[OpenAFS] AFS client over NIS

Hongliang Gai hgai@ecs.syr.edu
Wed, 27 Feb 2002 10:43:51 -0500 (EST)


Hi, All:
I still have a problem using the AFS modified one-step login utility. I
created an AFS user account, called 'jack', for the existing Linux user
account 'jack' (which is an NIS account), with the Linux UID matched with
the AFS UID. I configured a client machine (Red Hat 7.0, with Gnome) as an
AFS client and added a 'jack' entry to its local /etc/passwd and /etc/shadow.
Also, I changed 'jack's passwd field in the NIS database (the NIS server
machine's /etc/shadow) to be '*NP*' and rebuilt the map. When setting up the
AFS client on this client machine, I modified the /etc/pam.d/login service to
add an entry for pam_afs.so.
Then 'jack' tried to log in through that client machine (Gnome, windows-like
screen), and failed. ('jack' can log in to AFS by two-step, i.e. klog
after NIS auth in another Linux box without an AFS client.)

1. Do I have to modify other services in /etc/pam.d/ in order to enable
'jack' to log in through Gnome?
2. Should pam_afs.so be the first auth entry in /etc/pam.d/login?

I got really frustrated. I'm new to AFS and Linux admin. Any help is
great!
 
Thanks in advance,

-Hongliang

On Mon, 18 Feb 2002, Charles Clancy wrote:

> > I'm trying to convert existing Linux users(NIS) to AFS users.
> > Should I disable NIS client on every local machine on which AFS users
> > will login? (suppose NIS server and AFS server are running in same
> > machine)
> > or if NIS client and AFS client can be running in the same local
> > machine, how to set up entries in local /etc/passwd, /etc/shadow and
> > /etc/group files? (here "local" means machines other than AFS and NIS
> > server).
> 
> AFS does not provide /etc/passwd information (home dir, shell, gecos,
> etc).  You still need to either use NIS, or have local /etc/passwd entries
> for this information.  If you want to use NIS, I'd recommend setting the
> password field in the shadow map to "*NP*", so NIS only provides name
> service and not authentication.  See one of the MANY responses to this
> exact question in the mailing list archive.
> 
> --
> t. charles clancy <> tclancy@uiuc.edu <> www.uiuc.edu/~tclancy
>