[OpenAFS] AFS without local authentication

Ray Link rlink+@pitt.edu
Thu, 29 Nov 2001 12:10:25 -0500 (EST)


On Wed, 28 Nov 2001 mateus.santos@embraer.com.br wrote:

> Is it possible to let AFS users log in on a local client machine without
> having an entry in /etc/passwd (just an entry in the AFS space, at the
> server)?
> The documentation says that I have to create an entry in AFS and another
> entry in /etc/passwd on the local machine. I just want to administer my
> users from the server.

You still need the /etc/passwd entry.  AFS/Krb authentication has no
way of storing other important user information, such as home directory
and default shell, let alone less-important ones like the GECOS field.

A workable but slightly complex solution would be to keep a copy of the
passwd and shadow files in your AFS space, and have a script that
munges it together with a local mini-passwd file (containing entries
for root and the like) on each machine.  This script could be run from
root's crontab on each machine on a regular basis.

With this solution, however, you have to concern yourself with several
things.  For starters, you have to worry about access to the
passwd/shadow files in AFS (less of a concern than usual, because there
are no encrypted passwords in the shadow file).  You do, however, end
up giving out the usernames of every user on your network.  It is also
no trivial task to implement this system in a production environment if
failsafe operation is to be assured.

==== Ray Link === University of Pittsburgh CSSD === rlink@pitt.edu ====

A bad random number generator:  1, 1, 1, 1, 1, 4.33e+67, 1, 1, 1
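Below is an added example of the merge script Ray sketches above; it is not code from the original post and not part of OpenAFS. It merges a local mini-passwd (root and the other system accounts) with a site-wide passwd kept in AFS, and it takes the "failsafe operation" point seriously: local entries always win on a username or UID clash, malformed lines are dropped, the AFS copy must be readable and non-empty, and the result is only swapped into place (atomically, via rename) if an entry with UID 0 survives. The paths in the variables, the `run` argument and the crontab line are assumptions chosen for the example. The shadow file can be merged with the same `awk` rule keyed on the username alone, since it has no UID column; as Ray notes, with AFS/Kerberos authentication it carries no password hashes anyway.

```shell
#!/bin/sh
# Hypothetical merge script (example code, not from the original post or OpenAFS).
# Intended to run from root's crontab on every client, e.g.
#   17 * * * * /usr/local/sbin/merge-passwd run
# All three paths are assumptions for this example.
LOCAL_PASSWD="${LOCAL_PASSWD:-/etc/passwd.local}"          # root, daemon, ... (local wins)
AFS_PASSWD="${AFS_PASSWD:-/afs/example.org/admin/etc/passwd}" # site-wide copy kept in AFS
TARGET="${TARGET:-/etc/passwd}"

# merge_passwd LOCAL AFS
# Prints the merged passwd to stdout.  LOCAL is read first, so its entries
# take precedence; an AFS entry is dropped if its username (field 1) or UID
# (field 3) was already seen.  Lines that do not have exactly 7 fields or
# that have an empty username are discarded as malformed.
merge_passwd() {
    awk -F: -v OFS=: '
        NF != 7 || $1 == "" { next }
        !($1 in name) && !($3 in uid) {
            name[$1] = 1; uid[$3] = 1
            print
        }
    ' "$1" "$2"
}

# install_passwd LOCAL AFS TARGET
# Failsafe wrapper: refuses to touch TARGET unless the AFS copy is readable
# and non-empty and the merged result still contains a UID 0 account.  The
# merged file is written to a temporary file next to TARGET and renamed over
# it, so readers never see a partially written passwd.
install_passwd() {
    local_f=$1; afs_f=$2; target=$3
    if [ ! -s "$afs_f" ]; then
        echo "merge-passwd: $afs_f unreadable or empty; leaving $target alone" >&2
        return 1
    fi
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    if merge_passwd "$local_f" "$afs_f" > "$tmp" &&
       awk -F: '$3 == 0 { found = 1 } END { exit !found }' "$tmp"; then
        chmod 644 "$tmp" && mv -f "$tmp" "$target"
    else
        rm -f "$tmp"
        echo "merge-passwd: merge failed or no UID 0 entry; $target unchanged" >&2
        return 1
    fi
}

# Only touch the real files when explicitly asked to (the "run" argument is
# an assumption of this example).
if [ "${1:-}" = run ]; then
    install_passwd "$LOCAL_PASSWD" "$AFS_PASSWD" "$TARGET"
fi
```

Two design choices worth noting: the UID check is what stops an AFS-side entry from quietly becoming a second UID 0 or shadowing a local system account, which is the main way a writable copy in AFS could turn into a local root compromise; and the "no UID 0 survived" refusal covers the case where the local mini-passwd itself has been damaged, so a bad cron run degrades to "nothing changes" rather than "nobody can log in".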