====== Token AFS ======
Per permettere l'acquisizione di un token AFS da macchine che contengono ancora vecchi meccanismi di cifratura è necessario modificare la configurazione PAM
===== EL 7 (CentOS/RedHat/SL/OL/...) =====
Installare pam_afs_session (si trova in EPEL)
Configurare
* /etc/pam.d/password-auth e
* /etc/pam.d/system-auth
come segue
(...)
# Kerberos authentication; forward_pass stores the entered password as PAM_AUTHTOK
# so later modules in the stack can reuse it instead of prompting again.
# "sufficient": a success here ends the auth stack, so the next line is only
# reached when pam_krb5 fails.
auth sufficient pam_krb5.so forward_pass
# Listed in the auth group so that its setcred phase (PAG/token setup) is run;
# its authenticate phase is not expected to gate login on its own — verify
# against the pam_afs_session documentation.
auth required pam_afs_session.so
(...)
(...)
# Kerberos session handling; "optional" so a failure here does not block login.
session optional pam_krb5.so
# Creates the PAG and obtains the AFS token from the Kerberos ticket.
# "required": if the module fails (e.g. the AFS client is not running), the
# whole session stack fails and the login is refused.
session required pam_afs_session.so
(...)
Infine eseguire
authconfig --update
==== Modifica krb5.conf ====
aggiungere nella stanza [appdefaults] di /etc/krb5.conf la seguente definizione:
[appdefaults]
#
# Options read by pam_afs_session (the stanza name matches the module).
pam-afs-session = {
# presumably: no PAG/token for accounts with a UID below this, i.e. system
# accounts — confirm against the module docs
minimum_uid = 1000
debug = false
}
# Options read by pam_krb5.
pam = {
debug = false
# Lifetimes: numeric values are presumably seconds (3600000 s is roughly
# 41 days); the KDC's own maximum caps whatever is requested here — verify
ticket_lifetime = 3600000
renew_lifetime = 3600000
# request forwardable TGTs (needed if the ticket must be delegated to another host)
forwardable = true
# leave PAG/token handling to pam_afs_session instead of pam_krb5
ignore_afs=true
}
===== Rocky/Alma 8/9 =====
DA VERIFICARE FIXME
# dnf install epel-release
# dnf install https://www.auristor.com/downloads/auristor/linux/redhat/auristor-repo-recommended-8-1.noarch.rpm
# dnf install yfs-pam yfs-client krb5-workstation sssd
# authselect create-profile -b sssd sssd_afs
# diff -u /usr/share/authselect/default/sssd/password-auth /etc/authselect/custom/sssd_afs/password-auth
--- /usr/share/authselect/default/sssd/password-auth 2023-04-21 18:17:52.000000000 +0200
+++ /etc/authselect/custom/sssd_afs/password-auth 2023-10-05 17:36:10.912352032 +0200
@@ -8,6 +8,7 @@
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+auth optional pam_afs_session.so debug
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
auth optional pam_gnome_keyring.so auto_start {include if "with-pam-gnome-keyring"}
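Review bot: The added `auth optional pam_afs_session.so debug` line keeps the `debug` option, which (per the module's documentation) makes pam_afs_session write verbose trace information to syslog on every login; it is a troubleshooting aid rather than a production setting, so once the profile is confirmed working the line should read `auth optional pam_afs_session.so`. The same `debug` option is carried by the session hunk of this file and by both system-auth hunks, so drop it in all four places together. Placing the module before `pam_sss.so forward_pass` is consistent with `optional`: on the auth side the entry only exists so that its setcred phase is invoked after authentication. The auth stack continues outside the hunk.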
@@ -35,4 +36,5 @@
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
+session required pam_afs_session.so debug
session optional pam_gnome_keyring.so auto_start {include if "with-pam-gnome-keyring"}
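Review bot: `session required pam_afs_session.so debug` means that a failure of the module (for example when the AFS client is not running on the host) fails the session stack and the login is refused, including for accounts that never needed a token; whether the module also fails when no Kerberos ticket is available for a purely local account is not visible here and should be checked. That is a legitimate availability trade-off, but it deserves a comment above the line in the custom profile, e.g. `# required: refuse login when AFS token setup fails; use "optional" if local/non-AFS logins must keep working`. The same applies to the session hunk of system-auth. The session stack continues outside the hunk.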
# diff -u /usr/share/authselect/default/sssd/system-auth /etc/authselect/custom/sssd_afs/system-auth
--- /usr/share/authselect/default/sssd/system-auth 2023-04-21 18:17:52.000000000 +0200
+++ /etc/authselect/custom/sssd_afs/system-auth 2023-10-05 17:36:11.367356849 +0200
@@ -15,6 +15,7 @@
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular {include if "with-gssapi"}
auth sufficient pam_sss_gss.so {include if "with-gssapi"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+auth optional pam_afs_session.so debug
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
@@ -42,4 +43,5 @@
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
+session required pam_afs_session.so debug
session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
# authselect select custom/sssd_afs
# authselect apply-changes
# cat /etc/yfs/yfs-client.conf.d/infn.conf
[defaults]
# AFS cell this client belongs to (the yfs-client default cell setting —
# confirm the exact semantics against the yfs-client.conf man page)
thiscell = infn.it