[OpenAFS] How to replace pam_krb5 on RHEL 8 systems

Dave Botsch botsch@cnf.cornell.edu
Mon, 11 Jul 2022 09:53:19 -0400

In our case, we use multiple kerberos domains to authenticate users. 

So in pam.d/password-auth...

auth        sufficient                                   pam_sss.so

then lets sssd take care of figuring out via an ldap lookup, which
kerberos domain to authenticate the user against.

(of course, authenticating with kerberos tickets instead of passwords is
a tad more complicated with sshd doing stuff, too).

nsswitch is also involved for lines like:

account     sufficient pam_succeed_if.so user ingroup users

(where the group users is populated by sssd via ldap lookup into AD)


On Mon, Jul 11, 2022 at 09:43:48AM -0400, Ken Hornstein wrote:
> >I wanted to mention that we are successfully doing ssh and gnome-shell
> >logins with pam_sssd where sssd takes care of authN via kerberos and via
> >ldap provides group information, and pam_afs_session to get afs tokens.
> I guess _this_ is the part I'm confused about; why is pam_sss in there?
> I know that other people do this so I'm sure there's a reason, but we
> never found it necessary.  We do use sssd, but only via nsswitch;
> we control per-host access with ldap-based netgroups.
> --Ken

David William Botsch
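As an added example (not from the thread or from anyone posting in it), a small POSIX shell audit of a pam.d stack file for the layout described above: no active pam_krb5.so line left over, pam_sss.so on an auth line, and pam_afs_session.so on a session line. The sample stack files are constructed for illustration; only grep's -E/-v/-q options are assumed.

```shell
# Added example: audit a PAM stack file for a pam_krb5 -> pam_sss + pam_afs_session
# migration. Sample stacks below are constructed; real files live under /etc/pam.d.
# Active (non-comment, non-blank) lines; the module type is field 1.
pam_active_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}
# 0 if pam_krb5.so is still referenced on an active line (migration incomplete).
pam_has_krb5() {
    pam_active_lines "$1" | grep -q 'pam_krb5\.so'
}
# 0 if an auth line hands authentication to pam_sss.so.
pam_has_sss_auth() {
    pam_active_lines "$1" | grep -Eq '^auth[[:space:]].*pam_sss\.so'
}
# 0 if a session line runs pam_afs_session.so to obtain AFS tokens.
pam_has_afs_session() {
    pam_active_lines "$1" | grep -Eq '^session[[:space:]].*pam_afs_session\.so'
}
# Print findings; return the number of problems (0 = stack looks migrated).
pam_audit() {
    problems=0
    if pam_has_krb5 "$1"; then
        echo "$1: pam_krb5.so still referenced"; problems=$((problems + 1))
    fi
    if ! pam_has_sss_auth "$1"; then
        echo "$1: no active 'auth ... pam_sss.so' line"; problems=$((problems + 1))
    fi
    if ! pam_has_afs_session "$1"; then
        echo "$1: no active 'session ... pam_afs_session.so' line"; problems=$((problems + 1))
    fi
    return $problems
}
# Constructed samples: a migrated stack and one with a pam_krb5 leftover
# (its pam_sss line is commented out, so it does not count as active).
SAMPLE_OK=$(mktemp); SAMPLE_OLD=$(mktemp)
cat >"$SAMPLE_OK" <<'EOF'
auth        sufficient    pam_sss.so
account     sufficient    pam_succeed_if.so user ingroup users
session     optional      pam_afs_session.so
EOF
cat >"$SAMPLE_OLD" <<'EOF'
auth        sufficient    pam_krb5.so
# auth      sufficient    pam_sss.so
session     optional      pam_afs_session.so
EOF
pam_audit "$SAMPLE_OK" && echo "$SAMPLE_OK: no problems"
pam_audit "$SAMPLE_OLD" || echo "$SAMPLE_OLD: $? problem(s)"
```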