[OpenAFS] How to replace pam_krb5 on RHEL 8 systems

Dave Botsch botsch@cnf.cornell.edu
Mon, 11 Jul 2022 11:40:12 -0400

We went back to using FILE based caches for use along with PAGs.
Something didn't work right with keyring caches, and I don't recall

I believe our general path was, keyring didn't work, ok, go to file
based. Now get sssd and pam_afs_session working properly and work around
the krb5-1.18 breakage. Did we ever go back to trying keyring again? Not

Of course, on several systems, we have eliminated the use of PAGs due to
the aforementioned problems with systemd-login and gnome-shell stuff not
working properly with PAGs. So on those, could probably switch back to
keyring credentials.


On Mon, Jul 11, 2022 at 11:05:33AM -0400, Ken Hornstein wrote:
> >I think all we had to do, actually, was set appropriate options for
> >GSSAPI in sshd_config ... and make sure it was still using PAM for the
> >account and session pieces.
> Right, but do you use both keyring credential caches and PAGs?  Those two
> were what made things difficult for us.  In my experience if the keyring
> credential cache is owned by root then you can't add new credentials to
> it as a vanilla user (and vice versa).
> --Ken

David William Botsch