pam_krb5 authenticates when I have it enabled in pam.d but it fails before storing a ticket in /tmp. I have tracked it down so far to pam_set_data/pam_get_data. Everything appears to be good and working in pam_sm_authenticate, I can pam_get_data after it's set perfectly fine. But in pam_sm_setcred in pam_krb5, which gets called after pam_sm_authenticate completes, pam_get_data fails to retrieve it's ccache data and fails. Now I'm stumped where to look. How-To-Repeat: setup kerberos so you can kinit and kdestroy from a machine. Then on that machine enable kerberos through: auth sufficient pam_krb5.so debug no_warn try_first_pass Do this to login or ssh in the auth section. Use a different password for kerberos so you know what is authenticating. Use PAM_DEBUG versions of libpam.so.5 and pam_krb5.so.5 to see messages in /var/log/debug.log
I have repro'd the same issue. I was reviewing the apple code here : http://www.opensource.apple.com/source/pam_modules/pam_modules-6/pam_krb5/pam_krb5.c I think they were also trying to fix the same error as they replaced pam_get_data/pam_set_data with pam_getenv/pam_setenv (but only halfway through the code)
Ok I did some additional digging. It seems that this only happens with forking pam applications. For instance the "bug" manifests itself with sshd but not with login. see this for a possible reason: http://www.redhat.com/archives/pam-list/2007-September/msg00040.html based on that it seems that pam_sm_authenticate and pam_sm_setcred are running in two different processes.
This is specific to sshd. It runs pam_open_session(3) in a different process than pam_authenticate(3), so the ticket that pam_krb5(8) received while executing the latter is not available when executing the former. This is a fundamental flaw in (depending on who you ask) PAM, OpenSSH, or the way PAM is integrated into OpenSSH.