[OpenAFS] How to replace pam_krb5 on RHEL 8 systems

Dave Botsch botsch@cnf.cornell.edu
Mon, 11 Jul 2022 09:53:19 -0400


In our case, we use multiple kerberos domains to authenticate users. 

So in pam.d/password-auth...

auth        sufficient                                   pam_sss.so forward_pass


then lets sssd take care of figuring out via an ldap lookup, which
kerberos domain to authenticate the user against.

(of course, authenticating with kerberos tickets instead of passwords is
a tad more complicated with sshd doing stuff, too).

nsswitch is also involved for lines like:

account     sufficient pam_succeed_if.so user ingroup users

(where the group users is populated by sssd via ldap lookup into AD)

Thanks.

On Mon, Jul 11, 2022 at 09:43:48AM -0400, Ken Hornstein wrote:
> >I wanted to mention that we are successfully doing ssh and gnome-shell
> >logins with pam_sssd where sssd takes care of authN via kerberos and via
> >ldap provides group information, and pam_afs_session to get afs tokens.
> 
> I guess _this_ is the part I'm confused about; why is pam_sss in there?
> I know that other people do this so I'm sure there's a reason, but we
> never found it necessary.  We do use sssd, but only via nsswitch;
> we control per-host access with ldap-based netgroups.
> 
> --Ken

-- 
********************************
David William Botsch
Programmer/Analyst
@CornellCNF
botsch@cnf.cornell.edu
********************************
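An added sanity check for a password-auth fragment of the shape described in this thread; it is not code from the thread or from any of the projects named in it. The sample stack below is constructed, and the rule that the auth stack must end in pam_deny.so is an assumption taken from the usual RHEL layout.

```python
"""Lint a pam.d fragment for the pam_sss forward_pass / pam_succeed_if pattern."""
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on the lines quoted in the thread, not a real host's file.
SAMPLE_PASSWORD_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
account     sufficient    pam_succeed_if.so user ingroup users
account     required      pam_permit.so
"""

@dataclass
class PamEntry:
    mtype: str      # auth / account / password / session
    control: str    # sufficient, required, [..] etc.
    module: str     # pam_sss.so, ...
    args: List[str]

def parse_pam(text: str) -> List[PamEntry]:
    """Parse a pam.d file; joins backslash-continued lines and drops comments."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.split("#", 1)[0].strip()
        if line.endswith("\\"):           # PAM continuation line
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {line!r}")
        entries.append(PamEntry(fields[0], fields[1], fields[2], fields[3:]))
    return entries

def check_stack(entries: List[PamEntry]) -> List[str]:
    """Return findings; an empty list means the stack matches the thread's pattern."""
    findings = []
    auth = [e for e in entries if e.mtype == "auth"]
    sss = [e for e in auth if e.module == "pam_sss.so"]
    if not sss:
        findings.append("auth: pam_sss.so missing")
    elif "forward_pass" not in sss[0].args:
        findings.append("auth: pam_sss.so lacks forward_pass, password not passed down the stack")
    if not auth or auth[-1].module != "pam_deny.so":   # assumed convention
        findings.append("auth: stack does not end with pam_deny.so")
    account = [e for e in entries if e.mtype == "account"]
    if not any(e.module == "pam_succeed_if.so" and "ingroup" in e.args for e in account):
        findings.append("account: no pam_succeed_if.so ingroup gate")
    return findings
```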