[OpenAFS] Russ' pam_krb5+pam_afs_session on Solaris?
Alf Wachsmann
alfw@slac.stanford.edu
Tue, 22 Jan 2008 10:56:42 -0800 (PST)
Hi,
I now have Russ Allbery's pam_krb5+pam_afs_session working great
on Solaris 10 with one little exception.
When I lock the screen, I get a refreshed K5 ticket but no new AFS token.
The syslog messages for dtsession are:
(pam_krb5): alfw: <unknown>: exit (success)
pam_roles:pam_sm_acct_mgmt: service = dtsession user = alfw ruser = not set rhost = not set
(pam_krb5): alfw: <unknown>: entry (0x0)
(pam_krb5): alfw: retrieving principal from cache
(pam_krb5): alfw: <unknown>: exit (success)
pam_unix_account: entering pam_sm_acct_mgmt()
Unix Policy:alfw, pw=Unix PW, lstchg=-1, min=-1, max=-1, warn=-1, inact=-1, expire=-1
(pam_krb5): alfw: <unknown>: entry (0x8)
(pam_krb5): alfw: refreshing ticket cache /tmp/krb5cc_5828_f8aqD0
(pam_krb5): alfw: <unknown>: exit (success)
(pam_afs_session): <unknown>: entry (0x8)
(pam_afs_session): skipping, AFS apparently not available
(pam_afs_session): <unknown>: exit (success)
I have no idea why pam_afs_session's k_hasafs() call fails here.
My pam.conf section for dtsession is:
dtsession auth required pam_krb5_russ.so debug ignore_root
dtsession auth required pam_afs_session.so debug ignore_root nopag program=/afs/slac.stanford.edu/package/heimdal/1.0.2/bin/afslog
dtsession auth sufficient pam_unix_auth.so.1
When I omit pam_afs_session.so in dtsession's auth section and only
have it as "required" in the "other session" section, pam_afs_session
is not called at all when unlocking the screen.
Is this working for anyone? How?
Many thanks,
Alf.
-----------------------------------------------------------------------
Alf Wachsmann | e-mail: alfw@slac.stanford.edu
SLAC - Scientific Computing | Phone: +1-650-926-4802
2575 Sand Hill Road, M/S 97 | FAX: +1-650-926-3329
Menlo Park, CA 94025, USA | Office: Bldg. 50/323
-----------------------------------------------------------------------
http://www.slac.stanford.edu/~alfw (PGP)
-----------------------------------------------------------------------