[OpenAFS] Solaris 10 (x86): pam_afs_session
John Tang Boyland
Wed, 23 Jan 2008 11:22:55 -0600
I'm using pam_afs_session (v1.4) on Solaris 10 (x86 Generic_120012-14)
and have an interesting problem: the screen login system starts the
session before it does the authentication. I have the Sun-provided
pam_krb5 in the pam stack for auth, but it gets called AFTER
pam_afs_session has tried to get an AFS token (verified using truss).
The workaround is to log on twice: the first time fails because it
doesn't get a token, but it does get the krb5 TGT. Then the second
time, it picks up the *old* TGT and gets an AFS token.
What's even more interesting is that the vendor supplied
sshd does the "correct" thing: gets the TGT before
calling pam_afs_session. It seems then that the bug is with the
Solaris screen login system, not with pam_afs_session.
Here's the relevant part of pam.conf:

# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1 debug
other auth required pam_unix_auth.so.1
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other session required pam_unix_session.so.1
other session required pam_afs_session.so always_aklog

The only entries that don't use the "other" "auth" line are krlogin,
rsh, krsh, ktelnet, passwd, none of which I use. The "session"
lines above are the only ones for "session" in pam.conf.
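The reasoning in the last paragraph (which services inherit the "other" auth and session stacks, and which carry their own entries) is the kind of thing worth checking mechanically on a Solaris box. The script below is an added example, not part of the original post or of pam_afs_session: it parses pam.conf lines in the Solaris four-field form (service, module type, control flag, module path, optional module arguments), and resolves the effective stack for a named service by falling back to "other" when the service has no entries of that type. The sample configuration is constructed from the excerpt above plus one hypothetical krlogin auth entry to show a service-specific override; the krlogin lines are an assumption for illustration, not the poster's actual file.

```python
"""
Resolve the effective PAM stack for a service from a Solaris-style pam.conf.

Solaris pam.conf line format:
    service  module_type  control_flag  module_path [module_options...]
When a service has no entry for a given module_type, the "other" entries
for that module_type apply.
"""
from collections import defaultdict

# Constructed sample: the "other" lines from the post, plus a hypothetical
# krlogin auth stack (an assumption, used only to show an override).
SAMPLE_PAM_CONF = """\
# Default definitions for Authentication management
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1 debug
other auth required pam_unix_auth.so.1
# Default definition for Session management
other session required pam_unix_session.so.1
other session required pam_afs_session.so always_aklog
# hypothetical service-specific auth stack (constructed, not from the post)
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
"""


def parse_pam_conf(text):
    """Return {(service, module_type): [(flag, module, options), ...]} in file order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        # Strip trailing comments and blank lines.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, flag, module = fields[:4]
        stacks[(service, mtype)].append((flag, module, fields[4:]))
    return stacks


def effective_stack(stacks, service, module_type):
    """Stack PAM would walk for service/module_type; falls back to the 'other' entries."""
    key = (service, module_type)
    if key in stacks:
        return stacks[key]
    return stacks.get(("other", module_type), [])


def modules_for(stacks, service, module_type):
    """Just the module paths of the effective stack, in order."""
    return [module for _, module, _ in effective_stack(stacks, service, module_type)]


def services_overriding(stacks, module_type):
    """Services that carry their own entries for module_type instead of inheriting 'other'."""
    return sorted(svc for (svc, mtype) in stacks if mtype == module_type and svc != "other")


if __name__ == "__main__":
    stacks = parse_pam_conf(SAMPLE_PAM_CONF)
    for svc in ("login", "sshd", "krlogin"):
        for mtype in ("auth", "session"):
            print("%-8s %-8s %s" % (svc, mtype, modules_for(stacks, svc, mtype)))
    print("services with their own auth stack:", services_overriding(stacks, "auth"))
```

Running it shows that login and sshd both resolve to the same "other" auth and session stacks, so pam.conf alone cannot explain why one program has a TGT available when pam_afs_session runs and the other does not. The order in which the auth and session phases run is chosen by the calling program (the sequence of its pam_authenticate and pam_open_session calls), not by anything in pam.conf, which is consistent with the truss observation above.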