[OpenAFS] Solaris 10 (x86): pam_afs_session

John Tang Boyland boyland@cs.uwm.edu
Wed, 23 Jan 2008 11:22:55 -0600

I'm using pam_afs_session (v1.4) on Solaris 10 (x86 Generic_120012-14)
and have an interesting problem: the screen login system starts the
session before it does the authentication.  I have the Sun-provided
pam_krb5 in the pam stack for auth, but it gets called AFTER
pam_afs_session has tried to get an AFS token (verified using truss).
The workaround is to log on twice: the first time fails because it
doesn't get a token, but it does get the krb5 TGT.  Then the second
time, it picks up the *old* TGT and gets an AFS token.

What's even more interesting is that the vendor supplied
sshd does the "correct" thing: gets the TGT before
calling pam_afs_session.  It seems then that the bug is with the
Solaris screen login system, not with pam_afs_session.

Here's the relevant part of pam.conf:

# ...
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_krb5.so.1 debug
other   auth required           pam_unix_auth.so.1
# ...
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other   session required        pam_unix_session.so.1
other   session required        pam_afs_session.so always_aklog

The only entries that don't use the "other" "auth" line are krlogin,
rsh, krsh, ktelnet, passwd, none of which I use.  The "session"
lines above are the only ones for "session" in pam.conf.