AFS Token
To allow an AFS token to be acquired from machines that still carry the old encryption mechanisms, the PAM configuration must be modified.
EL 7 (CentOS/RedHat/SL/OL/...)
Install pam_afs_session (available in EPEL)
Configure
- /etc/pam.d/password-auth and
- /etc/pam.d/system-auth
as follows
(...)
auth     sufficient pam_krb5.so forward_pass
auth     required   pam_afs_session.so
(...)
(...)
session  optional   pam_krb5.so
session  required   pam_afs_session.so
(...)
Finally run
authconfig --update
Modifying krb5.conf
Add the following definition to the [appdefaults] stanza of /etc/krb5.conf:
[appdefaults]
# pam-afs-session = {
#   minimum_uid = 1000
#   debug = false
# }
pam = {
  debug = false
  ticket_lifetime = 3600000
  renew_lifetime = 3600000
  forwardable = true
  ignore_afs=true
}
Rocky/Alma 8/9
TO BE VERIFIED
# dnf install epel-release
# dnf install https://www.auristor.com/downloads/auristor/linux/redhat/auristor-repo-recommended-8-1.noarch.rpm
# dnf install yfs-pam yfs-client krb5-workstation sssd
# authselect create-profile -b sssd sssd_afs
# diff -u /usr/share/authselect/default/sssd/password-auth /etc/authselect/custom/sssd_afs/password-auth --- /usr/share/authselect/default/sssd/password-auth 2023-04-21 18:17:52.000000000 +0200 +++ /etc/authselect/custom/sssd_afs/password-auth 2023-10-05 17:36:10.912352032 +0200 @@ -8,6 +8,7 @@ auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so {if not "without-nullok":nullok} auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular +auth optional pam_afs_session.so debug auth sufficient pam_sss.so forward_pass auth required pam_faillock.so authfail {include if "with-faillock"} auth optional pam_gnome_keyring.so auto_start {include if "with-pam-gnome-keyring"} @@ -35,4 +36,5 @@ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so +session required pam_afs_session.so debug session optional pam_gnome_keyring.so auto_start {include if "with-pam-gnome-keyring"}
# diff -u /usr/share/authselect/default/sssd/system-auth /etc/authselect/custom/sssd_afs/system-auth --- /usr/share/authselect/default/sssd/system-auth 2023-04-21 18:17:52.000000000 +0200 +++ /etc/authselect/custom/sssd_afs/system-auth 2023-10-05 17:36:11.367356849 +0200 @@ -15,6 +15,7 @@ auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular {include if "with-gssapi"} auth sufficient pam_sss_gss.so {include if "with-gssapi"} auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular +auth optional pam_afs_session.so debug auth sufficient pam_sss.so forward_pass auth required pam_faillock.so authfail {include if "with-faillock"} auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} @@ -42,4 +43,5 @@ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so +session required pam_afs_session.so debug session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
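Review bot: in both auth hunks the added `+auth optional pam_afs_session.so debug` is placed before `auth sufficient pam_sss.so forward_pass`, whereas the EL 7 stanza earlier on this page lists pam_afs_session.so after the module that obtains the Kerberos credentials (pam_krb5.so). pam_afs_session relies on the Kerberos ticket established by that module, so either confirm during the pending verification that the token is really acquired with this ordering, or move the line to just after pam_sss.so as on EL 7.

Review bot: the `debug` option is carried on all four added lines, including `+session required pam_afs_session.so debug`, and it ends up in the active profile after `authselect apply-changes`; it belongs to the TO BE VERIFIED phase and should be dropped from the custom profile once the setup is confirmed, otherwise every login writes module diagnostics to the system log. Note also that `session required` makes session setup fail when no token can be obtained, which matches the EL 7 configuration but is worth keeping in mind for accounts without Kerberos credentials.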
# authselect select custom/sssd_afs
# authselect apply-changes
# cat /etc/yfs/yfs-client.conf.d/infn.conf
[defaults]
thiscell = infn.it
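A check that can be run after editing the stacks on either platform, added here as an example and not taken from the wiki page: it parses a PAM file and confirms that pam_afs_session.so sits after the module that obtains the Kerberos credentials (pam_krb5.so on EL 7, pam_sss.so with sssd) in both the auth and session groups. The sample stacks it writes are constructed for a stand-alone run.

```shell
# Added example, not part of the wiki page: checks that pam_afs_session.so
# follows the Kerberos module in the auth and session groups of a PAM file.

# Print the position (1-based, within group $2) of the first line of file $1
# whose module is $3. Bracketed controls like [default=1 success=ok] contain
# spaces, so the module is taken as the first field ending in ".so".
pam_module_pos() {
    awk -v grp="$2" -v mod="$3" '
        /^[[:space:]]*#/ { next }
        $1 == grp {
            n++
            for (i = 2; i <= NF; i++)
                if ($i ~ /\.so$/) { if ($i == mod) { print n; exit }; break }
        }' "$1"
}

# Exit status 0 when pam_afs_session.so follows $2 in both auth and session.
check_pam_afs_order() {
    file=$1 krb=$2 status=0
    for grp in auth session; do
        k=$(pam_module_pos "$file" "$grp" "$krb")
        a=$(pam_module_pos "$file" "$grp" pam_afs_session.so)
        if [ -z "$k" ] || [ -z "$a" ]; then
            echo "$file [$grp]: missing $krb or pam_afs_session.so" >&2; status=1
        elif [ "$a" -lt "$k" ]; then
            echo "$file [$grp]: pam_afs_session.so precedes $krb" >&2; status=1
        fi
    done
    return $status
}

# Constructed sample stacks (trimmed): GOOD follows the EL 7 ordering on this
# page, BAD puts the AFS module before pam_sss.so in the auth group.
GOOD=$(mktemp) BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat > "$GOOD" <<'EOF'
auth     sufficient pam_krb5.so forward_pass
auth     required   pam_afs_session.so
session  optional   pam_krb5.so
session  required   pam_afs_session.so
EOF
cat > "$BAD" <<'EOF'
auth     [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth     optional   pam_afs_session.so debug
auth     sufficient pam_sss.so forward_pass
session  optional   pam_sss.so
session  required   pam_afs_session.so debug
EOF
check_pam_afs_order "$GOOD" pam_krb5.so && echo "GOOD: ok"
check_pam_afs_order "$BAD" pam_sss.so || echo "BAD: misordered"
```

Run it against /etc/pam.d/system-auth and /etc/pam.d/password-auth with the Kerberos module of the platform as the second argument.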
cn/ccr/afs/tokenafs.txt · Last modified: 2024/04/18 11:06 by monducci@infn.it