Bug 157109 - [PATCH] pam_krb5 does not properly determine the name of the local AFS cell
Summary: [PATCH] pam_krb5 does not properly determine the name of the local AFS cell
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam_krb5   
(Show other bugs)
Version: 4.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
URL: http://www-personal.engin.umich.edu/~...
Whiteboard:
Keywords: Patch
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-05-06 21:44 UTC by wingc
Modified: 2010-02-12 18:28 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-02-12 18:28:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
use VIOC_GET_WS_CELL to obtain the name of the local cell (2.41 KB, patch)
2005-05-06 21:44 UTC, wingc
no flags Details | Diff

Description wingc 2005-05-06 21:44:45 UTC
Created attachment 114102 [details]
use VIOC_GET_WS_CELL to obtain the name of the local cell

Comment 1 wingc 2005-05-06 21:44:45 UTC
Description of problem:

pam_krb5 is using the VIOC_FILE_CELL_NAME pioctl to determine the name of the
local cell. It is basically doing the equivalent of:

    fs whichcell /afs

(using the 'fs' command from AFS). This is wrong in the case where the
workstation is using the dynamic root feature of OpenAFS. When -dynroot is
enabled the name of the cell containing /afs is 'dynroot'. The actual "local
cell" of the workstation may differ from the name of the cell containing the
root of /afs; in OpenAFS, for instance, the local cell name is configured in the
file /usr/vice/etc/ThisCell.

Fortunately, we don't need to know where a particular AFS client's configuration
files are located. There is a standard pioctl interface for determining the name
of the local cell, VIOC_GET_WS_CELL. pam_krb5 should use this instead and then
it will work properly when dynamic root is enabled.

Version-Release number of selected component (if applicable):

Tested on RHEL4, pam_krb5-2.1.2-1

How reproducible:

Always.

Steps to Reproduce:
1. Enable -dynroot in OpenAFS. (current OpenAFS releases enable it by default)
2. Try to log in using pam_krb5afs. (with home directory in /afs)

Actual results:

pam_krb5afs attempts to get tokens in a cell named 'dynroot', not your actual
local cell.

Expected results:

pam_krb5afs should attempt to get tokens for the workstation's local cell. (as
configured in /usr/vice/etc/ThisCell on OpenAFS, etc)

Additional info:

A patch to fix this problem is available at:

http://www-personal.engin.umich.edu/~wingc/patches/pam_krb5/pam_krb5-2.1.2-wscell.patch

Comment 2 Nalin Dahyabhai 2010-02-12 18:28:45 UTC
This was incorporated into 2.1.6.  Closing.


Note You need to log in before you can comment on or make changes to this bug.