[OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Berthold Cogel
cogel@uni-koeln.de
Fri, 8 Jul 2022 11:32:23 +0200
Am 08.07.22 um 11:24 schrieb Berthold Cogel:
> We're using the pam_krb5 shipped with Red Hat.
>
> I've rebuild the module from the RHEL 7 source rpm on RHEL 8. And it
> seems to work.... for some value of working....
>
> Supported enctypes in our kdc:
> aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal des:afs3
>
> We 'rekeyed' our AFS environment with aes256-cts-hmac-sha1-96:normal to
> get connections from newer Ubuntu/Debian and Fedora 35 working.
>
> We get a krb5 ticket and a login, but getting the AFS token gives errors:
>
> "error obtaining credentials for 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE'
> (enctype=1) on behalf of ....: No credentials found with supported
> encryption types"
>
> Same for two other enctypes.
>
> So something else changed in RHEL 8, which we haven't found yet.
>
I forgot to add, that klog.krb5 is getting a token after login...