On 7/7/2022 1:04 PM, Dirk Heinrichs ([email protected]) wrote:
Benjamin Kaduk:
Are you aware of pam_afs_session (https://github.com/rra/pam-afs-session)? Without knowing more about what you're using pam_krb5 for it's hard to make specific suggestions about what alternatives might exist.

BTW: pam_krb5 != pam_krb5. There are two different modules with the same name out there. The one shipped with RedHat family distributions comes with integrated AFS support, while the one shipped with Debian family distributions doesn't. That's the reason why Debian also ships pam_afs_session and RH does not.

Bye...
Dirk

Red Hat's pam_krb5 is neither shipped nor supported for RHEL8 (or later). The replacement is sssd, which supports Kerberos ticket acquisition but not AFS token acquisition. The recommendation for acquiring AFS tokens on sssd-enabled systems is to use pam_afs_session.
https://github.com/SSSD/sssd/issues/1505 "Support/Cache OpenAFS Authentication"
Use of the RHEL7 pam_krb5 on a sssd-enabled system will do the wrong thing since it's going to step on the toes of sssd's Kerberos ticket processing.
pam-afs-session is the correct tool to use on RHEL8 and later. The pam-afs-session bundled with AuriStorFS clients is known to acquire tokens in conjunction with sssd. The primary differences between AuriStorFS pam_afs_session and Russ' are code quality improvements and use of external aklog and unlog instead of built-ins.
Jeffrey Altman
