[OpenAFS] AFS Authentication with PAM

Brandon S. Allbery KF8NH allbery@ece.cmu.edu
Thu, 05 Jul 2001 09:31:24 -0400

On Thursday, July 05, 2001 09:03:33 -0300, ulisses@radix.com wrote:
| We are trying to use pam_afs in order to test some [possible] glitches
| before moving into a completely distributed authentication system such
| as Kerberos or LDAP. We are, however, having some problems regarding
| user management and pam_afs -- a user cannot log in unless an entry for
| him exists in the local pwdb (either shadow, plain passwd or something
| equivalent). This breaks the transparency of a fully distributed
| authentication system, as we have to create every single user on every
| single machine, and AFS seems to be used only when checking passwords.
| Is this a known PAM/Linux glitch? What is the workaround for this?

Presumably you also need to change the name service switch to get 
information that isn't maintained by Kerberos (such as the user's home 
directory and shell) from a distributed database.  You will need to run 
something like LDAP or NIS for this.  Take a look at /etc/nsswitch.conf.

brandon s. allbery    [os/2][linux][solaris][japh]   allbery@kf8nh.apk.net
system administrator       [WAY too many hats]         allbery@ece.cmu.edu
electrical and computer engineering                                  KF8NH
carnegie mellon university    ["better check the oblivious first" -ke6sls]
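
The check the reply points to, as an added example that is not part of the original post: a small parser for the nsswitch.conf format that reports which account databases can only be answered from local files, which is the condition behind the login failure described in the question. Both configuration samples are constructed, and treating `files` and `db` as the only purely local sources is an assumption of this sketch.

```python
import re

# Constructed sample: the setup that produces the symptom in the question.
LOCAL_ONLY = """\
# /etc/nsswitch.conf (constructed sample)
passwd:   files
shadow:   files
group:    files
hosts:    files dns
"""

# Constructed sample: account data is also served by a directory service.
DISTRIBUTED = """\
passwd:   files ldap
shadow:   files
group:    files [NOTFOUND=continue] nis   # trailing comment
hosts:    files dns
"""

LOCAL_SOURCES = {"files", "db"}   # assumption: sources that never leave the host
ACCOUNT_DBS = ("passwd", "group") # databases that supply uid, home directory, shell, groups

def parse_nsswitch(text):
    """Return {database: [source, ...]} with sources in lookup order."""
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)   # drop [STATUS=action] items
        result[db.strip()] = rest.split()
    return result

def local_only_databases(text):
    """Account databases listed in the file that no network source can answer."""
    conf = parse_nsswitch(text)
    return [db for db in ACCOUNT_DBS
            if db in conf and not (set(conf[db]) - LOCAL_SOURCES)]

if __name__ == "__main__":
    for name, sample in (("local-only", LOCAL_ONLY), ("distributed", DISTRIBUTED)):
        print(name, parse_nsswitch(sample), local_only_databases(sample))
```

After changing the file, `getent passwd <username>` exercises the same lookup path that login uses for account information.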