Found it. A combination of long-lived (24h) tokens and frequent, short-lived sessions (imap, pop) filled up the vmalloc area. The odd thing is that the afs client doesn't seem to free up vmalloc space when tokens are destroyed (say, through pam_krb5 or unlog). The memory remains allocated until some time after the token expires. Is that expected?
You could try enabling pag garbage collection:

    sysctl -w afs.GCPAGs=1

This will cause afs to (once an hour) scan all running processes to find out which pags have processes in them, and purge the tokens and connections (which I think is the problem here) belonging to pags that have no members.
