On 7/8/2022 6:57 AM, Jeffrey E Altman wrote:
Use of the RHEL7 pam_krb5 on a sssd enabled system will do the wrong
thing since its going to step on the toes of sssd's Kerberos ticket
processing.
Only if you let sssd touch Kerberos. There are any number of reasons not
to let it do so (no
Jeffrey E Altman:
> Red Hat's pam_krb5 is not shipped nor supported for RHEL8 (or later).
Ah, OK. As a non-RH user, I wasn't aware they threw it out. Thanks for
clarifying.
> The replacement is sssd which supports Kerberos ticket acquisition but
> not AFS token acquisition. The recommendation
Stephan Wonczak:
> Any advice would be greatly appreciated!
As Benjamin wrote: Try pam_afs_session. Should be added to the "auth"
and "session" blocks of your PAM setup.
https://packages.debian.org/bullseye/libpam-afs-session
https://www.eyrie.org/~eagle/software/pam-afs-session
HTH...
Sounds like the version of pam_krb5 you are attempting to build does not
include support for rxkad-kdf.
https://lists.openafs.org/pipermail/afs3-standardization/2013-July/002738.html
The version of pam_krb5 that supports rxkad-kdf contains a
minikafs_kd_derive() function at minikafs.c line
On 7/7/2022 1:04 PM, Dirk Heinrichs (dirk.heinri...@altum.de) wrote:
Benjamin Kaduk:
Are you aware of pam_afs_session
(https://github.com/rra/pam-afs-session)? Without knowing more about
what you're using pam_krb5 for it's hard to make specific suggestions
about what alternatives might exist.
Hi everyone!
(Berthold's colleague here)
We dug a little deeper and found the part in the pam_krb5-sources where
it fails. It is in the file "minikafs.c" starting in line 775. It looks
like the call to krb5_get_credentials() gets a non-zero return value, thus
making it bail out.
The
Am 08.07.22 um 11:24 schrieb Berthold Cogel:
We're using the pam_krb5 shipped with Red Hat.
I've rebuild the module from the RHEL 7 source rpm on RHEL 8. And it
seems to work for some value of working
Supported enctypes in our kdc:
aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal
Am 07.07.22 um 19:04 schrieb Dirk Heinrichs:
Benjamin Kaduk:
Are you aware of pam_afs_session
(https://github.com/rra/pam-afs-session)? Without knowing more about
what you're using pam_krb5 for it's hard to make specific suggestions
about what alternatives might exist.
BTW: pam_krb5 !=