[OpenAFS] pam_afs_session and winbind

Ben Howell howellbp@gmail.com
Thu, 30 Aug 2012 18:36:47 -0500

We're moving from OpenLDAP to ActiveDirectory (let's not get into the 
ethics here...), so we need all of our non-Windows servers to 
authenticate against decentralized domain controllers. I've successfully 
implemented winbind as an authentication mechanism, but lost the 
"niceness" of having a Kerberos ticket and AFS token ready to go on login.

My search-engine-fu is admittedly weak. Every search string I tried came 
up with dozens of entries (most of them archives of the same handful of 
mailing lists) talking about Winbind and Kerberos or Kerberos and PAG, 
but apparently nobody uses winbind with OpenAFS.

Is it possible to reproduce the combination of pam_krb5 and 
pam_afs_session to create a PAG and generate a ticket and AFS token on 
login using winbind's KRB5 mechanism? I think at this point the only 
thing I haven't done is write my own module from scratch; I've tried 
every pam stack combination I can think of, and the ones that work don't 
generate a ticket or token. Is this just a pipe dream, or is it actually 
possible, and I'm looking in the wrong place?

  - Ben