#463 Support/Cache OpenAFS Authentication
Closed: wontfix 3 years ago by pbrezina. Opened 13 years ago by jjneely.

OpenAFS is a distributed network filesystem that uses Kerberos as its authentication. Many educational institutions (and others) use AFS to provide home directories. To log into a machine using OpenAFS you must acquire Kerberos tickets as well as translate those tickets into AFS "tokens" which are used to authenticate you to AFS. (Mostly, special service principals.)

The pam_krb5 module from any version of RHEL/Fedora/whatever supports this. (See its man page to start.)

The OpenAFS folks do provide userland based tools to renew/acquire tokens: http://docs.openafs.org/Reference/1/aklog.html

OpenAFS is beginning to support a disconnected mode. Coupling SSSD and OpenAFS's disconnected mode would be quite a cool feature. The last update I saw was from the February newsletter: http://www.openafs.org/pages/newsletter/newsletter-2010-02-volume002-issue02.html#disconnected_afs_support

The best place to look for the "spec" would be the afs5log.c and minikafs.c in the pam_krb5 code.


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.4.0
priority: major => minor

Fields changed

component: SSSD => Kerberos Provider
owner: somebody => sbose

Fields changed

milestone: SSSD 1.4.0 => SSSD 2.0

Fields changed

cc: => nalin

Fields changed

cc: nalin => nalin, somlo
coverity: =>

Have you looked into Russ Allbery's pam-afs-session? I've found that it is better than the AFS support in RedHat's pam_krb5.

upgrade: => 0

Fields changed

cc: nalin, somlo => nalin, somlo, ktdreyer

Fields changed

cc: nalin, somlo, ktdreyer => nalin, somlo, ktdreyer, timj
patch: => 0

I've submitted pam_afs_session into Fedora and EPEL, and I verified that it works well with pam_sss... when actually connected to the network :)

I know this ticket was also for disconnected operation, but I don't think that's fully supported in OpenAFS upstream as of yet.

rhbz: =>

Fields changed

rhbz: => 0

Fields changed

blockedby: =>
blocking: =>
feature_milestone: =>
milestone: SSSD 2.0 => SSSD Deferred
proposed_priority: => Undefined

Metadata Update from @jjneely:
- Issue assigned to sbose
- Issue set to the milestone: SSSD Patches welcome

7 years ago

Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfill this request I am closing the issue as wontfix.

If the issue still persists on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.

Thank you for understanding.

Metadata Update from @pbrezina:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

3 years ago

Since SSSD has decided not to fix this issue: folks who end up here may wish to investigate pam_afs_session for this functionality.

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/1505

If you want to receive further updates on the issue, please navigate to the github issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
