On 1/31/06, John Lockard <[EMAIL PROTECTED]> wrote:
> When they log in on the Linux box, what are you using to know
> what the user's home directory is (LDAP, /etc/passwd file, etc.)?
> That should be your basis.
>
> -John
Actually, your question leads me to confess some idiocy in our setup. On campus, there are too many competing factions who endorse Novell, Windows-AD, AFS, etc. As it currently stands, I've set it so Linux users are authenticated by the AFS system itself, but the information about where to find home is just in the Linux system configuration. That is, $HOME is always /home/$USER. AFS can authenticate users, but the system uses nsswitch to find user info in a separate LDAP server (which I do not control), and so if the user does not have a name in LDAP, then the login is rejected. Even if the user never gives a valid LDAP password, and just uses the AFS password, the login will work, as long as LDAP has that name in there. I don't understand why the LDAP server is giving the information the system wants without a password. Maybe the admins here would call it a security hole. If the user does not put in a valid AFS password, then the password is checked against LDAP. It works, anyway. Here's what I have for PAM system-auth.
# auth: the first "sufficient" backend that accepts the password ends the stack
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_afs.so use_first_pass ignore_root
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

# account: a user unknown to LDAP is ignored here, not rejected
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_localuser.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

# password: changes go to whichever backend accepts the new token first
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

# session: create /home/$USER on first login
session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so

-- 
Paul E. Johnson
Professor, Political Science
1541 Lilac Lane, Room 504
University of Kansas

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
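The behaviour described in the message above (AFS password accepted, LDAP never consulted; AFS password rejected, LDAP tried next) follows from Linux-PAM's control-flag dispatch alone. The following is an added example, not code from the post or from OpenAFS: a small simulator of the pam.conf(5) control semantics, run over the auth and account stanzas quoted above. The per-module return codes (pam_unix returning user_unknown for a non-local user, pam_afs and pam_ldap succeeding or failing) are constructed inputs, and the simulator models only the dispatch rules, not use_first_pass or the real modules.

```python
# Added example, not code from the post: a small simulator of Linux-PAM
# control-flag semantics (pam.conf(5)), run over the auth and account
# stanzas quoted above, to show which backend actually decides a login.
# Module return codes below are constructed inputs, not real module output.
import re

# Linux-PAM expands the keyword controls into [value=action] tables.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# The auth and account stanzas from the post, verbatim.
SYSTEM_AUTH = """
auth    required   /lib/security/$ISA/pam_env.so
auth    sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth    sufficient /lib/security/$ISA/pam_afs.so use_first_pass ignore_root
auth    sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth    required   /lib/security/$ISA/pam_deny.so
account required   /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_localuser.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required   /lib/security/$ISA/pam_permit.so
"""

LINE_RE = re.compile(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)")


def parse_stack(text, facility):
    """Return [(module, action_table, options)] for one facility of a PAM file."""
    stack = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) != facility:
            continue
        control, path, opts = m.group(2), m.group(3), m.group(4).split()
        if control.startswith("["):  # explicit [value=action ...] control
            table = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            table = KEYWORD_CONTROLS[control]
        stack.append((path.rsplit("/", 1)[-1], table, opts))
    return stack


def run_stack(stack, results):
    """Walk a stack the way libpam's dispatcher does.

    `results` maps module file name -> the code it would return ("success",
    "auth_err", "user_unknown", "perm_denied", ...; unlisted modules succeed).
    Returns (outcome, consulted): the verdict and the modules actually called.
    """
    impression = None  # None = undecided, "pos" = success so far, "neg" = failed
    consulted = []
    for module, table, _opts in stack:
        consulted.append(module)
        action = table.get(results.get(module, "success"), table.get("default", "bad"))
        if action == "ok" and impression is None:
            impression = "pos"
        elif action == "done":  # sufficient: stop unless a required module failed
            if impression is None:
                impression = "pos"
            if impression == "pos":
                break
        elif action in ("bad", "die"):  # a failure sticks for the rest of the stack
            impression = "neg"
            if action == "die":
                break
        # "ignore": neither the verdict nor the position in the stack changes
    return ("success" if impression == "pos" else "failure"), consulted


AUTH = parse_stack(SYSTEM_AUTH, "auth")
ACCOUNT = parse_stack(SYSTEM_AUTH, "account")


def auth_scenario(afs, ldap):
    """Constructed: a user known to nsswitch but absent from the local shadow
    file, so pam_unix has nothing to compare against; pam_deny always fails."""
    return {"pam_unix.so": "user_unknown", "pam_afs.so": afs,
            "pam_ldap.so": ldap, "pam_deny.so": "auth_err"}


def login_auth(afs, ldap):
    return run_stack(AUTH, auth_scenario(afs, ldap))


def account_for_user_missing_from_ldap():
    """Constructed: account phase for a non-local, non-system user with no LDAP entry."""
    return run_stack(ACCOUNT, {"pam_localuser.so": "perm_denied",
                               "pam_succeed_if.so": "auth_err",
                               "pam_ldap.so": "user_unknown"})


if __name__ == "__main__":
    for label, afs, ldap in [("AFS ok, LDAP wrong", "success", "auth_err"),
                             ("AFS wrong, LDAP ok", "auth_err", "success"),
                             ("both wrong", "auth_err", "auth_err")]:
        outcome, consulted = login_auth(afs, ldap)
        print(f"{label:20s} -> {outcome:8s} via {' -> '.join(consulted)}")
    print("account, user absent from LDAP ->", account_for_user_missing_from_ldap())
```

Run as-is, the first scenario stops at pam_afs.so and never calls pam_ldap.so, the second falls through to pam_ldap.so, and the third reaches pam_deny.so and fails; with three "sufficient" backends, any one of them accepting the password is enough. The account run shows that this stack's "user_unknown=ignore" entry does not reject a user who is missing from LDAP, so a rejection of such a user must come from somewhere other than the account stack (for example, the nsswitch lookup the login program does before PAM is ever entered).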
