Just to clarify, at the moment, I'm not trying to make it work with ssh. I'm working with loginwindow, which makes use of the /etc/pam.d/authorization file .
>From my initial post, you'll see that pam-afs-session is indeed after pam_krb5 . You'll also see that the pam-afs-session in the "session" section never gets called (some oddity with loginwindow?). On Mon, Dec 19, 2011 at 12:49:42PM -0800, Russ Allbery wrote: > Derrick Brashear <[email protected]> writes: > > > yeah, that's going to be the issue; the "answer" will either be that > > afs_session needs to run after the krb5 module does whichever step > > writes out the creds for real, or that it will have to learn how to raid > > the temp kcm cache. > > The setcred step in pam_krb5 should do this, and pam_afs_session is always > recommended to be run after pam_krb5 in auth for this reason. Maybe Mac > OS X's native pam_krb5 doesn't write the ticket cache out until the > session is created? If so, one fix may be to remove pam_afs_session from > the auth stack entirely (although this will break with non-interactive > ssh). > > -- > Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/> > -- ******************************** David William Botsch Programmer/Analyst CNF Computing [email protected] ******************************** _______________________________________________ OpenAFS-info mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-info
