[OpenAFS-devel] PAM auth multiple domains.

Sean O'Malley omalleys@eclipse.cl.msu.edu
Tue, 5 Nov 2002 12:56:03 -0500 (EST)


Ah! It sounds like the patch isn't installed in the OpenAFS
1.2.7 RPMs I used to install. (I didn't try very hard, but AFS didn't like the
new kernel.) And I didn't feel like screwing with recompiling AFS.

The problem is I was hoping to auth and set a token for two different
domains based on the requested service. For example: Netatalk would auth
and set a token for msu.edu, and Samba would set a token for test.msu.edu.

When I do a klog I need to specify the domain, like testuser@coresys, in
order to get a token from the other domain. If I just use the standard
klog testuser it won't get the token for the coresys domain; it defaults
to whatever is in ThisCell, which in this case is the msu.edu domain.

[root@cc-pubafs-14 etc]# klog msuuser
Password:
[root@cc-pubafs-14 etc]# klog testuser
Password:
Unable to authenticate to AFS because user doesn't exist.
[root@cc-pubafs-14 etc]# klog testuser@coresys
Password:
[root@cc-pubafs-14 etc]# tokens

Tokens held by the Cache Manager:

User's (AFS ID 4) tokens for afs@coresys [Expires Nov  6 13:46]
User's (AFS ID 10) tokens for afs@msu.edu [Expires Nov  6 13:46]
   --End of list--
[root@cc-pubafs-14 etc]# 


Sean 

PS: I had to dig around on the net to find this. I still haven't seen any
man pages. I just saw a reference to it for something related to OpenAFS
1.2.5 and assumed it got added when it didn't choke on the cell option.


On Sat, 2 Nov 2002, Charles Clancy wrote:

> > I was trying to auth Netatalk against pam_afs with multiple domains.
> > When I use the cell option it authorizes me but doesn't give me the
> > correct token (??), i.e. the login authorization stuff was horked and I didn't
> > have a token for the cell that I was trying to log in to. I THINK it was
> > trying to use the token for the wrong domain.
> 
> What version of OpenAFS are you using?  The 1.2.7 release seems to have my
> man pages which include the documentation for the cell option, but not my
> patches implementing the option.
> 
> > I am assuming this is a misconfiguration so here is my pam file.
> >
> > #%PAM-1.0
> > auth       required	pam_afs.so cell msu.edu
> > account    required	pam_unix.so
> > #password   required	pam_cracklib.so
> > #password   required	pam_unix.so use_authtok
> > session    required	pam_unix.so
> 
> Well, for this configuration, you might as well just put msu.edu in your
> ThisCell file.  It looks like it should work, though.
> 
> Could you try it out on something that gives you a shell, and double check
> the output of your tokens command?
> 
> [ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
> 
> _______________________________________________
> OpenAFS-devel mailing list
> OpenAFS-devel@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-devel
>
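The failure mode in this thread is a service that authenticates through pam_afs but then runs without a token for the cell it actually needs (here, msu.edu versus coresys). Charles's advice was to double-check the output of the tokens command; the script below is an added example, not code from the thread or from OpenAFS, that automates that check: it parses tokens(1)-style output (a constructed sample modelled on the listing above, not a live capture) and reports whether a token for a given cell is held. The function and cell names are the author's own choices.

```shell
#!/bin/sh
# Added example: verify that the AFS Cache Manager holds a token for the
# cell a given service is supposed to authenticate against.

# Constructed sample of `tokens` output, modelled on the listing in the mail.
# Replace the call to sample_tokens with the real `tokens` command on a live box.
sample_tokens() {
    cat <<'EOF'
Tokens held by the Cache Manager:

User's (AFS ID 4) tokens for afs@coresys [Expires Nov  6 13:46]
User's (AFS ID 10) tokens for afs@msu.edu [Expires Nov  6 13:46]
   --End of list--
EOF
}

# cells_with_tokens: read tokens(1)-style output on stdin and print one cell
# name per line, taken from the "tokens for afs@<cell> [Expires ...]" lines.
cells_with_tokens() {
    sed -n 's/^.*tokens for afs@\([^ ]*\) \[Expires.*$/\1/p'
}

# has_token_for CELL: exit 0 if the sample output holds a token for CELL, else 1.
# -F and -x make the comparison a fixed, whole-line match, so the dots in a
# cell name such as msu.edu are not treated as regex wildcards.
has_token_for() {
    sample_tokens | cells_with_tokens | grep -qxF -- "$1"
}

# token_count: number of tokens present in the sample output.
token_count() {
    sample_tokens | cells_with_tokens | wc -l | tr -d ' '
}

# Usage: check each cell a service on this host is expected to use.
# A missing entry means PAM may have accepted the password while the
# service still has no token for that cell.
for cell in msu.edu coresys test.msu.edu; do
    if has_token_for "$cell"; then
        echo "token present for $cell"
    else
        echo "NO token for $cell: service would run authenticated but tokenless"
    fi
done
```

On a real host, pipe the actual command instead of the sample: `tokens | cells_with_tokens` lists every cell currently covered, which is the quickest way to confirm that a pam_afs `cell` setting (or the ThisCell default) produced the token the service needs rather than one for a different cell.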