Why pam and not an auth plugin? Not that pam is necessarily a bad idea.

On Mon, Dec 19, 2011 at 3:51 PM, Dave Botsch <[email protected]> wrote:
> Just to clarify, at the moment, I'm not trying to make it work with ssh.
> I'm working with loginwindow, which makes use of the
> /etc/pam.d/authorization file.
>
> From my initial post, you'll see that pam-afs-session is indeed after
> pam_krb5. You'll also see that the pam-afs-session in the "session"
> section never gets called (some oddity with loginwindow?).
>
> On Mon, Dec 19, 2011 at 12:49:42PM -0800, Russ Allbery wrote:
>> Derrick Brashear <[email protected]> writes:
>>
>> > yeah, that's going to be the issue; the "answer" will either be that
>> > afs_session needs to run after the krb5 module does whichever step
>> > writes out the creds for real, or that it will have to learn how to raid
>> > the temp kcm cache.
>>
>> The setcred step in pam_krb5 should do this, and pam_afs_session is always
>> recommended to be run after pam_krb5 in auth for this reason. Maybe Mac
>> OS X's native pam_krb5 doesn't write the ticket cache out until the
>> session is created? If so, one fix may be to remove pam_afs_session from
>> the auth stack entirely (although this will break with non-interactive
>> ssh).
>>
>> --
>> Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
>>
>
> --
> ********************************
> David William Botsch
> Programmer/Analyst
> CNF Computing
> [email protected]
> ********************************
> _______________________________________________
> OpenAFS-info mailing list
> [email protected]
> https://lists.openafs.org/mailman/listinfo/openafs-info

--
Derrick
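
Added example, not part of the original thread or of any poster's configuration: a small checker for the ordering rule discussed above (pam_afs_session after pam_krb5 in each stack). The sample stack, its module file names and options are constructed assumptions, not the contents of the poster's /etc/pam.d/authorization.

```python
import re

# Constructed sample in pam.d syntax (assumption, not the poster's file).
SAMPLE = """\
# authorization: auth account password session
auth       optional       pam_afs_session.so
auth       [success=ok default=ignore] pam_krb5.so use_first_pass
auth       required       pam_opendirectory.so
account    required       pam_opendirectory.so
session    required       pam_krb5.so
"""

def parse_stack(text):
    """Return {type: [module, ...]} in file order, skipping comments and blanks."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # type, control (simple word or [bracketed list]), module path
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m:
            continue
        kind, _control, module = m.groups()
        # Normalise e.g. /usr/lib/pam/pam-afs-session.so.2 -> pam_afs_session
        name = module.rsplit("/", 1)[-1].split(".", 1)[0].replace("-", "_")
        stacks.setdefault(kind.lower(), []).append(name)
    return stacks

def check_afs_order(text, types=("auth", "session")):
    """List stacks where pam_afs_session is missing or precedes pam_krb5."""
    findings = []
    stacks = parse_stack(text)
    for kind in types:
        mods = stacks.get(kind, [])
        if "pam_afs_session" not in mods:
            findings.append(f"{kind}: pam_afs_session not present")
        elif "pam_krb5" in mods and mods.index("pam_afs_session") < mods.index("pam_krb5"):
            findings.append(f"{kind}: pam_afs_session runs before pam_krb5")
    return findings

if __name__ == "__main__":
    for finding in check_afs_order(SAMPLE):
        print(finding)
```

A clean result only confirms the file order; it cannot show whether the service actually invokes the session stack, which is the separate loginwindow problem raised in the thread.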
