[OpenAFS] Solaris 10 (x86): pam_afs_session

Russ Allbery rra@stanford.edu
Wed, 23 Jan 2008 13:24:13 -0800

John Tang Boyland <boyland@cs.uwm.edu> writes:

> ] It looks like you're not running pam_krb5 in the session stack.  pam_krb5
> ] should be listed in the session stack before pam_afs_session, and that
> ] will probably fix the problem.
> (BTW: This is Sun-provided pam_krb5)

Ah, hm.  I wonder if the Sun-provided pam_krb5 won't write out the ticket
cache during pam_open_session the way that mine will.

You may have to try Unix first and then try pam_krb5 so that you can put
pam_afs_session into the auth group.  Something like:

dtlogin   auth requisite          pam_authtok_get.so.1
dtlogin   auth required           pam_dhkeys.so.1
dtlogin   auth required           pam_unix_cred.so.1
dtlogin   auth sufficient         pam_unix_auth.so.1
dtlogin   auth required           pam_krb5.so.1
dtlogin   auth required           pam_afs_session.so.1

Alternately, you can use my pam-krb5 module, which will write out the
ticket cache during open_session.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>