[OpenAFS] How to replace pam_krb5 on RHEL 8 systems

Carson Gaspar carson@taltos.org
Fri, 8 Jul 2022 17:31:14 -0700

On 7/8/2022 6:57 AM, Jeffrey E Altman wrote:
> Use of the RHEL7 pam_krb5 on a sssd enabled system will do the wrong 
> thing since its going to step on the toes of sssd's Kerberos ticket 
> processing.

Only if you let sssd touch Kerberos. There are any number of reasons not 
to let it do so (no clue if the KRB5 and LDAP problems are fixed in 
later versions, but the EL8 code was written by crazed weasels on 
crack). But I'd use Russ' pam_krb5 instead of one from EL7 
(https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html), which 
would probably require you use pam_afs_session as suggested (unless I'm 
missing something in the docs, which is very possible).