source: trunk/debathena/config/pam-config/debian/README.pam-afs-session @ 24465

Revision 24465, 845 bytes checked in by broder, 14 years ago
Add a detailed note about why pam-afs-session isn't being used as an auth module.
pam_afs_session exports an auth interface to make sure it gets run
when PAM users call pam_setcred instead of
pam_open_session. Screensavers, for instance, do this.

debathena-pam-config, however, does not configure pam_afs_session's
auth component.

Because sudo's PAM configuration only includes /etc/pam.d/common-auth
and not /etc/pam.d/common-session, configuring pam_afs_session as an
auth module caused it to run under sudo when previously
pam_athena_locker did not.

Configuring the auth module, combined with the fact that sudo doesn't
seem to set PAM's environment correctly, would cause pam_afs_session
to get run when sudo executed its PAM stack, create a new PAG, but
fail to get tokens (because KRB5CCNAME isn't set).

Since part of the debathena-cluster login process is run through sudo,
this would cause users to not get tokens.
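
A check for the situation described above, as an added example that is not part of the Debathena README or package: it resolves each service's PAM stack and lists the services that would call pam_afs_session for a given module type. The file contents in SAMPLE and the helper names are constructed for illustration.

```python
import re

# Constructed sample /etc/pam.d contents (not from the Debathena tree): the
# state the README warns about, with pam_afs_session also configured as auth.
SAMPLE = {
    "common-auth": "auth [success=1 default=ignore] pam_unix.so\n"
                   "auth optional pam_afs_session.so\n",
    "common-session": "session required pam_unix.so\n"
                      "session optional pam_afs_session.so\n",
    "sudo": "@include common-auth\n",
    "login": "@include common-auth\n@include common-session\n",
}

def entries(service, configs, stack=()):
    """Yield (type, module) for a service, following @include/include/substack."""
    if service in stack or service not in configs:
        return  # include loop, or file absent from the sample
    stack += (service,)
    for line in configs[service].splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            yield from entries(line.split()[1], configs, stack)
            continue
        # Fields: type, control (word or [bracketed list]), module path, args
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m:
            continue
        mtype, control, module = m.groups()
        if control in ("include", "substack"):
            # Only lines of the same type are pulled in from the included file
            for t, mod in entries(module, configs, stack):
                if t == mtype:
                    yield t, mod
        else:
            yield mtype, module.rsplit("/", 1)[-1]

def services_running(module, mtype, configs):
    """Top-level services whose resolved stack calls `module` for `mtype`."""
    top = [s for s in configs if not s.startswith("common-")]
    return sorted(s for s in top if (mtype, module) in set(entries(s, configs)))

if __name__ == "__main__":
    for t in ("auth", "session"):
        print(t, services_running("pam_afs_session.so", t, SAMPLE))
```

With the auth line removed from common-auth, sudo no longer appears for either type while login still reaches the module through its session stack.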