[OpenAFS] How to replace pam_krb5 on RHEL 8 systems

Berthold Cogel cogel@uni-koeln.de
Fri, 8 Jul 2022 11:24:59 +0200

Am 07.07.22 um 19:04 schrieb Dirk Heinrichs:
> Benjamin Kaduk:
>> Are you aware of pam_afs_session
>> (https://github.com/rra/pam-afs-session)? Without knowing more about
>> what you're using pam_krb5 for it's hard to make specific suggestions
>> about what alternatives might exist.
> BTW: pam_krb5 != pam_krb5. There are two different modules with the same
> name out there. The one shipped with RedHat family distributions comes
> with integrated AFS support, while the one shipped with Debian family
> distributions doesn't. That's the reason why Debian also ships
> pam_afs_session and RH does not.
> Bye...
>      Dirk

We're using the pam_krb5 shipped with Red Hat.

I've rebuild the module from the RHEL 7 source rpm on RHEL 8. And it 
seems to work.... for some value of working....

Supported enctypes in our kdc:
aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal des:afs3

We 'rekeyed' our AFS environment with aes256-cts-hmac-sha1-96:normal to 
get connections from newer Ubuntu/Debian and Fedora 35 working.

We get a krb5 ticket and a login, but getting the AFS token gives errors:

"error obtaining credentials for 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' 
(enctype=1) on behalf of ....: No credentials found with supported 
encryption types"

Same for two other enctypes.

So something else changed in RHEL 8, which we haven't found yet.