[OpenAFS] How to replace pam_krb5 on RHEL 8 systems

Ken Hornstein kenh@cmf.nrl.navy.mil
Sat, 09 Jul 2022 10:06:06 -0400

>Only if you let sssd touch Kerberos. There are any number of reasons not 
>to let it do so (no clue if the KRB5 and LDAP problems are fixed in 
>later versions, but the EL8 code was written by crazed weasels on 
>crack). But I'd use Russ' pam_krb5 instead of one from EL7 
>(https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html), which 
>would probably require you use pam_afs_session as suggested (unless I'm 
>missing something in the docs, which is very possible).

I guess this explains why when everyone talks about the Kerberos issues
they have on RHEL systems, I'm like ¯\_(ツ)_/¯, because we don't let sssd
anywhere near Kerberos and it sounds like that's a bad idea (at least
for the things we want to do).