Here's a config that also adds an auth module.

Priority is 64 as that value is a calculation explained here:

https://wiki.ubuntu.com/PAMConfigFrameworkSpec

pam_krb5 is 704 since it's 512+128+64

Name: AFS Session
Default: yes
Priority: 64
Auth-Type: Additional
Auth:
        optional                        pam_afs_session.so minimum_uid=1000
Session-Type: Additional
Session:
        optional                        pam_afs_session.so minimum_uid=1000

This config results in a common-auth that looks like this:

# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_afs_session.so minimum_uid=1000
# end of pam-auth-update config

Unfortunately I don't see a way to have it gracefully skip pam_afs_session if pam_krb5 fails a la Russ' recommended config:

auth     [success=ok default=1]  pam_krb5.so
auth     [default=done]          pam_afs_session.so

At least not without modifying the pam-auth-update config for krb5.

--nate
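
The control flow discussed in this message, as an added example that is not part of the original email: a simplified Python model of how Linux-PAM walks an auth stack. It shows that in the generated common-auth pam_afs_session still runs when pam_krb5 fails but pam_unix succeeds, while the two-line form skips it. The module outcomes passed to `run()` are constructed, and only the ok, done, bad, die, ignore and numeric-jump actions are modelled.

```python
# Simplified model of Linux-PAM pam_authenticate control flow (added example, not libpam code).
ALIASES = {
    "required":  {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
    "optional":  {"success": "ok", "default": "ignore"},
}

GENERATED = """\
auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_afs_session.so minimum_uid=1000""".splitlines()

RECOMMENDED = """\
auth [success=ok default=1] pam_krb5.so
auth [default=done] pam_afs_session.so""".splitlines()

def parse(line):
    """Return (control dict, module name) for one 'auth ...' line."""
    rest = line.split(None, 1)[1].strip()
    if rest.startswith("["):
        ctl, rest = rest[1:].split("]", 1)
        return dict(kv.split("=") for kv in ctl.split()), rest.split()[0]
    word, rest = rest.split(None, 1)
    return ALIASES[word], rest.split()[0]

def run(stack, results):
    """results: module -> True/False (constructed outcomes). Returns (granted, modules run)."""
    status, negative, skip, ran = None, False, 0, []
    for control, module in map(parse, stack):
        if skip:                      # this module was jumped over
            skip -= 1
            continue
        ran.append(module)
        default = control.get("default", "bad")
        action = control.get("success", default) if results[module] else default
        if action.isdigit():
            skip = int(action)        # jump N: contributes nothing to the result for auth
        elif action in ("ok", "done") and not negative:
            if status is not False:
                status = results[module]
            if action == "done":
                break
        elif action in ("bad", "die"):
            negative, status = True, False
            if action == "die":
                break
    return status is True, ran        # no positive result at all means denied
```

Calling `run(GENERATED, ...)` with pam_krb5 failing and pam_unix succeeding lists pam_afs_session.so among the modules run; `run(RECOMMENDED, ...)` with pam_krb5 failing does not.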


