[OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Ken Hornstein
kenh@cmf.nrl.navy.mil
Mon, 11 Jul 2022 13:20:31 -0400
>We went back to using FILE based caches for use along with PAGs.
>Something didn't work right with keyring caches, and I don't recall
>what.
Ah-HA. I was wondering about that. I suspect you ran into the base
problem that my PAM stack solves, namely that _in_ the PAM stack you're
running as root and that creates a keyring cache owned by root which
doesn't work after you call setuid().
It's kind of a challenging corner case; you receive forwarded
credentials in a daemon running as root, but then you have to write
them out as the user. How do you do that at the right point in the
daemon process, especially when they assume after setuid() is called
they have all of the normal rights of a user? My solution was designed
so that after you exited the session stack you had all of the Kerberos
and AFS stuff set up properly. I'm open to other ideas! But recall
that for us keyrings are a hard requirement.
--Ken