[OpenAFS] issue with Fedora 8 and retaining tokens after graphical login

Simon Wilkinson sxw@inf.ed.ac.uk
Sat, 24 Nov 2007 19:46:52 +0000

On 24 Nov 2007, at 15:02, Andrew Cobaugh wrote:

> In the past (up until Fedora 8), afs has always Just Worked. The
> supplied pam_krb5 was able to obtain a tgt and tokens, both with sshd
> and when logging in through things like gdm.

We've always used either pam_afs2 or pam_afs_session to handle AFS  
tokens, so I can't comment directly on the RedHat pam_krb5 module.

One common problem, however, is if you are calling pam_keyinit in the  
session layer. This resets the default keyring, losing any tokens  
that an auth stack module has inserted into the keyring during the  
authenticate operation. I don't know enough about how the RedHat  
module works to say if it can work around this - but I'd strongly  
suggest that you look at Russ's pam_krb5 and pam_afs_session modules  
(available from http://www.eyrie.org/) which will do the right thing  
in this, and many other, cases.