Krb5-auth-dialog now sends DBus signals when you acquire or renew your Kerberos ticket granting ticket and when the ticket expires. When using OpenAFS This can e.g. be used to trigger a call to aklog on ticket renewal. It's simple to catch the DBus signals from a Python script:
import dbus bus = dbus.SessionBus() bus.add_signal_receiver(tgt_renewed_handler, dbus_interface = "org.gnome.KrbAuthDialog", signal_name = "krb_tgt_renewed") bus.add_signal_receiver(tgt_acquired_handler, dbus_interface = "org.gnome.KrbAuthDialog", signal_name = "krb_tgt_acquired") bus.add_signal_receiver(tgt_expired_handler, dbus_interface = "org.gnome.KrbAuthDialog", signal_name = "krb_tgt_expired")
The tgt_*_handler will then be called when the signal is received. The shipped Python example allows to execute a script already:
tgt-signals.py -q --acquired-action=aklog --renewed-action=aklog
Krb5-auth-dialog also got a plugin system so you could use a loadable module for these kind of things instead. It already ships a PAM plugin that can be used to run some typical actions like calling pam-afs-session or getting kx509 set up.
You need to tell krb5-auth-dialog which plugins to load via gconf. To load the dummy and PAM plugins use:
gconftool-2 --set --list-type=string --type=list /apps/krb5-auth-dialog/plugins/enabled [pam,dummy]
Since I'm not using AFS or kx509 myself I'd be interested to know if this works out as expected.
If you want to write your one plugins you can use the dummy plugin as a basis.
A package with the above enabled has been uploaded to Debian experimental.