Bug in kinit and afslog



Hi,

when I obtain an AFS token from my account (alfw; UID 5828) for an account
with a different Unix UID (vanilla; UID 1820), the resulting AFS token has
the wrong UID stored in it (my own instead of vanilla's) even though the 
credential in that token belongs to the other account.

Here is how to reproduce it:

# /opt/heimdal-1.0/bin/kinit vanilla
vanilla@SLAC.STANFORD.EDU's Password:
# /opt/heimdal-1.0/bin/klist
Credentials cache: FILE:/tmp/krb5cc_3yHsKP
         Principal: vanilla@SLAC.STANFORD.EDU

   Issued           Expires          Principal
Aug  1 09:42:30  Aug  2 10:42:30  krbtgt/SLAC.STANFORD.EDU@SLAC.STANFORD.EDU
Aug  1 09:42:31  Aug  2 10:42:30  afs@SLAC.STANFORD.EDU
# tokens

Tokens held by the Cache Manager:

User's (AFS ID 5828) tokens for afs@slac.stanford.edu [Expires Aug  2 10:42]
    --End of list--


When I use this AFS token to access an AFS directory accessible to account
alfw (uid 5828), I get a permission denied. If I access an AFS directory
accessible to vanilla (uid 1820) it works.

This mislabeling does not happen when I use OpenAFS' aklog to get a
token out of the existing ticket:

# /usr/afsws-1.4.4/bin/aklog
# tokens

Tokens held by the Cache Manager:

User's (AFS ID 1820) tokens for afs@slac.stanford.edu [Expires Aug  2 10:42]
    --End of list--


This is on Linux (RHEL 4 and FC6).

-- Alf.

-----------------------------------------------------------------------
   Alf Wachsmann                       | e-mail: alfw@slac.stanford.edu
   SLAC - Scientific Computing         | Phone:  +1-650-926-4802
   2575 Sand Hill Road, M/S 97         | FAX:    +1-650-926-3329
   Menlo Park, CA 94025, USA           | Office: Bldg. 50/323
-----------------------------------------------------------------------
                 http://www.slac.stanford.edu/~alfw (PGP)
-----------------------------------------------------------------------