[OpenAFS] How to replace pam_krb5 on RHEL 8 systems

Stephan Wonczak a0033@rrz.uni-koeln.de
Mon, 11 Jul 2022 15:55:18 +0200 (CEST)

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8BIT

   Hi all!
   Jeffrey pointed us in the right direction - and most useful, a reason 
why it failed for us. Kudos to Jeffrey, as always!
   Since we won't touch SSSD with a 10-yard-stick, we gave 
pam_afs_session.so a spin. And lo and behold: It really worked!

   We have the following in our password-auth:

auth        sufficient    pam_krb5.so forward_pass ignore_afs=true
auth        required	  pam_afs_session.so program=/usr/bin/aklog
auth        required	  pam_deny.so

session     optional	  pam_krb5.so ignore_afs=true
session     required	  pam_afs_session.so program=/usr/bin/aklog

   Still needs a bit more testing, but now AFS-Login is working and no sssd 
in sight ;-) Might be useful to others with a similar problem.

   Cheers from Cologne,

On Mon, 11 Jul 2022, Dave Botsch wrote:

> I wanted to mention that we are successfully doing ssh and gnome-shell
> logins with pam_sssd where sssd takes care of authN via kerberos and via
> ldap provides group information, and pam_afs_session to get afs tokens.
> Two difficulties... if using PAGSHs, not all processes run inside a
> pagsh, which can break gnome-shell stuff. So not using PAGsh is
> recommended.
> and with systemd_login, it and subprocesses don't necessarily quit on
> logout. Which means they are sitting there banging away against afs with
> no tokens (if you use afs homedirs). There is an option to force
> systemd_login to quit at logout, though this breaks the use of things
> like screen and tmux, iirc.
> I'm happy to provide our configs (we worked with RedHat support to get
> sssd working properly migrating from nslcd and pam_krb5 on rhel6).
> thanks
> On Sat, Jul 09, 2022 at 10:06:06AM -0400, Ken Hornstein wrote:
>>> Only if you let sssd touch Kerberos. There are any number of reasons not
>>> to let it do so (no clue if the KRB5 and LDAP problems are fixed in
>>> later versions, but the EL8 code was written by crazed weasels on
>>> crack). But I'd use Russ' pam_krb5 instead of one from EL7
>>> (https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html), which
>>> would probably require you use pam_afs_session as suggested (unless I'm
>>> missing something in the docs, which is very possible).
>> I guess this explains why when everyone talks about the Kerberos issues
>> they have on RHEL systems, I'm like ¯\_(ツ)_/¯, because we don't let sssd
>> anywhere near Kerberos and it sounds like that's a bad idea (at least
>> for the things we want to do).
>> --Ken
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
> -- 
> ********************************
> David William Botsch
> Programmer/Analyst
> @CornellCNF
> botsch@cnf.cornell.edu
> ********************************
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

 	Dipl. Chem. Dr. Stephan Wonczak

         Regionales Rechenzentrum der Universitaet zu Koeln (RRZK)
         Universitaet zu Koeln, Weyertal 121, 50931 Koeln
         Tel: +49/(0)221/470-89583, Fax: +49/(0)221/470-89625