[OpenAFS] Solaris 10 (x86): pam_afs_session
Wed, 23 Jan 2008 10:45:09 -0800
John Tang Boyland <email@example.com> writes:
> I'm using pam_afs_session (v1.4) on Solaris 10 (x86 Generic_120012-14)
> and have an interesting problem: the screen login system starts the
> session before it does the authentication. I have the Sun-provided
> pam_krb5 in the pam stack for auth, but it gets called AFTER
> pam_afs_session has tried to get an AFS token (verified using truss).
> The workaround is to log on twice: the first time fails because it
> doesn't get a token, but it does get the krb5 TGT. Then the second
> time, it picks up the *old* TGT and gets an AFS token.
It looks like you're not running pam_krb5 in the session stack. pam_krb5
should be listed in the session stack before pam_afs_session, and that
will probably fix the problem.
Russ Allbery (firstname.lastname@example.org) <http://www.eyrie.org/~eagle/>