Dear openafs-info members: Sorry to mail bomb you. I'm the same one who just wrote about slow klog response. This is a different question altogether.
We have been using an LDAP server to authenticate users in our Linux lab. Setting that up in /etc/pam.d was a bit tricky. I wondered if the local AFS server could be used to authenticate users. In the OpenAFS documentation, it seems to say I still need to use the LDAP authentication, and then use klog to allow users to access their AFS shares.

When the openafs RPM installs, it offers advice to add this to the PAM stack in order to allow users to get a token at login:

    auth sufficient /lib/security/$ISA/pam_afs.so try_first_pass ignore_root

That is the same as running klog, as far as I understand it. Right?

I find, however, that the AFS server is quite a bit more useful than expected. It seems it can replace the LDAP server for authentication service. Below I paste in /etc/pam.d/system-auth where I've commented out the LDAP elements and added only the one afs line. After restarting, I find that I CAN log in with my AFS username/password.

The system is apparently able to get enough of the other user information it needs from LDAP. The NSS configuration is still set to use ldap, and I see in the output of "netstat -a" that 2 connections are opened to the LDAP server. I believe the system is getting the user ID and group ID numbers from that server, because when I type "id", the UID and GID information returned matches the numbers on the LDAP server.

Anyway, I was confused in looking at the AFS documents and wanted to follow up about it. I did not have to make any changes to the display manager (gdm) besides putting this one little bit in system-auth. Maybe it only works because the user account has been used on this machine before? I guess I'll have to test.

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required /lib/security/$ISA/pam_env.so
    auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
    auth sufficient /lib/security/$ISA/pam_afs.so try_first_pass ignore_root
    # auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
    auth required /lib/security/$ISA/pam_deny.so
    account required /lib/security/$ISA/pam_unix.so broken_shadow
    account sufficient /lib/security/$ISA/pam_localuser.so
    account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
    #account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
    account required /lib/security/$ISA/pam_permit.so
    password requisite /lib/security/$ISA/pam_cracklib.so retry=3
    password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    # password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
    password required /lib/security/$ISA/pam_deny.so
    session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0022
    session required /lib/security/$ISA/pam_limits.so
    session required /lib/security/$ISA/pam_unix.so
    # session optional /lib/security/$ISA/pam_ldap.so

-- 
Paul E. Johnson
Professor, Political Science
1541 Lilac Lane, Room 504
University of Kansas

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
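An added example, not from the post or from OpenAFS: a small Python script that parses the auth section of the system-auth file quoted above and simulates the stack's control flow, so one can check that a user whose password is known only to AFS still logs in (pam_unix fails, pam_afs succeeds) and that the stack is still closed by pam_deny when both fail. The parser, the simplified Linux-PAM semantics in `evaluate`, and the `audit_auth` checks are this example's own assumptions.

```python
# Sample input: the auth section of the system-auth file quoted in the post,
# embedded here as a constructed copy so the script runs offline.
SAMPLE = """#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_afs.so try_first_pass ignore_root
# auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
"""

def parse_pam(text):
    """Return active (service, control, module, options) tuples in stack order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out module (like pam_ldap here)
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, ignore
        service, control, path = parts[0], parts[1], parts[2]
        entries.append((service, control, path.rsplit("/", 1)[-1], parts[3:]))
    return entries

def evaluate(entries, service, succeeds):
    """Walk one service's stack with simplified Linux-PAM control semantics
    (an assumption of this example; real PAM also has [value=action] forms).
    `succeeds` maps module file name -> whether that module would pass."""
    failed = False
    for svc, control, module, _ in entries:
        if svc != service:
            continue
        ok = succeeds.get(module, False)   # unknown modules (pam_deny) fail
        if control == "required" and not ok:
            failed = True          # fatal, but later modules still run
        elif control == "requisite" and not ok:
            return False           # fatal and stops the stack at once
        elif control == "sufficient" and ok and not failed:
            return True            # short-circuit success
        # a failed sufficient or an optional module does not change the result
    return not failed

def audit_auth(entries):
    """Return findings a reviewer would raise about the auth stack."""
    auth = [e for e in entries if e[0] == "auth"]
    findings = []
    if not auth or (auth[-1][1], auth[-1][2]) != ("required", "pam_deny.so"):
        findings.append("auth stack is not terminated by 'required pam_deny.so'")
    for _, _, module, opts in auth:
        if module == "pam_unix.so" and "nullok" in opts:
            findings.append("pam_unix.so accepts empty passwords (nullok)")
        if module == "pam_afs.so" and "ignore_root" not in opts:
            findings.append("pam_afs.so is also tried for root (no ignore_root)")
    return findings
```

Dropping the final pam_deny line and re-running `evaluate` with every password module failing shows why that terminator matters: with only the required pam_env succeeding, the stack would otherwise return success.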
