On 12/16/2009 10:24 PM, Russ Allbery wrote:
> Jeff Blaine<[email protected]> writes:
>
>> Yup, they're there, just no tokens. I even tried a pam_krb5RA2.so and
>> pam_afs_session2.so built against the Sun kerberos instead of our local
>> MIT kerberos for kicks. Same result.
>
>> ~:faron> kdestroy
>> ~:faron> logout
>> Connection to faron closed.
>> ~:cairo> /usr/bin/ssh -o "GSSAPIDelegateCredentials yes" faron
>> ~:faron> klist
>> Ticket cache: FILE:/tmp/krb5cc_26560
>> Default principal: [email protected]
>
>> Valid starting     Expires            Service principal
>> 12/16/09 22:18:51  12/23/09 19:05:33  krbtgt/[email protected]
>>         renew until 12/23/09 19:05:33
>
>> Kerberos 4 ticket cache: /tmp/tkt26560
>> klist: You have no tickets cached
>> ~:faron>
>
> Oh, right, I remember this problem now. This is why Douglas has another
> PAM module that does nothing except set KRB5CCNAME in the environment for
> use on Solaris. Solaris uses the default UID-based ticket cache and hence
> doesn't set KRB5CCNAME in the environment.
>
> Try adding always_aklog to the pam_afs_session configuration.

Bingo. That worked.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
