[OpenAFS] Solaris 10 (x86): pam_afs_session

Russ Allbery rra@stanford.edu
Wed, 23 Jan 2008 10:45:09 -0800

John Tang Boyland <boyland@cs.uwm.edu> writes:

> I'm using pam_afs_session (v1.4) on Solaris 10 (x86 Generic_120012-14)
> and have an interesting problem: the screen login system starts the
> session before it does the authentication.  I have the Sun-provided
> pam_krb5 in the pam stack for auth, but it gets called AFTER
> pam_afs_session has tried to get an AFS token (verified using truss).
> The workaround is to log on twice: the first time fails because it
> doesn't get a token, but it does get the krb5 TGT.  Then the second
> time, it picks up the *old* TGT and gets an AFS token.

It looks like you're not running pam_krb5 in the session stack.  pam_krb5
should be listed in the session stack before pam_afs_session, and that
will probably fix the problem.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>