[OpenAFS] pam-afs-session on OS X Lion
Derrick Brashear
shadow@gmail.com
Tue, 20 Dec 2011 00:11:32 -0500
Why pam and not an auth plugin?
not that pam is necessarily a bad idea.
On Mon, Dec 19, 2011 at 3:51 PM, Dave Botsch <botsch@cnf.cornell.edu> wrote=
:
> Just to clarify, at the moment, I'm not trying to make it work with ssh.
> I'm working with loginwindow, which makes use of the
> /etc/pam.d/authorization file .
>
> From my initial post, you'll see that pam-afs-session is indeed after
> pam_krb5 . You'll also see that the pam-afs-session in the "session"
> section never gets called (some oddity with loginwindow?).
>
> On Mon, Dec 19, 2011 at 12:49:42PM -0800, Russ Allbery wrote:
>> Derrick Brashear <shadow@gmail.com> writes:
>>
>> > yeah, that's going to be the issue; the "answer" will either be that
>> > afs_session needs to run after the krb5 module does whichever step
>> > writes out the creds for real, or that it will have to learn how to ra=
id
>> > the temp kcm cache.
>>
>> The setcred step in pam_krb5 should do this, and pam_afs_session is alwa=
ys
>> recommended to be run after pam_krb5 in auth for this reason. =A0Maybe M=
ac
>> OS X's native pam_krb5 doesn't write the ticket cache out until the
>> session is created? =A0If so, one fix may be to remove pam_afs_session f=
rom
>> the auth stack entirely (although this will break with non-interactive
>> ssh).
>>
>> --
>> Russ Allbery (rra@stanford.edu) =A0 =A0 =A0 =A0 =A0 =A0 <http://www.eyri=
e.org/~eagle/>
>>
>
> --
> ********************************
> David William Botsch
> Programmer/Analyst
> CNF Computing
> botsch@cnf.cornell.edu
> ********************************
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
--=20
Derrick