Hi all!
Jeffrey pointed us in the right direction - and most useful, a reason why it failed for us. Kudos to Jeffrey, as always! Since we won't touch SSSD with a 10-yard-stick, we gave pam_afs_session.so a spin. And lo and behold: It really worked!

  We have the following in our password-auth:

(...)
auth        sufficient    pam_krb5.so forward_pass ignore_afs=true
auth        required      pam_afs_session.so program=/usr/bin/aklog
auth        required      pam_deny.so

(...)
session     optional      pam_krb5.so ignore_afs=true
session     required      pam_afs_session.so program=/usr/bin/aklog

Still needs a bit more testing, but now AFS-Login is working and no sssd in sight ;-) Might be useful to others with a similar problem.

  Cheers from Cologne,
  Stephan

On Mon, 11 Jul 2022, Dave Botsch wrote:

I wanted to mention that we are successfully doing ssh and gnome-shell
logins with pam_sssd where sssd takes care of authN via kerberos and via
ldap provides group information, and pam_afs_session to get afs tokens.

Two difficulties... if using PAGSHs, not all processes run inside a
pagsh, which can break gnome-shell stuff. So not using PAGsh is
recommended.

And with systemd_login, it and subprocesses don't necessarily quit on
logout. Which means they are sitting there banging away against afs with
no tokens (if you use afs homedirs). There is an option to force
systemd_login to quit at logout, though this breaks the use of things
like screen and tmux, iirc.

I'm happy to provide our configs (we worked with RedHat support to get
sssd working properly migrating from nslcd and pam_krb5 on rhel6).

thanks


On Sat, Jul 09, 2022 at 10:06:06AM -0400, Ken Hornstein wrote:
Only if you let sssd touch Kerberos. There are any number of reasons not
to let it do so (no clue if the KRB5 and LDAP problems are fixed in
later versions, but the EL8 code was written by crazed weasels on
crack). But I'd use Russ' pam_krb5 instead of one from EL7
(https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html), which
would probably require you use pam_afs_session as suggested (unless I'm
missing something in the docs, which is very possible).

I guess this explains why when everyone talks about the Kerberos issues
they have on RHEL systems, I'm like ¯\_(ツ)_/¯, because we don't let sssd
anywhere near Kerberos and it sounds like that's a bad idea (at least
for the things we want to do).

--Ken
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info

--
********************************
David William Botsch
Programmer/Analyst
@CornellCNF
bot...@cnf.cornell.edu
********************************


        Dipl. Chem. Dr. Stephan Wonczak

        Regionales Rechenzentrum der Universitaet zu Koeln (RRZK)
        Universitaet zu Koeln, Weyertal 121, 50931 Koeln
        Tel: +49/(0)221/470-89583, Fax: +49/(0)221/470-89625
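The password-auth fragment at the top of this message only works if pam_krb5 runs before pam_afs_session in both the auth and session phases (so a ticket cache exists when aklog is called) and pam_krb5 carries ignore_afs=true so it does not try to obtain tokens itself. The following linter checks exactly that ordering; it is an added example written for this thread, not something from the list or from either module, and the sample stack it ships with is a constructed copy of the fragment above.

```python
"""Lint a PAM stack for the pam_krb5 / pam_afs_session ordering.
Added example; SAMPLE is a constructed copy of the thread's fragment."""
import re
import sys

SAMPLE = """\
auth        sufficient    pam_krb5.so forward_pass ignore_afs=true
auth        required      pam_afs_session.so program=/usr/bin/aklog
auth        required      pam_deny.so
session     optional      pam_krb5.so ignore_afs=true
session     required      pam_afs_session.so program=/usr/bin/aklog
"""

# phase, control (single word or [bracketed list]), module, optional args
PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Yield (phase, control, module, args) for each non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = PAM_LINE.match(line) if line else None
        if not m:
            continue
        phase, control, module, rest = m.groups()
        yield phase.lstrip("-"), control, module, rest.split()


def check_afs_order(text):
    """Return a list of findings; an empty list means the stack looks right."""
    findings = []
    entries = list(parse_pam(text))
    for phase in ("auth", "session"):
        krb5_idx = afs_idx = None
        for idx, (p, _ctl, module, args) in enumerate(entries):
            if p != phase:
                continue
            if module == "pam_krb5.so" and krb5_idx is None:
                krb5_idx = idx
                if "ignore_afs=true" not in args:
                    findings.append(f"{phase}: pam_krb5.so lacks ignore_afs=true")
            elif module == "pam_afs_session.so" and afs_idx is None:
                afs_idx = idx
        if afs_idx is None:
            findings.append(f"{phase}: pam_afs_session.so missing")
        elif krb5_idx is None or krb5_idx > afs_idx:
            findings.append(f"{phase}: pam_afs_session.so runs before pam_krb5.so")
    return findings


if __name__ == "__main__":
    # Pass a file such as /etc/pam.d/password-auth, or run on the sample.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in check_afs_order(src):
        print("WARN", finding)
```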
