[OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Ken Hornstein
kenh@cmf.nrl.navy.mil
Sat, 09 Jul 2022 10:06:06 -0400

>Only if you let sssd touch Kerberos. There are any number of reasons not
>to let it do so (no clue if the KRB5 and LDAP problems are fixed in
>later versions, but the EL8 code was written by crazed weasels on
>crack). But I'd use Russ' pam_krb5 instead of one from EL7
>(https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html), which
>would probably require you use pam_afs_session as suggested (unless I'm
>missing something in the docs, which is very possible).

I guess this explains why when everyone talks about the Kerberos issues
they have on RHEL systems, I'm like ¯\_(ツ)_/¯, because we don't let sssd
anywhere near Kerberos and it sounds like that's a bad idea (at least
for the things we want to do).

--Ken