Hi Dave, > What does your pam config file for the screensaver look like? the gnome-screensaver pam config file:
@include common-auth auth optional pam_gnome_keyring.so common-auth config file: auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000 auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass auth [success=1 default=ignore] pam_sss.so use_first_pass # here's the fallback if no module succeeds auth requisite pam_deny.so debug # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around auth required pam_permit.so # and here are more per-package modules (the "Additional" block) auth optional pam_afs_session.so auth optional pam_cap.so # end of pam-auth-update config pam_afs_session is configured as optional and without always_aklog ... On Ubuntu 16.04 , AFS 1.6.20 from ppa, kernel 4.4, it is fine. Same pam config like in this post for ubuntu 16.10. > > On Thu, Mar 30, 2017 at 03:53:24PM +0200, Andreas Ladanyi wrote: >> Hi guys, >> >> i tested: >> >> Ubuntu 16.10, Gnome, Kernel 4.8 >> >> current OpenAFS 1.6.20 from ppa. >> >> After relogin from screensaver dialog the kerberos tgt and afs service >> ticket are renewed but the afs token isnt renewed. There is no >> "always_aklog" flag at pam_afs_session.so line in pam common-auth file. >> >> If i try this relogin procedure with OpenAFS 1.6.18 from the distri repo >> the afs token is also renewed. >> >> >> regards, >> >> Andreas >> >> > >
smime.p7s
Description: S/MIME Cryptographic Signature
