[OpenAFS] Re: Setup on RHEL8 or AlmaLinux8 sssd for openafs with ldap and kerberos (spacefrogg-openafs@spacefrogg.net)

Chad W Seys cwseys@physics.wisc.edu
Tue, 22 Oct 2024 16:38:22 +0000


Hi,
  I don't know about the ldap part, but we have gotten kerberos + AFS working in Alma8.

We're getting our AFS packages from CERN:
[uwhep-cern-afs]
name=CERN AFS packages
baseurl=http://mirror.hep.wisc.edu/stable/el/cern-afs/8.10/$basearch
enabled=1
gpgcheck=0
priority=71

We're installing pam_afs_session openafs, openafs-client, and dkms-openafs.  (We're compiling our own kernels.)

Next we create a custom authselect profile:
# authselect create-profile sssd-with-afstokens -b sssd --symlink-meta

Modify password-auth and system-auth in /etc/authselect/custom/sssd-with-afstokens
to include pam_afs_session. Add immediately after the session pam_sss.so line in both files.  You might
tinker with the options passed to pam_afs_session (always_aklog retain_after_close debug)

session     optional  pam_afs_session.so always_aklog retain_after_close debug

Apply the custom config to the 'live' pam config:
# authselect select custom/sssd-with-afstokens --force

AFAIK this survives (is reapplied) when PAM packages are updated.
C.
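
The profile edit described in the message above, scripted so it can be re-run safely. This is an added example, not part of the original message: the function names `add_afs_session` and `patch_profile` are hypothetical, and it assumes the anchor line in each file begins with `session` and names `pam_sss.so`.

```shell
#!/bin/sh
# Added example: insert the pam_afs_session line directly after the
# "session ... pam_sss.so" line of an authselect profile file, once only.

# The line quoted in the message (options are the ones the author lists).
AFS_LINE='session     optional  pam_afs_session.so always_aklog retain_after_close debug'

add_afs_session() {
    f=$1
    # Idempotent: a session entry for pam_afs_session already exists.
    if grep -Eq '^[ 	]*session[ 	].*pam_afs_session\.so' "$f"; then
        return 0
    fi
    # Refuse to guess a position when the anchor line is missing.
    if ! grep -Eq '^[ 	]*session[ 	].*pam_sss\.so' "$f"; then
        echo "no session pam_sss.so line in $f; not modified" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    # Print every line; after the first matching anchor, print AFS_LINE.
    awk -v line="$AFS_LINE" '
        { print }
        /^[ \t]*session[ \t].*pam_sss\.so/ && !seen { print line; seen = 1 }
    ' "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back in place so the file keeps its owner, mode and SELinux label.
    cat "$tmp" > "$f" && rm -f "$tmp"
}

patch_profile() {
    # Default is the custom profile directory named in the message.
    dir=${1:-/etc/authselect/custom/sssd-with-afstokens}
    for name in password-auth system-auth; do
        add_afs_session "$dir/$name" || return 1
    done
}

# Usage (as root), after "authselect create-profile ...":
#   patch_profile && authselect select custom/sssd-with-afstokens --force
```
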