[OpenAFS] AFS Authentication with PAM
Mitch Collinsworth
mitch@ccmr.cornell.edu
Thu, 5 Jul 2001 10:48:42 -0400 (EDT)
On Thu, 5 Jul 2001, Brandon S. Allbery KF8NH wrote:
> Presumably you also need to change the name service switch to get
> information that isn't maintained by Kerberos (such as the user's home
> directory and shell) from a distributed database. You will need to run
> something like LDAP or NIS for this. Take a look at /etc/nsswitch.conf.

NIS is partially broken, at least in Red Hat 6.2. Near as I've been
able to tell, it fails to consult /etc/passwd for allowed and disallowed
users. Any user that exists in the NIS passwd database is allowed to
log in. This is so even if no + entry exists that includes them, and even if
an explicit - entry exists that disallows them.

I'm very interested in hearing if anyone has found a solution for this,
or if it's been fixed in a newer version. Right now we're figuring the
solution is to get rid of NIS...

-Mitch
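
An added example, not part of the original message: a small audit for the symptom described above. It assumes the glibc behaviour documented in nsswitch.conf(5), where + and - entries in /etc/passwd are interpreted only by the `compat` service and are read in file order; the function names and sample file contents are constructed for illustration.

```python
import re

def passwd_sources(nsswitch_text):
    """Services on the 'passwd:' line of nsswitch.conf, [action] items dropped."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            return re.sub(r"\[[^\]]*\]", " ", line[len("passwd:"):]).split()
    return []

def compat_entries(passwd_text):
    """Names of the +/- (compat-style) lines in a passwd file, in file order."""
    names = (l.split(":", 1)[0].strip() for l in passwd_text.splitlines())
    return [n for n in names if n[:1] in ("+", "-")]

def audit(nsswitch_text, passwd_text):
    """Return findings about whether the +/- access entries can take effect."""
    sources = passwd_sources(nsswitch_text)
    entries = compat_entries(passwd_text)
    findings = []
    if "compat" not in sources:
        if entries:
            findings.append("IGNORED: +/- entries present but passwd is not 'compat'")
        if "nis" in sources:
            findings.append("OPEN: every account in the NIS passwd map resolves")
    elif "+" in entries:
        # In compat mode the file is read top to bottom, so an exclusion
        # listed after a bare '+' is never reached.
        late = [e for e in entries[entries.index("+") + 1:] if e.startswith("-")]
        if late:
            findings.append("ORDER: exclusions after bare '+': " + ", ".join(late))
    return findings

# Constructed sample inputs (not taken from any real host).
NSSWITCH_FILES_NIS = "passwd: files nis\nshadow: files nis\n"
NSSWITCH_COMPAT = "passwd: compat\npasswd_compat: nis\n"
PASSWD = "root:x:0:0:root:/root:/bin/bash\n-guest\n+alice\n+bob\n"

if __name__ == "__main__":
    for label, conf in (("files nis", NSSWITCH_FILES_NIS), ("compat", NSSWITCH_COMPAT)):
        print(label, "->", audit(conf, PASSWD) or "no findings")
```

To check a real host, pass the contents of /etc/nsswitch.conf and /etc/passwd to `audit()`.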