pam_setcred man page
pam_setcred — establish / delete user credentials
int pam_setcred(pam_handle_t *pamh, int flags);
The pam_setcred function is used to establish, maintain and delete the credentials of a user. It should be called to set the credentials after a user has been authenticated and before a session is opened for the user (with pam_open_session(3)). The credentials should be deleted after the session has been closed (with pam_close_session(3)).
A credential is something that the user possesses. It is some property, such as a Kerberos ticket, or a supplementary group membership that make up the uniqueness of a given user. On a Linux system the user's UID and GID's are credentials too. However, it has been decided that these properties (along with the default supplementary groups of which the user is a member) are credentials that should be set directly by the application and not by PAM. Such credentials should be established, by the application, prior to a call to this function. For example, initgroups(2) (or equivalent) should have been performed.
Valid flags, any one of which, may be logically OR'd with PAM_SILENT, are:
Initialize the credentials for the user.
Delete the user's credentials.
Fully reinitialize the user's credentials.
Extend the lifetime of the existing credentials.
Memory buffer error.
Failed to set user credentials.
User credentials are expired.
Failed to retrieve user credentials.
Data was successful stored.
A NULL pointer was submitted as PAM handle, the function was called by a module or another system error occured.
User is not known to an authentication module.
pam_authenticate(3), pam_open_session(3), pam_close_session(3), pam_strerror(3)
pam(3), pam_authenticate(3), pam_chauthtok(3), pam_filter(8), pam_sm_setcred(3), pam_tally2(8).