[OpenAFS-port-darwin] Tokens on SSH login?

[Nate Coraor]

Hi all,

I see this has been discussed numerous times, most recently in May of  
'06.  However, I've tried everything I've come across and none of it  
has worked so far.

I have a MIT K5 KDC and OpenAFS 1.4.2(-6, it's debian) server.  My  
10.4.9 client can get K5 tickets as well as tokens via kinit/aklog.   
afslog.loginLogout also works properly with kinit and the  
loginwindow.  Setting 'KerberosAuthentication yes' in sshd_config on  
the OS X client allows kerberos users to login (and after logging in  
they have a new TGT).  But they don't have AFS tokens.  I tried  
changing 'system.login.tty' in /etc/authorization to both  
'builtin:krb5login,privileged' and 'kerberos:login,privileged' (with  
the patched kerberos plugin) but neither seem to have any effect.

What am I missing?

On Linux clients I don't set KerberosAuthentication because there are  
appropriate PAM modules.  But I haven't found any up-to-date krb5/afs  
modules for PAM on Tiger.

Thanks in advance,
--nate