Courier is managed by Puppet class hcoop::service::mail::courier
VMail users gain tokens via /etc/courier/get-token and a local modification to the courier authuserdb method
At least through Debian Stretch, courier needs to run with nopag so that vmail users would have tokens, using the following pam config:
# PAM configuration file for Courier IMAP daemon #@include common-auth #@include common-account #@include common-password #@include common-session session required pam_afs_session.so debug nopag always_aklog auth required pam_krb5.so debug auth required pam_afs_session.so debug nopag always_aklog account required pam_krb5.so
Using standard PAM config seems to work in some cases, but fails most of the time.