[OpenAFS] pam with krb5 + openafs

David Miller D.P.Miller@lse.ac.uk
Thu, 20 May 2004 15:02:53 +0100


>Does it have to be the screen locker? While it would be fairly natural
>for the PAM module to get a new TGT on unlock if the previous one has
>expired, or even if it hasn't, for simple "kinit -R" one could have a
>separate background daemon (started from the user's .gnomerc or what
>not, within the PAG created by the login process). Just sleep a few
>hours, wake up, kinit -R, go back to sleep if successful, exit if no
>valid TGT. Throw in an aklog invocation too, if you're using the MIT
>client-side tools; Heimdal kinit has afslog built in. The same script
>can be used in long-running batch jobs etc.
>  
>
hmm.. that's a pretty good idea.
a gnome/kde panel applet would be even better.
asks for passwd when ticket expires

quick google turned this up:
http://quackerhead.com/~duff/ticket_applet-2/
it works reasonably well, doesn't seem to support renewable tickets.
and doesn't ask for passwd on expired tickets

>I've had good success on Debian woody with the pam_krb5 from
>sourceforge.net (the June 2003 snapshot, which identifies itself
>internally as 1.3-rc8). Linked against Heimdal rather than MIT;
>that's not a problem in woody as long as you have no library conflicts
>(don't try to mix MIT and Heimdal libs in the same process in Debian
>woody; the problem should have been taken care of for sarge, although
>I haven't actually tested it).
>  
>
okay, I'll try and build it on a machine with nothing but heimdal 
libs/headers installed
where did you get krbafs from ?
the configure from pam_krb5 (from sf.net) never picks up my krbafs, 
which is needed for the afs token fetching stuff.
the 'configure --help' makes reference to a 'hacked krbafs'
any ideas ?
as the sf.net pam_krb5 modules seem to be a lot better.

thanks a lot for the help.
David
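
The renewal loop described in the quoted reply above (sleep, `kinit -R`, `aklog`, exit when there is no valid TGT), as an added example that is not part of the original message or of any OpenAFS or Kerberos distribution. The overridable command names, the `--daemon` switch, the four-hour interval, `MAX_ROUNDS` and the use of `klist -s` as the validity check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): TGT / AFS token renewal loop.
# Start it inside the login PAG, e.g. from ~/.gnomerc; it never handles a password.
KINIT=${KINIT:-kinit}
KLIST=${KLIST:-klist}
AKLOG=${AKLOG:-aklog}                    # Heimdal kinit has afslog built in: set AKLOG=true
RENEW_INTERVAL=${RENEW_INTERVAL:-14400}  # seconds, assumed value for "a few hours"
MAX_ROUNDS=${MAX_ROUNDS:-0}              # 0 = unlimited; non-zero bounds the loop (testing)

log() { printf '%s krenew: %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >&2; }

# One wake-up. Returns 0 = TGT renewed and AFS token refreshed,
# 1 = no valid TGT or renewal refused (the loop must stop),
# 2 = TGT renewed but the token fetch failed (try again next round).
# Assumption: "klist -s" prints nothing and reports cache validity by exit status.
renew_once() {
    "$KLIST" -s || { log "no valid TGT in the credential cache"; return 1; }
    "$KINIT" -R || { log "kinit -R failed (renewable lifetime used up?)"; return 1; }
    "$AKLOG"    || { log "aklog failed, AFS token not refreshed"; return 2; }
    return 0
}

# Sleep, renew, repeat. Returns 1 as soon as there is no valid TGT left;
# ROUNDS holds the number of successful renewals.
renew_loop() {
    ROUNDS=0
    while :; do
        sleep "$RENEW_INTERVAL"
        rc=0; renew_once || rc=$?
        if [ "$rc" -eq 1 ]; then return 1; fi
        ROUNDS=$((ROUNDS + 1))
        if [ "$MAX_ROUNDS" -gt 0 ] && [ "$ROUNDS" -ge "$MAX_ROUNDS" ]; then return 0; fi
    done
}

# Only loop when asked to, so the file can also be sourced for its functions.
if [ "${1:-}" = "--daemon" ]; then
    renew_loop || log "no valid TGT left after $ROUNDS renewals, exiting"
fi
```

Because the loop exits instead of prompting, a session whose ticket has passed its renewable lifetime still needs a fresh `kinit` (or the PAM module on unlock) to get a new TGT.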