Hi All- I've posted a few questions in the last month or so and thanks to those who replied, I'm now up and running with a single AFS server running a SuSE 9 distro with self-built version 1.2.11 of OpenAFS (SuSE 9 ships with 1.2.10) that uses a self-built MIT Kerberos 5, v1.3.1 (SuSE 9 ships with heimdal) system for authentication. Thank you for the help!
While I'll admit to not having read all of the documentation yet, I have read all of the conceptual stuff, the QBG, and portions of the administrator's reference and administrator's guide. Naturally, I'm learning as I go and studying the docs very carefully, but there's one issue that I'd like to ask about because the docs I've read thus far don't mention it: the Linux password shadow suite of programs. I searched the archive for this subject and saw a few mentions of it, but none recently and none in much depth (except in regards to NIS, which I'm not using and would prefer avoiding unless it makes a lot of sense to use it).

As would most people, I guess, I'd like to have all AFS user data (stuff found in /etc/passwd (login shell, unix uid, unix gid, Name, home directory), /etc/shadow (password and related data), the Kerberos database (principals and their privileges), OpenAFS ACLs, OpenAFS uid, etc.) be centrally located, universally accessible, and easy to maintain. Based on the docs I've read thus far, I should be making a common /etc/passwd file on AFS and merging it with each client machine's /etc/passwd file whenever a change is made to the AFS /etc/passwd file, using cron or something.

My question(s) is/are: Is that still the best way to do this? And what about /etc/shadow? Do I need to write a script for shadow that is similar to that found in the docs on merging the AFS /etc/passwd file with each client machine's /etc/passwd file? For my purposes, except for each client machine's root account, I'd like to have all users be authenticated from a single (perhaps replicated) source, and not have any user accounts on each client machine's local authentication source (no local users except root---only Kerberos users for the network). Or even, is there a way to make a "network superuser" that would have root access to all client computers? Or is that a bad idea?
What do people do for the root password on each client machine when there are hundreds (or more) client machines? Make them all the same? Keep a database of machines and their root passwords handy? Just curious... I'm sure someone else besides me has encountered this issue. Care to share your ideas on the best way to do this? I guess LDAP is an option, but I haven't done much with that. What are others in similar circumstances doing?

Oh, and as a final complication, what about throwing Windows machines into the fray? I maintain several Samba PDCs and their associated networks, and that seems to offer a pretty good (though not ideal) model. Is it possible to do something similar with Kerberos and OpenAFS? I know there is a way (with native Windows code) to have the Windows box be a member of a Kerberos realm and have the OS check an MIT Kerberos KDC for login authentication, but it doesn't scale well (requires changing each client machine's list of users with every change in the network user list). Aside from that, am I looking at a definite two-step login process for Windows machines authenticating against an MIT Kerberos database and accessing OpenAFS volumes?

Many thanks for any thoughts.

-Kevin

_______________________________________________
OpenAFS-info mailing list
https://lists.openafs.org/mailman/listinfo/openafs-info
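The passwd/shadow merge the post asks about, as an added example (it is not code from the poster or from the OpenAFS documentation). It assumes accounts with uid below 1000 are local system accounts that always win, that everything else is a network user taken only from the central AFS-hosted file, and that no password hash is ever distributed: the shadow field for network users is written as a locked value, so those users can only log in through Kerberos (for instance via a Kerberos PAM module, which is an assumption about the client setup). The sample files at the bottom are constructed.

```python
# Added example, not from the OpenAFS docs or the poster. Merges a central,
# AFS-hosted passwd file into a client's local /etc/passwd and /etc/shadow.
# Assumptions: uid < MIN_NET_UID means a local account (root, daemons) that
# always wins; other users come only from the central file; their shadow
# field is the locked value LOCKED, so login must go through Kerberos.
MIN_NET_UID = 1000
LOCKED = "!!"   # locked password field, not a usable hash

def parse_passwd(text):
    """Return {name: fields} for the 7-field lines of a passwd file."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) != 7:
                raise ValueError("malformed passwd line: %r" % line)
            users[fields[0]] = fields
    return users

def merge_passwd(local_text, central_text):
    """Keep local system accounts verbatim, drop stale local network
    entries, and take network users from the central file only."""
    local, central = parse_passwd(local_text), parse_passwd(central_text)
    merged = [f for f in local.values() if int(f[2]) < MIN_NET_UID]
    local_names = {f[0] for f in merged}
    for name, f in central.items():
        # the central file may neither override nor masquerade as a local account
        if name in local_names or int(f[2]) < MIN_NET_UID:
            continue
        merged.append(f[:1] + ["x"] + f[2:])   # password field lives in shadow
    return [":".join(f) for f in merged]

def merge_shadow(local_shadow_text, merged_passwd_lines):
    """Keep local shadow lines for local accounts; emit locked entries for
    network users so no reusable hash is ever stored on the client."""
    local = {l.split(":")[0]: l for l in local_shadow_text.splitlines()
             if l.strip() and not l.startswith("#")}
    out = []
    for line in merged_passwd_lines:
        name, _, uid = line.split(":")[:3]
        if int(uid) < MIN_NET_UID and name in local:
            out.append(local[name])
        else:
            out.append("%s:%s:0:0:99999:7:::" % (name, LOCKED))
    return out

# Constructed sample files (not real accounts); the central copy of "root"
# must be ignored, and the stale local "olduser" must be dropped.
LOCAL_PASSWD = "root:x:0:0:root:/root:/bin/bash\nolduser:x:1001:100:Old:/home/old:/bin/sh\n"
CENTRAL_PASSWD = "root:x:0:0:overridden:/tmp:/bin/sh\nkevin:x:1002:100:Kevin:/afs/example.org/user/kevin:/bin/bash\n"
LOCAL_SHADOW = "root:$6$constructedhash:15000:0:99999:7:::\nolduser:$6$x:15000:0:99999:7:::\n"
```

Run from cron on each client, the merged lines would be written to temporary files and installed atomically (with the usual 0644/0600 modes) rather than edited in place.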
