[OpenAFS] pam_afs_session.so is unable to find Kerberos ticket cache file

Russ Allbery rra@stanford.edu
Thu, 10 Dec 2009 12:50:02 -0800


Holger Rauch <holger.rauch@empic.de> writes:

> thanks for pointing this out. Indeed, that was the problem. What I
> don't understand is that even though I have

> forwardable = true

> in both pam and kinit sections within [appdefaults] in my
> /etc/krb5.conf, I still have to explicitly specify "kinit -f" in order
> to get forwardable tickets. Any idea why? (I admit that this is sort of
> OT and not really OpenAFS but rather Kerberos related).

MIT Kerberos doesn't pay any attention to the [appdefaults] section for
kinit.  My PAM module pays attention to forwardable in the [appdefaults]
section, but I'm not sure if the Red Hat version does.

Putting forwardable = true in [libdefaults] configures the underlying
Kerberos libraries and therefore tends to affect everything.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
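
Added example, not part of the original message and not code from OpenAFS, MIT Kerberos or pam-afs-session: a small checker that reports where forwardable is set in a krb5.conf and whether it sits in [libdefaults], the placement the reply says affects everything. The sample configuration, the realm name and the function names are constructed for illustration.

```python
import re

# Constructed sample matching the setup described in the thread:
# forwardable is set only under [appdefaults] for pam and kinit.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.ORG

[appdefaults]
    pam = {
        forwardable = true
    }
    kinit = {
        forwardable = true
    }
"""

TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}  # krb5.conf boolean spellings

def find_setting(text, key="forwardable"):
    """Return (section, subsection or None, value) for every occurrence of key."""
    hits, section, stack = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                              # new top-level section
            section, stack = header.group(1), []
        elif line.startswith("}"):              # end of a { ... } subsection
            if stack:
                stack.pop()
        elif "=" in line:
            name, _, value = (part.strip() for part in line.partition("="))
            if value == "{":                    # start of a subsection
                stack.append(name)
            elif name == key:
                hits.append((section, "/".join(stack) or None, value))
    return hits

def library_default_forwardable(text):
    """True only if [libdefaults] itself sets forwardable to a true value,
    the placement the reply says affects everything, kinit included."""
    return any(sec == "libdefaults" and sub is None and val.lower() in TRUE_VALUES
               for sec, sub, val in find_setting(text))

if __name__ == "__main__":
    for sec, sub, val in find_setting(SAMPLE):
        print(f"[{sec}] {sub or '(top level)'}: forwardable = {val}")
    print("set in [libdefaults]:", library_default_forwardable(SAMPLE))
```

On the sample, both hits are under [appdefaults], so the check returns False; adding forwardable = true to [libdefaults] makes it return True.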