I wanted to mention that we are successfully doing ssh and gnome-shell logins with pam_sssd where sssd takes care of authN via kerberos and via ldap provides group information, and pam_afs_session to get afs tokens.
Two difficulties... if using PAGSHs, not all processes run inside a pagsh, which can break gnome-shell stuff. So not using PAGsh is recommended. and with systemd_login, it and subprocesses don't necessarily quit on logout. Which means they are sitting there banging away against afs with no tokens (if you use afs homedirs). There is an option to force systemd_login to quit at logout, though this breaks the use of things like screen and tmux, iirc.

I'm happy to provide our configs (we worked with RedHat support to get sssd working properly migrating from nslcd and pam_krb5 on rhel6).

thanks

On Sat, Jul 09, 2022 at 10:06:06AM -0400, Ken Hornstein wrote:
> >Only if you let sssd touch Kerberos. There are any number of reasons not
> >to let it do so (no clue if the KRB5 and LDAP problems are fixed in
> >later versions, but the EL8 code was written by crazed weasels on
> >crack). But I'd use Russ' pam_krb5 instead of one from EL7
> >(https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html), which
> >would probably require you use pam_afs_session as suggested (unless I'm
> >missing something in the docs, which is very possible).
>
> I guess this explains why when everyone talks about the Kerberos issues
> they have on RHEL systems, I'm like ¯\_(ツ)_/¯, because we don't let sssd
> anywhere near Kerberos and it sounds like that's a bad idea (at least
> for the things we want to do).
>
> --Ken
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

--
********************************
David William Botsch
Programmer/Analyst @CornellCNF
bot...@cnf.cornell.edu
********************************
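A PAM stack and logind setting of the kind the post describes, as an added illustration (not the poster's configs, which are not on the page); file layout, module options and the 1000 UID floor are assumptions drawn from the pam-afs-session and systemd-logind documentation, not from the post:

```ini
# /etc/pam.d/system-auth (fragment; assumed layout, not the poster's file)
# Kerberos authentication is delegated to sssd; group data comes from
# sssd's LDAP provider, so no pam_krb5 or nslcd entries remain here.
auth        required      pam_env.so
auth        sufficient    pam_sss.so
auth        required      pam_deny.so

account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

# Session: open the sssd session first so KRB5CCNAME is in the PAM
# environment, then let pam_afs_session run aklog against that cache.
# "nopag" skips creating a new PAG, matching the post's advice that PAGs
# break GNOME Shell sessions where not every process lands in the pagsh.
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_sss.so
session     optional      pam_afs_session.so nopag minimum_uid=1000

# /etc/systemd/logind.conf (assumed; apply with: systemctl restart systemd-logind)
# Killing the user's session scope at logout stops leftover processes from
# hammering an AFS home directory with no tokens, at the cost that detached
# screen and tmux sessions are killed too. Leave it at "no" where those matter.
[Login]
KillUserProcesses=yes
```

With `KillUserProcesses=no`, a process left in the session scope after logout keeps running with an expired or absent token, which is the "banging away against afs" symptom the post describes.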