[OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Berthold Cogel
cogel@uni-koeln.de
Fri, 8 Jul 2022 11:24:59 +0200
On 07.07.22 at 19:04, Dirk Heinrichs wrote:
> Benjamin Kaduk:
>
>> Are you aware of pam_afs_session
>> (https://github.com/rra/pam-afs-session)? Without knowing more about
>> what you're using pam_krb5 for it's hard to make specific suggestions
>> about what alternatives might exist.
>
> BTW: pam_krb5 != pam_krb5. There are two different modules with the same
> name out there. The one shipped with Red Hat family distributions comes
> with integrated AFS support, while the one shipped with Debian family
> distributions doesn't. That's the reason why Debian also ships
> pam_afs_session and RH does not.
>
> Bye...
>
> Dirk
>
We're using the pam_krb5 shipped with Red Hat.
I've rebuilt the module from the RHEL 7 source rpm on RHEL 8. And it
seems to work.... for some value of working....
Supported enctypes in our kdc:
aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal des:afs3
We 'rekeyed' our AFS environment with aes256-cts-hmac-sha1-96:normal to
get connections from newer Ubuntu/Debian and Fedora 35 working.
We get a krb5 ticket and a login, but getting the AFS token gives errors:
"error obtaining credentials for 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE'
(enctype=1) on behalf of ....: No credentials found with supported
encryption types"
Same for two other enctypes.
So something else changed in RHEL 8, which we haven't found yet.
Regards
Berthold