[OpenAFS] pam-afs-session on OS X Lion

Russ Allbery rra@stanford.edu
Mon, 19 Dec 2011 12:49:42 -0800

Derrick Brashear <shadow@gmail.com> writes:

> yeah, that's going to be the issue; the "answer" will either be that
> afs_session needs to run after the krb5 module does whichever step
> writes out the creds for real, or that it will have to learn how to raid
> the temp kcm cache.

The setcred step in pam_krb5 should do this, and pam_afs_session is always
recommended to be run after pam_krb5 in auth for this reason.  Maybe Mac
OS X's native pam_krb5 doesn't write the ticket cache out until the
session is created?  If so, one fix may be to remove pam_afs_session from
the auth stack entirely (although this will break with non-interactive

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>