[OpenAFS] Need help getting OpenAFS integrated login working on Linux RedHat 7.3

Stan Gowen sgowen@us.ibm.com
Wed, 29 May 2002 16:58:49 -0500


I am very new to Linux.  Just installed my first Linux O/S (RedHat 7.3) on
my laptop yesterday.  I have been using IBM's AIX for 10+ years.

My goal is to access my home development directory on an AFS server at IBM
Austin.

I heard about OpenAFS and was pleased to find that there were binaries
available for RedHat 7.3.

I installed the following RPMs:

openafs-1.2.4-rh7.3.2.i386.rpm
openafs-client-1.2.4-rh7.3.2.i386.rpm
openafs-kernel-1.2.4-rh7.3.2.i386.rpm
openafs-kpasswd-1.2.4-rh7.3.2.i386.rpm

I followed the detailed instructions located at:

http://www.openafs.org/pages/doc/QuickStartUnix/auqbg007.htm#HDRWQ143
(Enabling AFS Login on Linux Systems)

I noticed that the package installed:

/lib/security/pam_afs.so.1
/lib/security/pam_afs.krb.so.1

I think I convinced myself that we don't use Kerberos AFS authentication in
our cell by looking at the authentication program used on my AIX system.

So, I created the following link:

ln -s /lib/security/pam_afs.so.1 /lib/security/pam_afs.so

The PAM configuration files I encountered on RedHat 7.3 were different
enough from the examples in this documentation that I am unsure as to
whether or not I edited them correctly.  My versions are included below.

My questions are:

1) Did I put the "pam_afs.so" entries in the correct order relative to
other entries in this file?
2) Do I need all the PAM configuration files I am listing?
3) Do I need to create a local user with the same id/password as my AFS id
on a Linux system? Or can I somehow log in, obtain an AFS token, and start up
in my AFS home?  (I do this on my AIX system and was hoping to do the same
on Linux.)

I have been able to log in to RedHat Linux 7.3 as root, klog with my AFS id,
and access my AFS cell, which is great.  But I would sure like to figure
out how to get the integrated login to work, with my normal id.

Many Thanks in Advance to anyone that can help.

(/etc/pam.d/login)
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_afs.so try_first_pass ignore_root
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
session    optional     /lib/security/pam_afs.so

(/etc/pam.d/samba)
auth       required   /lib/security/pam_afs.so ignore_uid 100 set_token
#
#Here, users with uid>100 are considered to belong to AFS and users with
#uid<=100 are ignored by pam_afs.

(/etc/pam.d/xscreensaver)
#%PAM-1.0
auth       sufficient   /lib/security/pam_afs.so ignore_uid 100 refresh_token
auth       required     /lib/security/pam_stack.so service=system-auth

(/etc/pam.d/httpd)
auth       required   /lib/security/pam_afs.so ignore_uid 100 dont_fork

(/etc/pam.d/su)
#%PAM-1.0
auth       sufficient   /lib/security/pam_afs.so ignore_uid 100
auth       sufficient   /lib/security/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/pam_wheel.so use_uid
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_afs.so no_unlog
session    optional     /lib/security/pam_xauth.so

(/etc/pam.d/xdm)
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_afs.so ignore_uid 100 use_klog
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_afs.so remainlifetime 10
session    optional     /lib/security/pam_console.so

Stan Gowen   (sgowen@us.ibm.com)
STI Design Center - Software Development
Off: (512)838-8284    Fax: (512)838-1929   B906/3001A
IBM, 11501 Burnet Rd., Austin, TX  78758
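
Added example, not part of the original post: a small Python model of how Linux-PAM control flags combine, run over the auth lines of the /etc/pam.d/login file quoted above, to show what the position of the `sufficient` pam_afs.so line means for the ordering question. Assumptions: pam_stack.so (service=system-auth) is treated as a single pass/fail module, the per-module outcomes are constructed for two hypothetical users, and `afs_first` is a hypothetical reordering used only for comparison.

```python
# Simplified model of PAM control flags (required, requisite, sufficient).
# Module results are supplied by the caller (constructed); no real PAM calls.
LOGIN_AUTH = """\
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_afs.so try_first_pass ignore_root
"""

def parse(text, group="auth"):
    """Return [(control, module_file)] for one management group."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == group:
            entries.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return entries

def evaluate(entries, outcomes):
    """Return (granted, modules_run); outcomes maps module -> True/False."""
    failed, succeeded, ran = False, False, []
    for control, module in entries:
        ok = outcomes[module]
        ran.append(module)
        if control in ("required", "requisite"):
            if ok:
                succeeded = True
            else:
                failed = True            # remembered; the stack still fails
                if control == "requisite":
                    break                # requisite failure stops immediately
        elif control == "sufficient" and ok:
            succeeded = True
            if not failed:
                break                    # success ends the stack early
        # a failed sufficient module (and any optional one) is ignored here
    return (succeeded and not failed), ran

def afs_first(entries):
    """Hypothetical variant: pam_afs.so moved right after the first entry."""
    afs = [e for e in entries if e[1] == "pam_afs.so"]
    rest = [e for e in entries if e[1] != "pam_afs.so"]
    return rest[:1] + afs + rest[1:]

# Constructed outcomes: an AFS-only user has no local password, so system-auth fails.
AFS_ONLY = {"pam_securetty.so": True, "pam_stack.so": False, "pam_nologin.so": True, "pam_afs.so": True}
LOCAL = {"pam_securetty.so": True, "pam_stack.so": True, "pam_nologin.so": True, "pam_afs.so": False}

if __name__ == "__main__":
    for stack in (parse(LOGIN_AUTH), afs_first(parse(LOGIN_AUTH))):
        print(evaluate(stack, AFS_ONLY), evaluate(stack, LOCAL))
```

In this model the posted order rejects the AFS-only user even though pam_afs.so succeeds, and lets the local user in without pam_afs.so having succeeded; the reordered variant admits the AFS-only user but never reaches pam_nologin.so.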