Subject: Re: Local users get AFS prompt on HP-UX 11
On Sep 28, 11:01pm, Christer Bernérus wrote:
> Subject: Re: Local users get AFS prompt on HP-UX 11
>
>
> I guess you'll have to check out the ordering in /etc/pam.conf or whatever that file is named
> under HP-UX.
> You probably want to use the use_first_pass or try_first_pass options.
>
> Here is a snippet of what we use on Solaris:
>
> # PAM configuration
> #
> # Authentication management
> #
> login auth required /usr/lib/security/pam_unix.so.1
> login auth required /usr/lib/security/pam_dial_auth.so.1
> login auth optional /usr/lib/security/pam_afs.so.1 use_first_pass
> #
> #
I believe in the above configuration each user will be "required" to have
a local unix password, and it will have to match their AFS password,
otherwise it will prompt them again. We have the following configuration
on our Solaris boxes:
#
# Authentication management
#
login auth sufficient /usr/lib/security/pam_unix.so.1
login auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass
login auth optional /usr/lib/security/pam_afs.so.1 try_first_pass
#
dtlogin auth sufficient /usr/lib/security/pam_unix.so.1
dtlogin auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass
dtlogin auth optional /usr/lib/security/pam_afs.so.1 try_first_pass
#
It will try local UNIX passwords first, which if they have one it will
log them in and bypass any KRB5 and AFS authentication (root is the only
user with a local password on most of our machines). Otherwise it will
try both krb5 and afs authentication with the first password.
I included the dtlogin lines as well in case you are using CDE.
-- 
James J. Barlow <[EMAIL PROTECTED]>
Senior System Engineer
National Center for Supercomputing Applications
605 East Springfield Avenue                Voice : (217)244-6403
Champaign, IL 61820                        Cell  : (217)840-0601
http://www.ncsa.uiuc.edu/People/jbarlow    Fax   : (217)244-1987
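As an added illustration (not code from either poster), here is a small Python model of how libpam walks an "auth" stack, so the difference between the two configurations above can be traced module by module. It assumes constructed accounts (root with only a local password, alice with only krb5/AFS passwords) and treats pam_dial_auth as always passing on a non-dialup line.

```python
# Added example (not code from the thread): a simplified model of PAM "auth"
# stack evaluation with the required/requisite/sufficient/optional controls
# and the use_first_pass / try_first_pass options discussed in the mail.

# Constructed accounts: root has only a local password, alice only network ones.
USERS = {
    "root":  {"unix": "rootpw"},
    "alice": {"krb5": "alicepw", "afs": "alicepw"},
}

def check(module, user, password):
    """Stand-in for a PAM module's password check (assumption, not real PAM)."""
    if module == "pam_dial_auth":
        return True                      # assumes a non-dialup line: always passes
    backend = module[len("pam_"):]       # pam_unix -> unix, pam_afs -> afs
    return USERS.get(user, {}).get(backend) == password

def authenticate(stack, user, first_pass, prompt_responses=()):
    """Walk (control, module, option) entries in order, as libpam would.
    Returns (success, modules_consulted, extra_prompts)."""
    responses = list(prompt_responses)
    consulted, prompts = [], 0
    failed = False      # a required module failed: the stack must end in failure
    succeeded = False   # some module succeeded before any failure was recorded
    for control, module, option in stack:
        consulted.append(module)
        ok = check(module, user, first_pass)
        # try_first_pass: on failure the module prompts for its own password;
        # use_first_pass: the first password is the only one it will ever see.
        if not ok and option == "try_first_pass" and responses:
            prompts += 1
            ok = check(module, user, responses.pop(0))
        if control == "requisite" and not ok:
            return False, consulted, prompts     # die immediately
        if control == "required" and not ok:
            failed = True                         # keep going, but deny at the end
        elif ok and not failed:
            succeeded = True
            if control == "sufficient":
                break                             # done: later modules never run
        # optional failures are ignored; optional successes count via `succeeded`
    return succeeded and not failed, consulted, prompts

# The quoted reply's stack and James's stack, as given in the mail.
CHRISTER = [("required", "pam_unix", None),
            ("required", "pam_dial_auth", None),
            ("optional", "pam_afs", "use_first_pass")]
JAMES = [("sufficient", "pam_unix", None),
         ("optional", "pam_krb5", "try_first_pass"),
         ("optional", "pam_afs", "try_first_pass")]
```

Running `authenticate(CHRISTER, "alice", "alicepw")` denies alice because the required pam_unix line has no local password to match, while `authenticate(JAMES, "root", "rootpw")` stops after pam_unix and never consults krb5 or AFS.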