Bug 157109 - [PATCH] pam_krb5 does not properly determine the name of the local AFS cell
[PATCH] pam_krb5 does not properly determine the name of the local AFS cell
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam_krb5 (Show other bugs)
4.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
http://www-personal.engin.umich.edu/~...
: Patch
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-05-06 17:44 EDT by wingc
Modified: 2010-02-12 13:28 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-02-12 13:28:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
use VIOC_GET_WS_CELL to obtain the name of the local cell (2.41 KB, patch)
2005-05-06 17:44 EDT, wingc
no flags Details | Diff

  None (edit)
Description wingc 2005-05-06 17:44:45 EDT
Created attachment 114102 [details]
use VIOC_GET_WS_CELL to obtain the name of the local cell
Comment 1 wingc 2005-05-06 17:44:45 EDT
Description of problem:

pam_krb5 is using the VIOC_FILE_CELL_NAME pioctl to determine the name of the
local cell. It is basically doing the equivalent of:

    fs whichcell /afs

(using the 'fs' command from AFS). This is wrong in the case where the
workstation is using the dynamic root feature of OpenAFS. When -dynroot is
enabled the name of the cell containing /afs is 'dynroot'. The actual "local
cell" of the workstation may differ from the name of the cell containing the
root of /afs; in OpenAFS, for instance, the local cell name is configured in the
file /usr/vice/etc/ThisCell.

Fortunately, we don't need to know where a particular AFS client's configuration
files are located. There is a standard pioctl interface for determining the name
of the local cell, VIOC_GET_WS_CELL. pam_krb5 should use this instead and then
it will work properly when dynamic root is enabled.

Version-Release number of selected component (if applicable):

Tested on RHEL4, pam_krb5-2.1.2-1

How reproducible:

Always.

Steps to Reproduce:
1. Enable -dynroot in OpenAFS. (current OpenAFS releases enable it by default)
2. Try to log in using pam_krb5afs. (with home directory in /afs)

Actual results:

pam_krb5afs attempts to get tokens in a cell named 'dynroot', not your actual
local cell.

Expected results:

pam_krb5afs should attempt to get tokens for the workstation's local cell. (as
configured in /usr/vice/etc/ThisCell on OpenAFS, etc)

Additional info:

A patch to fix this problem is available at:

http://www-personal.engin.umich.edu/~wingc/patches/pam_krb5/pam_krb5-2.1.2-wscell.patch
Comment 2 Nalin Dahyabhai 2010-02-12 13:28:45 EST
This was incorporated into 2.1.6.  Closing.

Note You need to log in before you can comment on or make changes to this bug.