[OpenAFS] How to allow local users login if network is down?

Charles Clancy mgrtcc@cs.rose-hulman.edu
Sun, 5 Aug 2001 21:42:29 -0500


Switch the order of your pam modules:

auth sufficient /lib/security/pam_unix.so
auth required /lib/security/pam_pam.so use_first_pass ignore_root

Then it will try local authentication before AFS.  Now, if someone has
both a local and AFS account, it will log them in, but will not get a
token, because it succeeded on pam_unix, and that was "sufficient".

We use this arrangement to allow root logins when the network is down.
_________________________________________
Charles Clancy, mgrtcc@cs.rose-hulman.edu
sysadmin emeritus - RHIT Computer Science 


> -----Original Message-----
> From: openafs-info-admin@openafs.org 
> [mailto:openafs-info-admin@openafs.org] On Behalf Of 
> Paolo.Saggese.Paolo.Saggese@libero.it
> Sent: Friday, August 03, 2001 9:02 AM
> To: openafs-info@openafs.org
> Subject: [OpenAFS] How to allow local users login if network is down?
> 
> 
> Hi everybody,
> 
> 	I have (yet another!) question. I have successfully 
> installed the 
> OpenAFS client on our Mandrake 8.0 Linux boxes (using a 
> "vanilla" 2.4.5 
> Kernel). I have also set-up PAM as suggested, adding the line:
> 
> auth       sufficient   /lib/security/pam_afs.so 
> try_first_pass ignore_root
> 
> before the other "auth" lines to the relevant files in /etc/pam.d/.
> 
> Everything seems to be working just fine, but there's one 
> problem: if the 
> AFS/NIS servers becomes unreachable/unavailable, it become 
> impossible to 
> login to the machines.
> Well, of course this is an obvious and unavoidable behaviour 
> for all those 
> users who have their own accounts served via AFS+NIS... But 
> it is much less 
> obvious for any "local" user who have its own account data 
> stored in the 
> local /etc/passwd file and its home directory in some local 
> filesystem, too.
> 
> I guess there must be a way to allow local users to login 
> even if the AFS/NIS 
> servers are down, but I'm not a PAM expert and don't know how 
> to do it...
> 
> Does anybody has any idea on how to do it?
> 
> Thanks a lot.
> 
> Ciao,
> 				Paolo.
> 
> --
> http://borex.lngs.infn.it/saggese
> You can still escape from the GATES of hell: Use Linux!
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>