[OpenAFS] pam-afs-session on OS X Lion

Dave Botsch botsch@cnf.cornell.edu
Mon, 19 Dec 2011 15:51:48 -0500

Just to clarify, at the moment, I'm not trying to make it work with ssh.
I'm working with loginwindow, which makes use of the
/etc/pam.d/authorization file .

>From my initial post, you'll see that pam-afs-session is indeed after
pam_krb5 . You'll also see that the pam-afs-session in the "session"
section never gets called (some oddity with loginwindow?).

On Mon, Dec 19, 2011 at 12:49:42PM -0800, Russ Allbery wrote:
> Derrick Brashear <shadow@gmail.com> writes:
> > yeah, that's going to be the issue; the "answer" will either be that
> > afs_session needs to run after the krb5 module does whichever step
> > writes out the creds for real, or that it will have to learn how to raid
> > the temp kcm cache.
> The setcred step in pam_krb5 should do this, and pam_afs_session is always
> recommended to be run after pam_krb5 in auth for this reason.  Maybe Mac
> OS X's native pam_krb5 doesn't write the ticket cache out until the
> session is created?  If so, one fix may be to remove pam_afs_session from
> the auth stack entirely (although this will break with non-interactive
> ssh).
> -- 
> Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>

David William Botsch
CNF Computing