[CentOS] pam_mount

Tue Feb 16 08:41:06 UTC 2010
Marcus Moeller <mail at marcus-moeller.de>

Hi all,

I am a bit confused about the usage of pam_mount.

Here is my /etc/pam.d/system-auth:

auth        required      pam_env.so
auth        required      pam_mount.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_mount.so

If pam_mount.so is listed in the session definition I will be asked
for the password a second time during SSH login:

At this stage the share is already mounted.

I can just remove the:

session     optional      pam_mount.so

from system-auth, which seems to work fine. Even the share is unmounted
successfully on logout.

So my question is: what is the session entry used for within pam_mount
(as the usage is suggested in the man page and in the docs)?

Best Regards
Marcus