[OpenAFS] using openafs to authenticate logins on linux systems (Fedora Core 4)
Paul Johnson
pauljohn32@gmail.com
Thu, 19 Jan 2006 23:34:25 -0600
Dear openafs-info members:
Sorry to mail bomb you. I'm the same one who just wrote about slow
klog response. This is a different question altogether.
We have been using an LDAP server to authenticate users in our Linux
lab. Setting that up in /etc/pam.d was a bit tricky. I wondered if
the local AFS server could be used to authenticate users. In the
OpenAFS documentation, it seems to say I still need to use the LDAP
authentication, and then use klog to allow users to access their afs
shares. When the openafs RPM installs, it offers advice to add this
to the PAM stack in order to allow users to get a token at login:
auth sufficient /lib/security/$ISA/pam_afs.so try_first_pass ignore_root
That is the same as running klog, as far as I understand it. Right?
I find, however, that the AFS server is quite a bit more useful than
expected. It seems it can replace the LDAP server for authentication
service. Below I paste in /etc/pam.d/system-auth where I've commented
out the LDAP elements and added only the one afs line. After
restarting, I find that I CAN log in with my AFS username/password.
The system is apparently able to get enough of the other user
information it needs from LDAP. The NSS configuration is still set to
use ldap, and I see in the output of "netstat -a" that 2 connections
are opened to the LDAP server. I believe the system is getting the
user ID and group ID numbers from that server, because when I type
"id", the UID and GID information returned matches the numbers on the
LDAP server.
Anyway, I was confused in looking at the AFS documents and wanted to
follow up about it. I did not have to make any changes to the Display
manager (gdm) besides putting this one little bit in system-auth.
Maybe it only works because the user account has been used on this
machine before? I guess I'll have to test.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_afs.so try_first_pass ignore_root
# auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_localuser.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
#account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
# password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
# session optional /lib/security/$ISA/pam_ldap.so
--
Paul E. Johnson
Professor, Political Science
1541 Lilac Lane, Room 504
University of Kansas
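As an added illustration (not part of Paul's message, and not OpenAFS or Linux-PAM code), the following simulates the control flow of the auth and account phases of the system-auth stack posted above, to show why a login succeeds with only the pam_afs line and how the account phase passes without the commented-out pam_ldap entry. The per-module results for a hypothetical AFS-only user (known to NSS via LDAP, absent from /etc/passwd, UID above 100) are assumptions, and the control-flag semantics are the simplified legacy ones (required/requisite/sufficient).

```python
# Auth and account entries copied from the posted system-auth so the
# example runs offline; the "/lib/security/$ISA/" prefix is stripped on parsing.
SYSTEM_AUTH = """\
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_afs.so try_first_pass ignore_root
# auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_localuser.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
"""

def parse_stack(text, phase):
    """Return [(control, module)] for one PAM phase, skipping comments."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0] != phase:
            continue
        stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, results):
    """Simplified legacy control-flag semantics. `results` maps module name
    to True/False; pam_env, pam_permit and pam_deny have fixed outcomes."""
    fixed = {"pam_env.so": True, "pam_permit.so": True, "pam_deny.so": False}
    failed = False
    for control, module in stack:
        ok = fixed.get(module, results.get(module, False))
        if control == "requisite" and not ok:
            return False            # requisite failure ends the stack at once
        if control == "required" and not ok:
            failed = True           # remembered, but later modules still run
        if control == "sufficient" and ok and not failed:
            return True             # short-circuit: pam_deny (and LDAP) never run
    return not failed

def afs_user_login(password_ok):
    """Assumed module results for a hypothetical AFS-only user: pam_unix and
    pam_localuser fail (no /etc/passwd entry), pam_afs reflects the password,
    pam_succeed_if fails (UID >= 100), and pam_unix account succeeds because
    broken_shadow tolerates the missing shadow entry."""
    auth = evaluate(parse_stack(SYSTEM_AUTH, "auth"),
                    {"pam_unix.so": False, "pam_afs.so": password_ok})
    account = evaluate(parse_stack(SYSTEM_AUTH, "account"),
                       {"pam_unix.so": True, "pam_localuser.so": False,
                        "pam_succeed_if.so": False})
    return auth, account  # (True, True) with a good password, (False, True) otherwise
```

Note that the account phase returns success through pam_permit for any user the auth phase accepts, so whatever account checks the commented-out pam_ldap entry used to apply are no longer enforced for these logins.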