[OpenAFS] How to replace pam_krb5 on RHEL 8 systems

Dave Botsch botsch@cnf.cornell.edu
Mon, 11 Jul 2022 11:40:12 -0400


We went back to using FILE-based caches for use along with PAGs.
Something didn't work right with keyring caches, and I don't recall
what.

I believe our general path was, keyring didn't work, ok, go to
file-based. Now get sssd and pam_afs_session working properly and work around
the krb5-1.18 breakage. Did we ever go back to trying keyring again? Not
sure.

Of course, on several systems, we have eliminated the use of PAGs due to
the aforementioned problems with systemd-login and gnome-shell stuff not
working properly with PAGs. So on those, could probably switch back to
keyring credentials.

thanks.


On Mon, Jul 11, 2022 at 11:05:33AM -0400, Ken Hornstein wrote:
> >I think all we had to do, actually, was set appropriate options for
> >GSSAPI in sshd_config ... and make sure it was still using PAM for the
> >account and session pieces.
> 
> Right, but do you use both keyring credential caches and PAGs?  Those two
> were what made things difficult for us.  In my experience if the keyring
> credential cache is owned by root then you can't add new credentials to
> it as a vanilla user (and vice versa).
> 
> --Ken

-- 
********************************
David William Botsch
Programmer/Analyst
@CornellCNF
botsch@cnf.cornell.edu
********************************