Call pam_setcred() before login_getpwclass to support home directories

on GSS-API authenticated NFS where the kerberos credentials need to be
saved so that the kernel can authenticate to the NFS server.

1 files changed, 14 insertions, 2 deletions

diff --git a/usr.bin/login/login.c b/usr.bin/login/login.c
index e671c8d..1de440b 100644
--- a/usr.bin/login/login.c
+++ b/usr.bin/login/login.c
@@ -380,6 +380,19 @@ main(int argc, char *argv[])
 		au_login_success();
 #endif
 
+        /*
+         * This needs to happen before login_getpwclass to support
+         * home directories on GSS-API authenticated NFS where the
+         * kerberos credentials need to be saved so that the kernel
+         * can authenticate to the NFS server.
+         */
+	pam_err = pam_setcred(pamh, pam_silent|PAM_ESTABLISH_CRED);
+	if (pam_err != PAM_SUCCESS) {
+		pam_syslog("pam_setcred()");
+		bail(NO_SLEEP_EXIT, 1);
+	}
+	pam_cred_established = 1;
+
 	/*
 	 * Establish the login class.
 	 */
@@ -513,12 +526,11 @@ main(int argc, char *argv[])
 		bail(NO_SLEEP_EXIT, 1);
 	}
 
-	pam_err = pam_setcred(pamh, pam_silent|PAM_ESTABLISH_CRED);
+	pam_err = pam_setcred(pamh, pam_silent|PAM_REINITIALIZE_CRED);
 	if (pam_err != PAM_SUCCESS) {
 		pam_syslog("pam_setcred()");
 		bail(NO_SLEEP_EXIT, 1);
 	}
-	pam_cred_established = 1;
 
 	pam_err = pam_open_session(pamh, pam_silent);
 	if (pam_err != PAM_SUCCESS) {