[OpenAFS] Solaris 10 (x86): pam_afs_session
Douglas E. Engert
deengert@anl.gov
Tue, 26 Feb 2008 15:55:39 -0600
Russ Allbery wrote:
> "Douglas E. Engert" <deengert@anl.gov> writes:
>> Russ Allbery wrote:
>
>>> Unless you use the always_aklog option, pam_afs_session will do nothing
>>> unless KRB5CCNAME is set, precisely to avoid picking up old ticket
>>> caches like this using the default ticket cache name.
>
>> Turns out with the Solaris 10 pam_krb5, KRB5CCNAME is set.
>>
>> For testing I used a script in place of program=aklog, to dump the args,
>> environment, uid, gid, pid, ppid and groups and tokens before calling
>> aklog.
>
> Oh, right, I remember this now. It sets KRB5CCNAME before it writes out
> the ticket cache. Sigh.
>
> Okay, I'll also add to the documentation that pam_afs_session should not
> be run from the session stack on Solaris, only the auth stack.
Except for the PAM service of ssh-gssapi, it should be run in session,
as there is no PAM auth.
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
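
A diagnostic wrapper of the kind described in the message above, as an added example that is not part of the original thread or of pam_afs_session itself: it logs the calling context and reports whether the cache named by KRB5CCNAME has been written yet, then runs aklog. The script name `aklog-wrap`, the log path, the `AKLOG` override and the `ccache_state` helper are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: diagnostic stand-in for program=aklog (test systems only;
# the log contains the full environment). Names and paths are assumptions.

LOG="${AKLOG_WRAP_LOG:-/var/tmp/aklog-wrap.log}"   # hypothetical log location
AKLOG="${AKLOG:-aklog}"                            # real aklog to run afterwards

# Classify the ticket cache named by a KRB5CCNAME value:
#   unset   - no value given
#   other   - non-file cache type (e.g. MEMORY:), cannot be checked on disk
#   missing - name is set but the file has not been written yet
#   empty   - file exists but has no contents
#   present - file exists and is non-empty
ccache_state() {
    cc="${1-}"
    [ -n "$cc" ] || { echo unset; return; }
    case "$cc" in
        FILE:*) path="${cc#FILE:}" ;;
        *:*)    echo other; return ;;
        *)      path="$cc" ;;
    esac
    if [ ! -e "$path" ]; then echo missing
    elif [ ! -s "$path" ]; then echo empty
    else echo present
    fi
}

# Log args, ids, environment and current tokens, then hand over to aklog.
wrap_aklog() {
    umask 077
    {
        echo "=== $(date) pid=$$ ppid=$PPID args: $*"
        id
        echo "KRB5CCNAME=${KRB5CCNAME-} state=$(ccache_state "${KRB5CCNAME-}")"
        env | sort
        tokens 2>&1 || true
    } >>"$LOG" 2>&1
    exec "$AKLOG" "$@"
}

# Run only when installed under the (hypothetical) name aklog-wrap.
case "$0" in
    */aklog-wrap) wrap_aklog "$@" ;;
esac
```

A logged state of `missing` or `empty` alongside a set KRB5CCNAME is the condition discussed in the thread: the variable is exported before the ticket cache has been written.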