[OpenAFS] Solaris 10 (x86): pam_afs_session
Russ Allbery
rra@stanford.edu
Tue, 26 Feb 2008 12:52:37 -0800

"Douglas E. Engert" <deengert@anl.gov> writes:
> Russ Allbery wrote:
>> Unless you use the always_aklog option, pam_afs_session will do nothing
>> unless KRB5CCNAME is set, precisely to avoid picking up old ticket
>> caches like this using the default ticket cache name.
> Turns out with the Solaris 10 pam_krb5, KRB5CCNAME is set.
>
> For testing I used a script in place of program=aklog, to dump the args,
> environment, uid, gid, pid, ppid and groups and tokens before calling
> aklog.

Oh, right, I remember this now. It sets KRB5CCNAME before it writes out
the ticket cache. Sigh.

Okay, I'll also add to the documentation that pam_afs_session should not
be run from the session stack on Solaris, only the auth stack.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
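
The following is an added example, not part of the original thread and not code from either poster: a diagnostic wrapper of the kind described above, to be named in `program=` in place of aklog, which also records whether the cache that KRB5CCNAME points to has actually been written yet. The `AKLOG` and `LOG` paths, the function names and the `aklog-wrapper` file name are assumptions; on Solaris 10 run it under `/usr/xpg4/bin/sh` or ksh, since the legacy `/bin/sh` lacks the `${var#prefix}` expansion used here.

```shell
#!/bin/sh
# Diagnostic wrapper for pam_afs_session's program= option (added example).
AKLOG=${AKLOG:-/usr/bin/aklog}            # assumed path to the real aklog
LOG=${LOG:-/var/tmp/aklog-wrapper.log}    # assumed log location

# Classify the ticket cache named by a KRB5CCNAME value.
# Prints: unset | present | missing (absent or empty file) | non-file
ccache_state() {
    cc=$1
    [ -n "$cc" ] || { echo unset; return; }
    case $cc in
        FILE:*) path=${cc#FILE:} ;;
        /*)     path=$cc ;;            # bare path, treated as a file cache
        *)      echo non-file; return ;;
    esac
    if [ -s "$path" ]; then echo present; else echo missing; fi
}

# Record who is calling, with what environment, and the current AFS tokens.
dump_context() {
    echo "== $(date) pid=$$ ppid=$PPID"
    echo "args: $*"
    echo "id: $(id -a 2>/dev/null || id)"
    echo "KRB5CCNAME=${KRB5CCNAME:-} state=$(ccache_state "${KRB5CCNAME:-}")"
    env | sort
    if command -v tokens >/dev/null 2>&1; then tokens 2>&1; fi
}

main() {
    umask 077                          # the dump contains the PAM environment
    dump_context "$@" >>"$LOG" 2>&1
    exec "$AKLOG" "$@"
}

# Run only when installed under the (hypothetical) name aklog-wrapper, so the
# functions above can also be sourced and exercised on their own.
case ${0##*/} in
    aklog-wrapper*) main "$@" ;;
esac
```

A logged `state=missing` alongside a non-empty KRB5CCNAME is the situation described in the thread: the variable is set, but no ticket cache has been written at the point the module runs.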