[OpenAFS-devel] PAM auth multiple domains.

Charles Clancy security@xauth.net
Sat, 2 Nov 2002 22:09:47 -0600 (CST)


> I was trying to auth netatalk against pam_afs with multiple domains.
> When I use the cell option it authorizes me but doesn't give me the
> correct token (??), i.e. the login authorization stuff was horked and I didn't
> have a token for the cell that I was trying to log in to. I THINK it was
> trying to use the token for the wrong domain.

What version of OpenAFS are you using?  The 1.2.7 release seems to have my
man pages which include the documentation for the cell option, but not my
patches implementing the option.

> I am assuming this is a misconfiguration so here is my pam file.
>
> #%PAM-1.0
> auth       required	pam_afs.so cell msu.edu
> account    required	pam_unix.so
> #password   required	pam_cracklib.so
> #password   required	pam_unix.so use_authtok
> session    required	pam_unix.so

Well, for this configuration, you might as well just put msu.edu in your
ThisCell file.  It looks like it should work, though.

Could you try it out on something that gives you a shell, and double check
the output of your tokens command?

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]