Russ Allbery wrote:
> "Douglas E. Engert" <[EMAIL PROTECTED]> writes:
>> Russ Allbery wrote:
>>> Unless you use the always_aklog option, pam_afs_session will do nothing
>>> unless KRB5CCNAME is set, precisely to avoid picking up old ticket
>>> caches like this using the default ticket cache name.
>> Turns out with the Solaris 10 pam_krb5, KRB5CCNAME is set.
>> For testing I used a script in place of program=aklog, to dump the args,
>> environment, uid, gid, pid, ppid and groups and tokens before calling
>> aklog.
> Oh, right, I remember this now. It sets KRB5CCNAME before it writes out
> the ticket cache. Sigh.
> Okay, I'll also add to the documentation that pam_afs_session should not
> be run from the session stack on Solaris, only the auth stack.
Except for the PAM service of ssh-gssapi, it should be run in session,
as there is no PAM auth.
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444