[OpenAFS] pam_afs_session and winbind
Thu, 30 Aug 2012 18:36:47 -0500

We're moving from OpenLDAP to Active Directory (let's not get into the
ethics here...), so we need all of our non-Windows servers to
authenticate against decentralized domain controllers. I've successfully
implemented winbind as an authentication mechanism, but lost the
"niceness" of having a Kerberos ticket and AFS token ready to go on login.

My search-engine-fu is admittedly weak. Every search string I tried came
up with dozens of entries (most of them archives of the same handful of
mailing lists) talking about Winbind and Kerberos or Kerberos and PAG,
but apparently nobody uses winbind with OpenAFS.

Is it possible to reproduce the combination of pam_krb5 and
pam_afs_session to create a PAG and generate a ticket and AFS token on
login using winbind's KRB5 mechanism? I think at this point the only
thing I haven't done is write my own module from scratch; I've tried
every PAM stack combination I can think of, and the ones that work don't
generate a ticket or token. Is this just a pipe dream, or is it actually
possible, and I'm looking in the wrong place?