[OpenAFS] pam-afs-session on OS X Lion
Dave Botsch
botsch@cnf.cornell.edu
Mon, 19 Dec 2011 15:51:48 -0500
Just to clarify, at the moment, I'm not trying to make it work with ssh.
I'm working with loginwindow, which makes use of the
/etc/pam.d/authorization file .
>From my initial post, you'll see that pam-afs-session is indeed after
pam_krb5 . You'll also see that the pam-afs-session in the "session"
section never gets called (some oddity with loginwindow?).
On Mon, Dec 19, 2011 at 12:49:42PM -0800, Russ Allbery wrote:
> Derrick Brashear <shadow@gmail.com> writes:
>
> > yeah, that's going to be the issue; the "answer" will either be that
> > afs_session needs to run after the krb5 module does whichever step
> > writes out the creds for real, or that it will have to learn how to raid
> > the temp kcm cache.
>
> The setcred step in pam_krb5 should do this, and pam_afs_session is always
> recommended to be run after pam_krb5 in auth for this reason. Maybe Mac
> OS X's native pam_krb5 doesn't write the ticket cache out until the
> session is created? If so, one fix may be to remove pam_afs_session from
> the auth stack entirely (although this will break with non-interactive
> ssh).
>
> --
> Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
>
--
********************************
David William Botsch
Programmer/Analyst
CNF Computing
botsch@cnf.cornell.edu
********************************