[OpenAFS] How to replace pam_krb5 on RHEL 8 systems

Dave Botsch botsch@cnf.cornell.edu
Mon, 11 Jul 2022 09:35:17 -0400

I wanted to mention that we are successfully doing ssh and gnome-shell
logins with pam_sssd where sssd takes care of authN via kerberos and via
ldap provides group information, and pam_afs_session to get afs tokens.

Two difficulties... if using PAGSHs, not all processes run inside a
pagsh, which can break gnome-shell stuff. So not using PAGsh is

and with systemd_login, it and subprocesses don't necessarily quit on
logout. Which means they are sitting there banging away against afs with
no tokens (if you use afs homedirs). There is an option to force
systemd_login to quit at logout, though this breaks the use of things
like screen and tmux, iirc.

I'm happy to provide our configs (we worked with RedHat support to get
sssd working properly migrating from nslcd and pam_krb5 on rhel6).


On Sat, Jul 09, 2022 at 10:06:06AM -0400, Ken Hornstein wrote:
> >Only if you let sssd touch Kerberos. There are any number of reasons n=
> >to let it do so (no clue if the KRB5 and LDAP problems are fixed in=20
> >later versions, but the EL8 code was written by crazed weasels on=20
> >crack). But I'd use Russ' pam_krb5 instead of one from EL7=20
> >(https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html), which=20
> >would probably require you use pam_afs_session as suggested (unless I'=
> >missing something in the docs, which is very possible).
> I guess this explains why when everyone talks about the Kerberos issues
> they have on RHEL systems, I'm like =C2=AF\_(=E3=83=84)_/=C2=AF, becaus=
e we don't let sssd
> anywhere near Kerberos and it sounds like that's a bad idea (at least
> for the things we want to do).
> --Ken
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

David William Botsch