[OpenAFS-devel] PAM auth multiple domains.
Sean O'Malley
omalleys@eclipse.cl.msu.edu
Tue, 5 Nov 2002 12:56:03 -0500 (EST)
Ah! It sounds like the patch isn't installed in the OpenAFS
1.2.7 RPMs I used to install. (I didn't try very hard, but AFS didn't like the
new kernel.) And I didn't feel like screwing with recompiling AFS.
The problem is I was hoping to auth and set a token for two different
domains based on the requested service. For example: Netatalk would auth
and set a token for msu.edu, and Samba would set a token for test.msu.edu.
When I do a klog I need to specify the domain, like testuser@coresys, in
order to get a token from the other domain. If I just use the standard
klog testuser, it won't get the token for the coresys domain; it defaults
to whatever is in ThisCell, which in this case is the msu.edu domain.
[root@cc-pubafs-14 etc]# klog msuuser
Password:
[root@cc-pubafs-14 etc]# klog testuser
Password:
Unable to authenticate to AFS because user doesn't exist.
[root@cc-pubafs-14 etc]# klog testuser@coresys
Password:
[root@cc-pubafs-14 etc]# tokens
Tokens held by the Cache Manager:
User's (AFS ID 4) tokens for afs@coresys [Expires Nov 6 13:46]
User's (AFS ID 10) tokens for afs@msu.edu [Expires Nov 6 13:46]
--End of list--
[root@cc-pubafs-14 etc]#
Sean
PS I had to dig around on the net to find this. I still haven't seen any
man pages. I just saw a reference to it for something related to OpenAFS
1.2.5 and assumed it got added when it didn't choke on the cell option.
On Sat, 2 Nov 2002, Charles Clancy wrote:
> > I was trying to auth Netatalk against pam_afs with multiple domains.
> > When I use the cell option it authorizes me but doesn't give me the
> > correct token (??). I.e., the login authorization stuff was horked and I didn't
> > have a token for the cell that I was trying to log in to. I THINK it was
> > trying to use the token for the wrong domain.
>
> What version of OpenAFS are you using? The 1.2.7 release seems to have my
> man pages which include the documentation for the cell option, but not my
> patches implementing the option.
>
> > I am assuming this is a misconfiguration so here is my pam file.
> >
> > #%PAM-1.0
> > auth required pam_afs.so cell msu.edu
> > account required pam_unix.so
> > #password required pam_cracklib.so
> > #password required pam_unix.so use_authtok
> > session required pam_unix.so
>
> Well, for this configuration, you might as well just put msu.edu in your
> ThisCell file. It looks like it should work, though.
>
> Could you try it out on something that gives you a shell, and double check
> the output of your tokens command?
>
> [ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
>
> _______________________________________________
> OpenAFS-devel mailing list
> OpenAFS-devel@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-devel
>
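Charles asks to double-check the output of the tokens command after a PAM login. As an added example (not code from the thread or from OpenAFS), here is a small parser for that output that reports which cells the Cache Manager holds tokens for, so a per-service setup like the one Sean describes can be verified cell by cell; the sample output is constructed from the session above, and the exact expiry format is assumed to match it.

```python
import re
import subprocess

# Matches one token line from the OpenAFS `tokens` command, e.g.
# "User's (AFS ID 4) tokens for afs@coresys [Expires Nov 6 13:46]"
# (assumption: the expiry text is whatever sits inside the brackets).
TOKEN_LINE = re.compile(
    r"User's \(AFS ID (?P<afs_id>\d+)\) tokens for afs@(?P<cell>\S+)\s+"
    r"\[Expires (?P<expires>[^\]]+)\]"
)

# Constructed sample: the `tokens` output from the session in the mail above.
SAMPLE_TOKENS_OUTPUT = """Tokens held by the Cache Manager:
User's (AFS ID 4) tokens for afs@coresys [Expires Nov 6 13:46]
User's (AFS ID 10) tokens for afs@msu.edu [Expires Nov 6 13:46]
--End of list--
"""


def parse_tokens(output):
    """Return {cell: {"afs_id": int, "expires": str}} for each token line."""
    held = {}
    for line in output.splitlines():
        m = TOKEN_LINE.match(line.strip())
        if m:
            held[m.group("cell")] = {
                "afs_id": int(m.group("afs_id")),
                "expires": m.group("expires"),
            }
    return held


def missing_cells(output, required):
    """Cells from `required` that the Cache Manager holds no token for.

    Run after a PAM login to confirm the service got a token for the cell it
    was configured for, not only for the ThisCell default.
    """
    held = parse_tokens(output)
    return [cell for cell in required if cell not in held]


if __name__ == "__main__":
    # Live check against the local Cache Manager; falls back to the sample.
    try:
        out = subprocess.run(["tokens"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_TOKENS_OUTPUT
    for cell, info in parse_tokens(out).items():
        print(f"{cell}: AFS ID {info['afs_id']}, expires {info['expires']}")
    print("missing:", missing_cells(out, ["msu.edu", "coresys"]))
```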