While this is true, people who get paid a lot more than I do decided we
shouldn't be pointing authentication to individual machines and instead
use domain lookups, which winbind does nicely. I was able to replicate
the old functionality by pointing the pam stack directly to
dc01.domain.com, but that defeats the purpose of having a decentralized
authentication system. OpenLDAP was decentralized, but we were using a
load balancer that allowed one address to point to multiple machines
(ldap.domain and kerberos.domain); apparently this isn't possible with
Active Directory: we can't have just one IP and host name for all of our
domain controllers.
kinit and aklog still work as they're supposed to, as does pagsh, after
the user is logged in. I'm also able to make GSSAPI play nice, in that
any user who already has kerberos tickets will transfer those tickets
AND get an AFS token on whatever server they log into.
- Ben
On 8/30/12 6:41 PM, Russ Allbery wrote:
Ben Howell <[email protected]> writes:
Is it possible to reproduce the combination of pam_krb5 and
pam_afs_session to create a PAG and generate a ticket and AFS token on
login using winbind's KRB5 mechanism? I think at this point the only
thing I haven't done is write my own module from scratch; I've tried
every pam stack combination I can think of, and the ones that work don't
generate a ticket or token. Is this just a pipe dream, or is it actually
possible, and I'm looking in the wrong place?
I don't know a lot about Winbind, so this may be a naive question, but why
are you using it for authentication instead of just continuing to use
pam_krb5? Active Directory is a perfectly capable Kerberos KDC that
responds to the same protocol as any other Kerberos KDC.
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
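The stack Russ's reply points at (pam_krb5 authenticating directly against the Active Directory KDC, pam_afs_session creating the PAG and running aklog), written out as an added example that is not from the thread or from either module's documentation. The realm name DOMAIN.COM, the service file, the UID floor and the aklog path are assumptions; DNS SRV lookup is used instead of naming one DC so that every domain controller is a candidate KDC.

```conf
# ---- /etc/krb5.conf (assumed realm name) ----
# AD publishes _kerberos._tcp.<domain> SRV records, so with dns_lookup_kdc the
# client discovers all DCs itself and no single address or load balancer is
# needed; this is the "decentralized" lookup winbind was providing.
[libdefaults]
    default_realm = DOMAIN.COM
    dns_lookup_kdc = true
    dns_lookup_realm = false
    forwardable = true

# ---- /etc/pam.d/sshd (assumed service; hypothetical layout) ----
# pam_krb5 obtains the TGT at login and leaves the ticket cache in the PAM
# environment; minimum_uid keeps system accounts off the KDC.
auth     sufficient  pam_krb5.so minimum_uid=1000 forwardable
auth     required    pam_unix.so try_first_pass
account  required    pam_unix.so
session  required    pam_unix.so
# pam_afs_session calls setpag() for the new session and runs aklog against
# the ticket cache pam_krb5 set, so the user has both a ticket and an AFS
# token without running kinit/aklog/pagsh by hand. "optional" keeps logins
# working if the AFS client is down.
session  optional    pam_afs_session.so minimum_uid=1000 program=/usr/bin/aklog
```

After logging in, `klist` should list the TGT for DOMAIN.COM and `tokens` should show the AFS token for the cell; if `tokens` is empty, adding `debug` to the pam_afs_session line reports whether setpag or aklog failed.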