElXsWzWQTtDO4I6/9sPy7td603fYIte0rqtsv6wc7Je2x
z6A1mudFeVmymfU57yuL
=fusu
-----END PGP SIGNATURE-----
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required pam_krb5.so minimum_uid=500
account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=500
# end of pam-auth-update config
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=3 default=ignore] pam_krb5.so minimum_uid=500
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass minimum_uid=500
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_afs_session.so
# end of pam-auth-update config
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix.
# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords. Without this option,
# the default is Unix crypt. Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
password [success=3 default=ignore] pam_krb5.so minimum_uid=500
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_ldap.so try_first_pass minimum_uid=500
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional pam_krb5.so minimum_uid=500
session required pam_unix.so
session [success=ok default=ignore] pam_ldap.so minimum_uid=500
session optional pam_afs_session.so
# end of pam-auth-update config
#%PAM-1.0
@include common-auth
@include common-account
@include common-session-noninteractive
Reply to: