[OpenAFS] AFS Authentication with PAM
Jeffrey Hutzelman
jhutz@cmu.edu
Fri, 6 Jul 2001 10:09:21 -0400 (EDT)
On Thu, 5 Jul 2001, Mitch Collinsworth wrote:
> > > NIS is partially broken, at least in Redhat 6.2. Near as I've been
> > > able to tell it fails to consult /etc/passwd for allowed and disallowed
> > > users. Any user that exists in the NIS passwd database is allowed to
> > > login. This even if no + entry exists that includes them, and even if
> > > an explicit - entry exists that disallows them.
> >
> > How is your nsswitch.conf set up? I believe you want a line like
> > this:
> >
> > passwd: files compat
> >
> > ...and *not* like this:
> >
> > passwd: files nis
> >
> > The "compat" service is supposed to work like Sun's NIS configuration;
> > that is, it searches /etc/passwd for allow/exclude lines. The "nis"
> > service just consults NIS.
>
> Well... This appears to be exactly the problem. Had I read
> nsswitch.conf(5) I'd have known this. I guess this is the fallacy
> of assuming that if it looks just like the same feature on all the
> other OS's I've used over the years then it must work just like
> them, too. :-)
FWIW, you probably actually want just 'compat' and not 'files compat'.
And you likely want it on the group and shadow lines as well. This is
also covered in nsswitch.conf(5) (which, incidentally, is a totally bogus
place to document the behaviour of specific nss modules).
-- Jeff
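
The check discussed in this thread, as an added example that is not part of the original message: a small Python audit that flags a passwd, group or shadow line using the "nis" service while the matching file carries +/- entries, and a "files compat" line where the reply suggests "compat" alone. The function names and the sample file contents are constructed for illustration.

```python
import re

DATABASES = ("passwd", "group", "shadow")  # the lines the reply says to check

# Constructed sample inputs (not taken from any real host).
SAMPLE_NSSWITCH = """\
# constructed sample
passwd: files nis
group:  files compat
shadow: compat
hosts:  files [NOTFOUND=return] dns
"""
SAMPLE_FILES = {
    "passwd": "root:x:0:0:root:/root:/bin/sh\n-baduser\n+@staff\n",
    "group": "root:x:0:\n+\n",
    "shadow": "root:*:11500:0:99999:7:::\n+\n",
}

def parse_nsswitch(text):
    """Return {database: [service, ...]}, dropping comments and [action] items."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # e.g. [NOTFOUND=return]
        conf[db.strip()] = rest.split()
    return conf

def has_compat_entries(file_text):
    """True if the file contains +/- include or exclude lines."""
    return any(l.startswith(("+", "-")) for l in file_text.splitlines())

def audit(nsswitch_text, files):
    """files maps database name to the text of /etc/<database>."""
    conf = parse_nsswitch(nsswitch_text)
    findings = []
    for db in DATABASES:
        services = conf.get(db, [])
        if "nis" in services and has_compat_entries(files.get(db, "")):
            findings.append(f"{db}: 'nis' consults NIS directly, so the +/- "
                            f"lines in /etc/{db} are not applied; use 'compat'")
        elif "compat" in services and "files" in services:
            findings.append(f"{db}: 'files compat' found; 'compat' alone suffices")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_NSSWITCH, SAMPLE_FILES)) or "no findings")
```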