[OpenAFS] Can OpenAFS be the only authenticating "entity"
Brandon S. Allbery KF8NH
allbery@ece.cmu.edu
Wed, 1 Feb 2006 00:01:27 -0500
On Feb 1, 2006, at 5:41 , Leroy Tennison wrote:
> I know about integrated login but is it possible to create a Linux
> and/or Windows configuration where OpenAFS is the only
> "authenticator" meaning that there is no need for IDs/passwords in
> local files or another authentication service like NIS, LDAP,
> Samba, AD, etc? If so, can you point me to information on how to
> do it? Maybe I'm just not thinking clearly but nothing is coming
> to mind. Thanks for any input.
Not really.
1. For Windows to get all the extra permissions it hides in its
Kerberos 5 tickets, you need to use AD (or possibly recent Samba).
2. AFS can provide passwords via some form of Kerberos, and in theory
you could get user IDs via an nsswitch module that queried pts; but
there's no way to get home directories, Unix groups (which are very
different from AFS groups), shells, etc.
3. Unless all your Unix systems are completely homogeneous (i.e. not
even different releases of the same vendor's OS), you'll find that
every system has different uids and gids for system accounts and you
can't safely change them around to fit pts's ideas.
3a. AFS admin (almost always pts id 1) would be a very bad thing to
map to Unix uid 1.
4. If you ever need to work on a Unix machine in single-user mode
without network, you will need local accounts for at minimum root and
the system accounts.
I think the best you could do right now is using AD for Kerberos+LDAP
with a Unix schema added; but pts needs to remain separate, although
I think someone may be poking at LDAP-backed pts.
--
brandon s. allbery [linux,solaris,freebsd,perl]
allbery@kf8nh.com
system administrator [openafs,heimdal,too many hats]
allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon university
KF8NH
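Points 3 and 3a above describe the collision between pts ids and local system uids. The following is an added example, not code from the mail or from OpenAFS: it parses a constructed sample in the column layout of `pts listentries` (Name, ID, Owner, Creator) and a constructed /etc/passwd fragment, and reports which numbers would name one account in pts and a different one locally if pts ids were used directly as uids.

```python
# Added example (not from the mail or from OpenAFS): checks whether pts ids,
# if used directly as Unix uids, would collide with local system accounts.
# Assumes the `pts listentries` column layout Name/ID/Owner/Creator.

# Constructed sample resembling `pts listentries` output (not real data).
PTS_LISTING = """\
Name                          ID  Owner Creator
system:administrators       -204   -204   -204
anonymous                  32766   -204   -204
admin                          1   -204   -204
ltennison                      2   -204      1
build                          8   -204      1
"""

# Constructed /etc/passwd fragment with typical but invented uid values.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
ltennison:x:1001:1001:Leroy Tennison:/home/ltennison:/bin/bash
"""


def parse_pts_users(listing):
    """Return {pts_id: name} for user entries; groups (negative ids) are skipped."""
    users = {}
    for line in listing.splitlines()[1:]:   # first line is the column header
        fields = line.split()
        if len(fields) >= 4 and int(fields[1]) > 0:
            users[int(fields[1])] = fields[0]
    return users


def parse_passwd(text):
    """Return {uid: login} from passwd-format lines."""
    return {int(f[2]): f[0] for f in (ln.split(":") for ln in text.splitlines() if ln)}


def uid_collisions(pts_users, local_users):
    """Numbers that name one account in pts and a different account locally."""
    return sorted((n, pts_users[n], local_users[n])
                  for n in pts_users if n in local_users and local_users[n] != pts_users[n])


if __name__ == "__main__":
    for n, pts_name, login in uid_collisions(parse_pts_users(PTS_LISTING), parse_passwd(PASSWD)):
        print(f"id {n}: pts '{pts_name}' vs local '{login}'")
```

With the sample data the admin entry (pts id 1) lands on the local daemon account, which is exactly the mapping the reply warns against.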