[OpenAFS] How to replace pam_krb5 on RHEL 8 systems

[Benjamin Kaduk]

On Wed, Jun 29, 2022 at 04:02:17PM +0200, Berthold Cogel wrote:
> Hello,
> 
> we're trying to prepare our environment for the migration to RHEL 8.
> 
> At the moment, with RHEL 7 we still have our user homes in AFS and use 
> pam_krb5 to get a token at login. In the long term we will migrate our 
> homes to NFS4 (by administrative order...), but at the moment we're not 
> ready to walk this way.
> 
> The problem is, that Red Hat is forcing the usage of sssd and has 
> deprecated pam_krb5. But sssd doesn't support the AFS features of 
> pam_krb5. And for some reasons related to past experience we're not very 
> fond of using sssd and we're looking for alternatives. But on the other 
> hand, we don't have the resources to provide our own pam_krb5 package.
> 
> So any enlightenment on how to handle this problem will be appreciated.

Are you aware of pam_afs_session (https://github.com/rra/pam-afs-session)?
Without knowing more about what you're using pam_krb5 for it's hard to make
specific suggestions about what alternatives might exist.

-Ben