[OpenAFS] How to replace pam_krb5 on RHEL 8 systems

[Ken Hornstein]

>I wanted to mention that we are successfully doing ssh and gnome-shell
>logins with pam_sssd where sssd takes care of authN via kerberos and via
>ldap provides group information, and pam_afs_session to get afs tokens.

I guess _this_ is the part I'm confused about; why is pam_sss in there?
I know that other people do this so I'm sure there's a reason, but we
never found it necessary.  We do use sssd, but only via nsswitch;
we control per-host access with ldap-based netgroups.

--Ken