[OpenAFS] pam_afs_session and winbind

Ben Howell howellbp@gmail.com
Thu, 30 Aug 2012 18:54:32 -0500

While this is true, people who get paid a lot more than I do decided we 
shouldn't be pointing authentication to individual machines and instead 
use domain lookups, which winbind does nicely. I was able to replicate 
the old functionality by pointing the pam stack directly to 
dc01.domain.com, but that defeats the purpose of having a decentralized 
authentication system. OpenLDAP was decentralized, but we were using a 
load balancer that allowed one address to point to multiple machines 
(ldap.domain and kerberos.domain); apparently this isn't possible with 
Active Directory; we can't have just one IP and host name for all of our 
domain controllers.

kinit and aklog still work as they're supposed to, as does pagsh, after 
the user is logged in. I'm also able to make GSSAPI play nice, in that 
any user who already has kerberos tickets will transfer those tickets 
AND get an AFS token on whatever server they log into.

- Ben

On 8/30/12 6:41 PM, Russ Allbery wrote:
> Ben Howell <howellbp@gmail.com> writes:
>> Is it possible to reproduce the combination of pam_krb5 and
>> pam_afs_session to create a PAG and generate a ticket and AFS token on
>> login using winbind's KRB5 mechanism? I think at this point the only
>> thing I haven't done is write my own module from scratch; I've tried
>> every pam stack combination I can think of, and the ones that work don't
>> generate a ticket or token. Is this just a pipe dream, or is it actually
>> possible, and I'm looking in the wrong place?
> I don't know a lot about Winbind, so this may be a naive question, but why
> are you using it for authentication instead of just continuing to use
> pam_krb5?  Active Directory is a perfectly capable Kerberos KDC that
> responds to the same protocol as any other Kerberos KDC.
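For readers unfamiliar with the "pam_krb5 plus pam_afs_session" combination the question refers to, here is what that stack typically looks like on a Linux client. This is an added illustration, not configuration posted by anyone in the thread: the path names, UID threshold and option values are assumptions, and the commented-out pam_winbind line shows where winbind's Kerberos support would replace pam_krb5, which the thread does not confirm as working with pam_afs_session.

```conf
# /etc/pam.d/common-auth  (Debian-style includes; Red Hat puts the same
# lines in system-auth). Paths and minimum_uid=1000 are assumptions.
auth     sufficient   pam_krb5.so minimum_uid=1000
auth     required     pam_unix.so try_first_pass
# Alternative under discussion in the thread (not verified there): let
# winbind obtain the Kerberos ticket from Active Directory instead of
# pam_krb5. krb5_ccache_type=FILE makes it export KRB5CCNAME to the PAM
# environment, which pam_afs_session relies on to find the credentials.
#auth    sufficient   pam_winbind.so krb5_auth krb5_ccache_type=FILE

# /etc/pam.d/common-session
# pam_krb5's session part moves the ticket cache from the temporary
# auth-time location to the user's permanent cache and sets KRB5CCNAME.
session  optional     pam_krb5.so minimum_uid=1000
# pam_afs_session creates a PAG and runs aklog to turn the ticket into an
# AFS token. It must be listed AFTER the module that set KRB5CCNAME.
session  optional     pam_afs_session.so minimum_uid=1000 program=/usr/bin/aklog
```

The ordering is the part that matters: pam_afs_session does no Kerberos work of its own, it only calls the configured aklog inside a fresh PAG using whatever ticket cache KRB5CCNAME names, so whichever module acquires the ticket has to have exported that variable before the session line runs. A useful check after login is `tokens` alongside `klist`: a ticket without a token points at the session ordering or a missing KRB5CCNAME, while no ticket at all points at the auth stack.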