Hi,

Yes, here at Fermilab we saw this when we first switched to S.L. 4.x based Linux. I can't remember all the details, but in the end I found the following to work best for us.

 pam = {
   debug = false
   ticket_lifetime = 100000
   renew_lifetime = 100000
   forwardable = true
   krb4_convert = true  # True gets AFS tokens
   afs_cells = fnal.gov # AFS token for right cell
   ignore_afs = true
 }

Notice the "ignore_afs = true"

And then in /etc/profile.d we have

# cat /etc/profile.d/z_krb5.csh
set path = ( /usr/krb5/bin $path )
if ( `id -u` == 0 ) then
   set path = ( /usr/krb5/sbin $path )
endif
df --type=afs | grep -qi afs
if ( $? == 0 ) then
   /usr/krb5/bin/klist -s >& /dev/null
   if ( $? == 0 ) then
      aklog -setpag
   endif
endif

# cat /etc/profile.d/z_krb5.sh
PATH=/usr/krb5/bin:${PATH}
if [ `id -u` = 0 ] ; then
   PATH=/usr/krb5/sbin:${PATH}
fi
df --type=afs | grep -qi afs
if [ $? -eq 0 ] ; then
   /usr/krb5/bin/klist -s > /dev/null 2>&1
   if [ $? -eq 0 ] ; then
      aklog -setpag
   fi
fi

Now this is setting the default Kerberos to be our Kerberos, but, it is also checking to see if AFS is on, checking to make sure the user has a Kerberos ticket (NOTE: for Red Hat's Kerberos use a different check) and if those two things are true, it then does an aklog with the -setpag setting.

This has worked quite well ... and as an extra bonus, we no longer have AFS token stealing when two people log into the same account.

The exact reasons why we had to do this, as I said I can't remember, but the details are on the afs-info mailing list I believe.

Troy

Hugo Meiland wrote:
> Hi all,
>
> A quick question before I start bugging the dev list: I'm using SL4.2 as
> workstation and authenticate to a MIT kerberos5 server (no krb4 or 524
> services), and use a homedir on our afs cell; To enable this in SL, I use
> the pam_krb5 rpm, which is currently version 2.1.8-1. This works, except it
> takes about half a minute before the authentication is done, and I'm
> connected to my homedir.
>
> Has anyone seen this on other sites?
>
> The problem seems to be in the pam_krb5 module which forces krb4 translation
> when using afs...
>
> Some relevant info:
> -krb5.conf
> pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
>   krb4_get_tickets = false
> }
>
> - pam.d/system-auth
> auth sufficient /lib/security/$ISA/pam-krb5afs.so use_first_pass tokens (<-
> not sure about the file, but options are correct)
>
> Thank you in advance!
>
> Hugo Meiland,
> ICT Chemistry Department,
> Leiden University,
> The Netherlands

--
__________________________________________________
Troy Dawson  (630)840-6468
Fermilab  ComputingDivision/CSS  CSI Group
__________________________________________________