Hello!

I have found some problem in the specification (or is it just my poorly equipped brain's problem?). Sorry if I missed a relevant discussion on the list.

pam_setcred() might be called either before or after session initialization.

The docs (http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-3.html) say:

"It is usually called after the user has been authenticated, after the account management function has been called but before a session has been opened for the user."

That is, no *enforced* order. In other random pam-docs on the net I read even that "pam_setcred() is usually called after a session has been opened"...

But then, there are things we may want to do by session pam-modules, that need credentials - to be established by other modules, like pam_kcoda that needs kerberos credentials.

If I stack the modules like

    auth    pam_krb5.so
    session pam_kcoda.so

It may work and may not work depending on when an application calls pam_setcred(). And when the application does it the other way around, I have no possibility to make it to work with kerberos and coda, without combining both modules into one (or providing them with peer-to-peer knowledge inside pam framework) - thus creating unnecessary complications in development and support, totally against the idea of modularization.

The problem might go away if we demand that

"pam_setcred() has to be called after successful authentication and before pam_open_session()"

It should not sacrifice compatibility with other pam implementations as long as nobody else demands exactly otherwise.

Regards,
--
Ivan
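
Added example (not part of the original message, and not libpam code): a toy C model of the ordering dependency described above, run against the two application call orders. It assumes, as the post does, that the auth module establishes credentials in its setcred hook and the session module needs them when the session opens; every identifier is hypothetical.

```c
#include <stdio.h>
#include <stddef.h>

/* Toy model of the ordering issue, not libpam code; all names are hypothetical. */
enum model_phase { M_AUTHENTICATE, M_SETCRED, M_OPEN_SESSION };
enum model_result { M_OK = 0, M_ERR_NOT_AUTHENTICATED, M_ERR_NO_CREDENTIALS };

struct login_state {
    int authenticated;  /* set by the auth module's authenticate hook */
    int have_creds;     /* set by the auth module's setcred hook (the post's Kerberos credentials) */
    int session_open;   /* set by the session module */
};

/* Models the stack from the post: "auth pam_krb5.so" + "session pam_kcoda.so". */
static enum model_result run_phase(struct login_state *s, enum model_phase p) {
    switch (p) {
    case M_AUTHENTICATE:
        s->authenticated = 1;
        return M_OK;
    case M_SETCRED:               /* auth module establishes credentials */
        if (!s->authenticated) return M_ERR_NOT_AUTHENTICATED;
        s->have_creds = 1;
        return M_OK;
    case M_OPEN_SESSION:          /* session module needs them at this point */
        if (!s->have_creds) return M_ERR_NO_CREDENTIALS;
        s->session_open = 1;
        return M_OK;
    }
    return M_OK;
}

/* Run one application's call order; stop at the first failing phase. */
enum model_result run_application(const enum model_phase *order, size_t n) {
    struct login_state s = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        enum model_result r = run_phase(&s, order[i]);
        if (r != M_OK) return r;
    }
    return M_OK;
}

/* The two orders the documentation's "usually" leaves open. */
static const enum model_phase SETCRED_FIRST[] = { M_AUTHENTICATE, M_SETCRED, M_OPEN_SESSION };
static const enum model_phase SESSION_FIRST[] = { M_AUTHENTICATE, M_OPEN_SESSION, M_SETCRED };

int main(void) {
    printf("setcred before open_session: %d\n", run_application(SETCRED_FIRST, 3));
    printf("open_session before setcred: %d\n", run_application(SESSION_FIRST, 3));
    return 0;
}
```

The same module stack succeeds under the first order and fails in the session phase under the second, which is the application-dependent behaviour the message describes.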