So, both the Linux-PAM and Solaris documentation tell authors to call pam_open_session before pam_setcred. I don't understand why this would ever be useful and have examples of cases where it would be a bad idea.

In particular, I'm looking at the interactions between Kerberos modules and session modules that depend on access to network credentials. It seems that the Kerberos module should make tickets available (write them out to disk as the user) in the pam_setcred call. This seems an appropriate use of the call and works quite well in most cases. But then it seems that it would be a session level activity to mount a homedir, or create a homedir, or in my case let AFS know about tokens. None of these activities have anything to do with authentication, but all of them could depend on having access to network authentication made available in setcred.

For example, I could be using a networked filesystem with authentication to mount the homedir. I could desire to log into a database to get information on the initial contents of the homedir, authenticating to the database with the network identity of the already authenticated user. In the AFS case I need the credentials to convert them into tokens.

I'll take a moment to counter the argument that AFS tokens have something to do with authentication. It is true that Transarc ships a PAM module that uses AFS tokens for authentication. This authentication is very weak (about the same level as NIS) because the client never authenticates the identity of the AFS server. In the case where you have Kerberos infrastructure and are just using AFS as a filesystem, you don't care about AFS for authentication, and just want to make the credentials available to the kernel.

So, I am maintaining a module (libpam-openafs-session) for Debian that attempts to get AFS tokens. Previously it only worked as a session module, but I'm trying to add authentication support to the module for setcred. I'm running into the annoying problem that there appears to be no valid configuration for the module.

I really want the Kerberos module to be sufficient because I want to allow users with local accounts to use pam_unix.so, so I need to make pam_unix.so be more than just optional so people with neither local accounts nor Kerberos authentication will fail. However, the openafs auth setcred call needs to happen after the Kerberos setcred call so it can get to the credentials. Sadly, if the sufficient Kerberos module succeeds no other modules will be tried. To me, this is a fairly strong argument that AFS tokens cannot be an authentication activity--you want them to get set up even if you have already established sufficient authentication beforehand.
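The ordering problem described in the message above, as an added example that is not part of the original post and is not code from libpam-openafs-session or any PAM implementation. It is a simplified model of one pass over an auth stack using only the sufficient, required and optional control flags; the functions `krb5`, `openafs` and `unix` are hypothetical stand-ins for the three modules, and the user records are constructed.

```python
# Simplified model of one pass over a PAM auth stack (constructed example).
# Only the sufficient / required / optional control flags are modelled.

def krb5(user, state):
    # Stand-in for the Kerberos module: on success the ticket cache exists.
    state["ccache"] = user["kerberos"]
    return user["kerberos"]

def openafs(user, state):
    # Stand-in for the AFS module: it can only get a token from a ticket cache.
    state["afs_token"] = state["ccache"]
    return state["ccache"]

def unix(user, state):
    # Stand-in for pam_unix.so: succeeds for accounts with a local password.
    return user["local"]

def run_stack(stack, user):
    """Return (authenticated, modules_called, got_afs_token)."""
    state = {"ccache": False, "afs_token": False}
    called, required_failed = [], False
    for control, module in stack:
        ok = module(user, state)
        called.append(module.__name__)
        if control == "sufficient" and ok and not required_failed:
            # A successful sufficient module ends the pass immediately.
            return True, called, state["afs_token"]
        if control == "required" and not ok:
            required_failed = True  # keep going, but the pass will fail
        # optional: result ignored while another module decides the outcome
    return not required_failed, called, state["afs_token"]

AFS_AFTER_KRB5 = [("sufficient", krb5), ("optional", openafs), ("required", unix)]
AFS_BEFORE_KRB5 = [("optional", openafs), ("sufficient", krb5), ("required", unix)]

KRB_USER = {"kerberos": True, "local": False}    # constructed sample users
LOCAL_USER = {"kerberos": False, "local": True}
NO_ACCOUNT = {"kerberos": False, "local": False}

if __name__ == "__main__":
    for name, stack in [("afs after krb5", AFS_AFTER_KRB5),
                        ("afs before krb5", AFS_BEFORE_KRB5)]:
        for label, user in [("kerberos", KRB_USER), ("local", LOCAL_USER),
                            ("none", NO_ACCOUNT)]:
            print(name, label, run_stack(stack, user))
```

In both orderings the Kerberos user authenticates but ends the pass without an AFS token: placed after the sufficient module the AFS stand-in is never called, and placed before it the ticket cache does not exist yet.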