[OpenAFS-devel] AFS-NSS-Module?

Todd Lewis Todd_Lewis@unc.edu
Sat, 30 Oct 2004 12:22:32 -0400


If you're determined to put an nss interface onto the ptserver, you might start 
by looking at http://tarna.oit.unc.edu/~utoddl/ and grabbing nss_pts_0.2.tgz. 
It only implements getpwuid(), but you could add other relevant getXXX() 
functions if you want them. It works on Linux and Solaris. Don't know about 
other platforms.

You might also want to consider another approach. While you're there, grab 
propup.tar.gz. Propup is a pam module that you can put first in your pam stack. 
It always returns true, but has the side effect of checking to see if the user 
who's trying to log in is already in the /etc/passwd file. If not, it checks 
for the existence of that user in a file in AFS. (We keep a file that looks 
very like an /etc/passwd file in our cell that has everybody in it. That file 
is called [...]/prop/users, hence the name of the module. Obviously you could 
change it to look directly at, say, ptserver, maybe using code from 
nss_pts_0.2, if you didn't want to maintain such a file.) If the user is there 
but not in /etc/passwd, it adds their info to the local /etc/passwd file, then 
runs pwconv. In any case, it returns true to the pam stack. This way your users 
get automatically added to your system as they try to log in the first time.

These are both quick and dirty hacks, but they work well for me. By all means, 
feel free to enhance and/or repair them to your heart's content.

Happy computing,

TOBx@gmx.de wrote:
> Hi *,
> does anyone know a nss-module for AFS or something like that?
> I've a couple of AFS-machines in one cell and want to be able to log on to
> the system using the AFS-accounts.
> This works fine with the pam_afs module as long as the afs-user exists in my
> local /etc/passwd.
> What I'm searching for is something with the functionality of an nss-module,
> that creates (maybe on a template-basis) the missing information for the
> login-process on the fly.
> Example:
> What AFS can deliver (through pam_afs): Username:Password
> What is missing (in comparison to the /etc/passwd): uid:gid:gecos:home_dir:shell
> The missing information may either be exported from afs by asking the
> ptserver (e.g. the uid) or by
> generating them.
> The home-dir can be generated from a configurable prefix (e.g.
> /afs/CELLNAME/home/) and the afs-username.
> The gecos is not really important.
> And the shell can also be set by a template (e.g. /bin/sh).
> The reason is that I want to be able to add a user to the afs on one host
> and then log on at any of the hosts
> without syncing anything and without an additional user-list like LDAP.
> By now I haven't found something like this. So for the case that you don't
> know such a thing, too, I'm playing with
> the idea to write a nss_afs-module. Would anyone of you be able to help me
> with it (reviewing code and so on...)?
> Greets
> 	Tobias
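
The provisioning step described in the reply above (copy a passwd-style record from a file in AFS into the local /etc/passwd) trusts whatever that file contains, so a module doing this would want to vet each record before appending it. The following is an added example, not code from propup or nss_pts; the function names, the MIN_UID floor, the gid-0 rule and the character set are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MIN_UID 1000UL /* assumed local policy: never provision system/root uids */

/* Conservative login-name check: no ':' or whitespace can reach /etc/passwd. */
static int name_ok(const char *s) {
    if (!isalpha((unsigned char)*s) && *s != '_') return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && !strchr("_-.", *s)) return 0;
    return 1;
}

/* Strict decimal parse: digits only, no sign, no trailing junk, fits in 32 bits. */
static int parse_id(const char *s, unsigned long *out) {
    char *end;
    if (!isdigit((unsigned char)*s)) return 0;
    errno = 0;
    *out = strtoul(s, &end, 10);
    return errno == 0 && *end == '\0' && *out <= 0xFFFFFFFEUL;
}

/* Returns 1 if `line` (one record read from the AFS-hosted user file) is
 * acceptable to append to /etc/passwd for the user logging in as `login`. */
int entry_is_safe(const char *login, const char *line) {
    char buf[512], *f[7], *p;
    unsigned long uid, gid;
    int n = 0;
    size_t len = strlen(line);
    if (len == 0 || len >= sizeof buf) return 0;
    memcpy(buf, line, len + 1);
    if (buf[len - 1] == '\n') buf[--len] = '\0';  /* drop the record terminator */
    if (strpbrk(buf, "\r\n")) return 0;           /* embedded newline = second record */
    f[n++] = buf;
    for (p = buf; *p; p++)
        if (*p == ':') {
            if (n == 7) return 0;                 /* more than 7 fields */
            *p = '\0'; f[n++] = p + 1;
        }
    if (n != 7) return 0;                         /* fewer than 7 fields */
    if (!name_ok(f[0]) || strcmp(f[0], login) != 0) return 0;
    if (!parse_id(f[2], &uid) || !parse_id(f[3], &gid)) return 0;
    if (uid < MIN_UID || gid == 0) return 0;      /* no privileged ids */
    if (f[5][0] != '/' || f[6][0] != '/') return 0; /* absolute home and shell */
    return 1;
}
```

A caller would still need to hold the passwd lock while appending and re-check that the name and uid are not already present locally.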