pam_set_cred vs. pam_close_session

["Aaron Cohen" <aaron assonance org>]

Hi there,
   I guess this is about 6 years too late, but I've got a question
about pam session management.

   Specifically, I'm using Linux PAM, pam_krb and util-linux from
Fedora Core 6.  I'm trying to use kerberos to authenticate a script
which synchronizes home directories to a backup server at session
open/close.

login.c from that version of login contains the following:
#  define PAM_END { \
       pam_setcred(pamh, PAM_DELETE_CRED); \
       retcode = pam_close_session(pamh,0); \
       pam_end(pamh,retcode); \
}




I'm very interested in the order of pam_setcred and pam_close_session
there, because it's rather inconvenient to me.  It results in ny
kerberos credentials being deleted before my script gets the chance to
clean up the session.  Is this intentional?  Is it specified somewhere
that it has to happen in this order?  Is there a workaround I could
manage somehow?

Thanks,
Aaron