We went back to using FILE based caches for use along with PAGs. Something didn't work right with keyring caches, and I don't recall what.
I believe our general path was, keyring didn't work, ok, go to file based. Now get sssd and pam_afs_session working properly and work around the krb5-1.18 breakage. Did we ever go back to trying keyring again? Not sure.

Of course, on several systems, we have eliminated the use of PAGs due to the aforementioned problems with systemd-login and gnome-shell stuff not working properly with PAGs. So on those, could probably switch back to keyring credentials.

thanks.

On Mon, Jul 11, 2022 at 11:05:33AM -0400, Ken Hornstein wrote:
> >I think all we had to do, actually, was set appropriate options for
> >GSSAPI in sshd_config ... and make sure it was still using PAM for the
> >account and session pieces.
>
> Right, but do you use both keyring credential caches and PAGs? Those two
> were what made things difficult for us. In my experience if the keyring
> credential cache is owned by root then you can't add new credentials to
> it as a vanilla user (and vice versa).
>
> --Ken

--
********************************
David William Botsch
Programmer/Analyst
@CornellCNF
bot...@cnf.cornell.edu
********************************
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info