[OpenAFS] Solaris 10 (x86): pam_afs_session
Tue, 26 Feb 2008 12:43:57 -0800
"Douglas E. Engert" <email@example.com> writes:
> Doing some debugging on Solaris 10 (sparc), I think *ONE* problem is in
> the pam_afs_session where it uses WIFEXITED. I think it should use both
> WIFEXITED(result) && WEXITSTATUS(result) == 0
Oh, ugh, yes. You're entirely correct.
> The other problem is with Solaris 10. With the pam_krb5 and dtlogin
> force the use of a user based cache i.e. krb5cc_%uid, if pam_afs_session
> is called for a pam_open_session, it might find the previous contents of
> a cache, as pam_setcred has not been called to store the cred, which
> might result in a very short token lifetime.
Unless you use the always_aklog option, pam_afs_session will do nothing
unless KRB5CCNAME is set, precisely to avoid picking up old ticket caches
like this using the default ticket cache name.
Russ Allbery (firstname.lastname@example.org) <http://www.eyrie.org/~eagle/>
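
The WIFEXITED point discussed above, as an added example that is not part of the original thread and is not pam_afs_session's code: a child that exits non-zero still satisfies WIFEXITED, so only the combined check reports failure. The helper names and the three child cases are constructed for illustration.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: run a child that exits with `code`, or kills itself
 * with SIGKILL when `code` is negative. Returns 0 and fills *status on
 * success, -1 if fork() or waitpid() failed. */
static int run_child(int code, int *status)
{
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (code < 0)
            kill(getpid(), SIGKILL);
        _exit(code);
    }
    return waitpid(pid, status, 0) == pid ? 0 : -1;
}

/* Check using WIFEXITED alone: any normal exit counts as success. */
static int ok_exited_only(int code)
{
    int status;

    return run_child(code, &status) == 0 && WIFEXITED(status) != 0;
}

/* Check proposed in the thread: normal exit and exit status 0. */
static int ok_exited_zero(int code)
{
    int status;

    return run_child(code, &status) == 0
        && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    int codes[] = { 0, 1, -1 };   /* constructed cases: ok, failure, killed */

    for (size_t i = 0; i < sizeof(codes) / sizeof(codes[0]); i++)
        printf("child %2d: WIFEXITED only=%d, with WEXITSTATUS=%d\n",
               codes[i], ok_exited_only(codes[i]), ok_exited_zero(codes[i]));
    return 0;
}
```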