Erik Dalén <erik.da...@jadestone.se> writes:

> /etc/pam.d/common-session
> # here are the per-package modules (the "Primary" block)
> session [default=1]                     pam_permit.so
> # here's the fallback if no module succeeds
> session requisite                       pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> session required                        pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> session optional                        pam_krb5.so minimum_uid=1000
> session required        pam_unix.so
> session optional                        pam_afs_session.so
> # end of pam-auth-update config

> And in /etc/sudoers.d I have a file that specifies:
> %wheel  ALL=(ALL)       NOPASSWD: ALL

> and I am a member of group 'wheel'.

Sorry about the delay in getting back to you about this.  I finally got a
chance to look at this in more depth.

After doing some testing, I think the common-auth configuration is a red
herring, and the root of the problem was that pam-afs-session didn't think
that Kerberos had been used as a login method and therefore didn't run
aklog.  Since your sudoers configuration file includes NOPASSWD, you
wouldn't have to do a Kerberos authentication when you sudo, which means
that pam-krb5 is not run and doesn't create KRB5CCNAME in the PAM
environment.  (Although I'm a little confused how this ever worked even
when adding pam-afs-session to a different section of the auth
configuration, since it looks to me like the problem should have affected
pam-afs-session run in that fashion as well.)

The next version of pam-afs-session will fall back on KRB5CCNAME in the
general environment if it is set and KRB5CCNAME is not set in the PAM
environment.  In my testing, this resolved the problem with this
configuration.  The Debian bug tracking system will let you know when I
upload the new package, and testing would be very welcome.  Please do let
me know if this doesn't work.  Alternately, if you want to try the current
development source right away, it's available from my Git repository
linked from:

    http://www.eyrie.org/~eagle/software/pam-afs-session/

-- 
Russ Allbery (r...@debian.org)               <http://www.eyrie.org/~eagle/>
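
The lookup order described in the reply above, as an added example that is not part of the original message and is not pam-afs-session's own source. The helper names and the sample values are hypothetical, and the PAM environment is modelled as the NAME=value list that pam_getenvlist() returns so the block builds without libpam.

```c
#define _POSIX_C_SOURCE 200809L   /* for setenv() in the demo */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Look up name in a NULL-terminated "NAME=value" list, the shape that
 * pam_getenvlist() returns.  Returns the value, or NULL if absent. */
static const char *
envlist_get(char *const *list, const char *name)
{
    size_t len = strlen(name);

    for (; list != NULL && *list != NULL; list++)
        if (strncmp(*list, name, len) == 0 && (*list)[len] == '=')
            return *list + len + 1;
    return NULL;
}

/* Hypothetical helper: pick the ticket cache for the session.  A value in
 * the PAM environment wins; the process environment is only a fallback.
 * Empty values count as unset.  Returns NULL if neither is set. */
const char *
find_ccname(char *const *pam_env)
{
    const char *cache = envlist_get(pam_env, "KRB5CCNAME");

    if (cache == NULL || *cache == '\0')
        cache = getenv("KRB5CCNAME");
    return (cache != NULL && *cache != '\0') ? cache : NULL;
}

int
main(void)
{
    /* Constructed sample: the NOPASSWD sudo case, where pam-krb5 never ran
     * and so the PAM environment has no KRB5CCNAME. */
    char *pam_env[] = { "USER=alice", NULL };
    const char *cache;

    setenv("KRB5CCNAME", "FILE:/tmp/krb5cc_constructed", 1);
    cache = find_ccname(pam_env);
    printf("cache: %s\n", cache != NULL ? cache : "(none, skip aklog)");
    return 0;
}
```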


