[OpenAFS] how to integrate auth with Linux system

Mike Lee mike.li@bamboonetworks.com
Sun, 10 Feb 2002 09:23:17 +0800


Thank you

Charles Clancy wrote:

>>After thinking a while,
>>I got a solution in my mind:
>>
>><1>set the nis passwd source file (before make) as invalid, like "*NP*" or
>>"!!"; this makes the user unable to log in with the nis passwd
>>
>
>I really don't know what you mean by "nis passwd source file".  I assume
>you mean you are going to set the password entries in the nis passwd
>source file to the above suggestions.  That should be fine.
>
I mean that the nis maps are based on a passwd file (the default is
/etc/passwd), so
<1>I change the makefile to point to another one (for example,
/etc/nis/passwd)
<2>and change the passwd field to "!!" or "*NP*" for each user
BTW: is *NP* a formal string for disabling a password? Or is it just
that md5 can never produce this string?

>><2>setup client PAM to use afs auth
>>
>
>Correct.
>
>><3>map the user home folder to the afs mount point
>>is that right?
>>
>
>You can do that.  Something I've done in the past is to have the
>directory: /afs/cell.domain.net/home
>
>and then make a symlink: ln -s /afs/cell.domain.net/home /home
>
>Users' home directories can then be in the standard place.
>
>>BTW: for cvs user,
>><1>use cvs passwd to auth user,
>>
>You'd probably want a local account (not NIS or AFS) for the CVS user.
>
Yes, and the currently running cvs system is for part of the system users.
What is more, it is a requirement to check who changes the cvs files and to
have different permissions for different projects.
(In general, the users do not want to have several passwords for many
systems.)

>><2>make a script to sync the nis passwd source file to the cvs passwd file
>>is that right again?
>>
>
>Who do you want to log in to CVS?  Do you want to have a single account
>for everyone to share, or do you want regular AFS users to log in?  If you
>want AFS users to log in, you'll want to double check the status of PAM
>support, or use Kerberos 5 support (if you are running kerberos 5 in your
>cell).
>
It does not officially support PAM, and I found that it maybe just reads the
/etc/passwd and /etc/shadow files and does not support nis auth either. It
will be a big problem. I guess I need to crack it to do that.

>
>--
>t. charles clancy <> tclancy@uiuc.edu <> www.uiuc.edu/~tclancy
>
>
>
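
Added example (not part of the original messages, and not OpenAFS, NIS or CVS project code): a sketch of step <1> above, replacing every password field in a copy of the passwd file with a lock marker before the NIS maps are built, then auditing that no usable field remains. Neither "!!" nor "*NP*" has the shape of a crypt(3) result, so no typed password can match them; the function names and the sample entries are constructed for illustration.

```python
import re

LOCK = "!!"  # marker from the thread; "*NP*" is the other one mentioned

# Traditional DES crypt output is 13 chars from this alphabet; modular
# formats (e.g. MD5) start with "$". Other strings cannot be a hash.
_DES = re.compile(r"^[./0-9A-Za-z]{13}$")

# Constructed sample entries, not taken from a real system.
SAMPLE = """\
# constructed sample
alice:$1$abcdefgh$0123456789abcdefghijk.:1001:100:Alice:/home/alice:/bin/bash
bob:abJnggxhB/yWI:1002:100:Bob:/home/bob:/bin/bash
carol::1003:100:Carol:/home/carol:/bin/bash
+::::::
"""


def is_usable(pw_field):
    """True if the field could authenticate someone: empty (no password
    required) or shaped like a crypt(3) hash."""
    return pw_field == "" or pw_field.startswith("$") or bool(_DES.match(pw_field))


def _skip(line):
    # Blank lines, comments and NIS compat entries (+/-) are not accounts.
    return not line.strip() or line[0] in "#+-"


def lock_passwd(text, lock=LOCK):
    """Return passwd text with every account's password field replaced."""
    out = []
    for line in text.splitlines():
        if _skip(line):
            out.append(line)
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # Refuse to guess: a malformed line could still carry a hash.
            raise ValueError("malformed passwd line: %r" % line)
        fields[1] = lock
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


def audit(text):
    """Names of accounts whose password field is still usable."""
    rows = (l.split(":") for l in text.splitlines() if not _skip(l))
    return [f[0] for f in rows if len(f) == 7 and is_usable(f[1])]
```

Running audit() on the generated source file before each map rebuild catches entries that were re-added with a hash or with an empty field, which would allow login with no password at all.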