I'm using pam_afs_session (v1.4) on Solaris 10 (x86 Generic_120012-14) and have an interesting problem: the screen login system starts the session before it does the authentication. I have the Sun-provided pam_krb5 in the pam stack for auth, but it gets called AFTER pam_afs_session has tried to get an AFS token (verified using truss). The workaround is to log on twice: the first time fails because it doesn't get a token, but it does get the krb5 TGT. Then the second time, it picks up the *old* TGT and gets an AFS token.
What's even more interesting is that the vendor-supplied sshd does the "correct" thing: gets the TGT before calling pam_afs_session. It seems then that the bug is with the Solaris screen login system, not with pam_afs_session. Here's the relevant part of pam.conf:

    # ...
    #
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    #
    other   auth requisite          pam_authtok_get.so.1
    other   auth required           pam_dhkeys.so.1
    other   auth required           pam_unix_cred.so.1
    other   auth sufficient         pam_krb5.so.1 debug
    other   auth required           pam_unix_auth.so.1
    #
    # ...
    #
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    #
    other   session required        pam_unix_session.so.1
    other   session required        pam_afs_session.so always_aklog
    #

The only entries that don't use the "other" "auth" line are krlogin, rsh, krsh, ktelnet, passwd, none of which I use. The "session" lines above are the only ones for "session" in pam.conf.

John

_______________________________________________
OpenAFS-info mailing list
https://lists.openafs.org/mailman/listinfo/openafs-info

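A small check a reader can run against a pam.conf like the one in the post: it resolves the effective auth and session stacks for a service (falling back to the "other" entries the way Solaris does) and reports whether pam_afs_session is paired with pam_krb5 in auth, i.e. whether a TGT can exist for aklog to use, assuming the application calls auth before session. This is an added example, not code from the post or from the pam_afs_session project; the "rsh" line is constructed to show the fallback behaviour.

```python
"""Resolve effective PAM stacks from a Solaris-style pam.conf.

Solaris pam.conf lines read: service type control module [options].
A service with no entry for a given type uses the 'other' entries.
"""
from collections import defaultdict

# Constructed from the pam.conf fragment quoted above (comments trimmed);
# the 'rsh' line is a constructed service-specific auth entry.
SAMPLE_PAM_CONF = """
# Default definitions for Authentication management
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1 debug
other auth required pam_unix_auth.so.1
# Default definition for Session management
other session required pam_unix_session.so.1
other session required pam_afs_session.so always_aklog
# Service with its own auth stack (constructed, to show the fallback rule)
rsh auth sufficient pam_rhosts_auth.so.1
"""

def parse_pam_conf(text):
    """Return {service: {type: [(control, module, [options...])]}}."""
    stacks = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, control, module = fields[:4]
        stacks[service][mtype].append((control, module, fields[4:]))
    return stacks

def effective_stack(stacks, service, mtype):
    """Solaris rule: no entries of this type for the service -> use 'other'."""
    if stacks.get(service, {}).get(mtype):
        return stacks[service][mtype]
    return stacks.get("other", {}).get(mtype, [])

def afs_session_has_krb5_auth(stacks, service):
    """True when pam_afs_session is in the session stack AND pam_krb5 is in
    the auth stack, so a TGT can be present when aklog runs (given that the
    application actually runs auth before session)."""
    session_mods = [m for _, m, _ in effective_stack(stacks, service, "session")]
    auth_mods = [m for _, m, _ in effective_stack(stacks, service, "auth")]
    uses_afs = any(m.startswith("pam_afs_session") for m in session_mods)
    has_krb5 = any(m.startswith("pam_krb5") for m in auth_mods)
    return uses_afs and has_krb5
```

A service that carries its own auth entries without pam_krb5 (the constructed rsh line) still inherits the "other" session stack and therefore runs pam_afs_session with no TGT to convert, which the check flags as False.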