[OpenAFS] Need help getting OpenAFS integrated login working on Linux RedHat 7.3
Charles Clancy
security@xauth.net
Wed, 29 May 2002 17:14:16 -0500 (CDT)
> 3) Do I need to create a local user with the same id/password as my AFS id
> on a Linux system?
Sort of. You need a local user with no usable password -- that is,
something like "*NP*" in /etc/shadow.
> Or can I somehow login, obtain an AFS token, and startup
> in my AFS home? (I do this on my AIX system and was hoping to do the same
> on Linux.)
Yes, but if you're doing this from home, over DSL or something similar,
the lag may become annoying.
Personally, I'd suggest something like:
ln -s /afs/@cell/users/.../username/ ~/afshome
Then, you can log in normally. If you're online, and want to get to your
files, just klog and cd ~/afshome.
> (/etc/pam.d/login)
> #%PAM-1.0
> auth required /lib/security/pam_securetty.so
> auth required /lib/security/pam_stack.so service=system-auth
> auth required /lib/security/pam_nologin.so
> auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
> session optional /lib/security/pam_console.so
> session optional /lib/security/pam_afs.so
For "auth", try:
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
The rest should be fine.
> (/etc/pam.d/samba)
> auth required /lib/security/pam_afs.so ignore_uid 100 set_token
> #
> #Here, users with uid>100 are considered to belong to AFS and users with
> #uid<=100 are ignored by pam_afs.
Umm... unless you're using samba, you don't need this file. It takes a
lot of work to get AFS and Samba to play together nicely.
> (/etc/pam.d/xscreensaver)
> #%PAM-1.0
> auth sufficient /lib/security/pam_afs.so ignore_uid 100 refresh_token
> auth required /lib/security/pam_stack.so service=system-auth
Looks good -- however I think "ignore_uid 100" only ignores that single
UID. In most cases, I'd recommend just using "ignore_root".
> (/etc/pam.d/httpd)
> auth required /lib/security/pam_afs.so ignore_uid 100 dont_fork
Again, unless you're using some sort of apache module for PAM
authentication, you don't need this.
> (/etc/pam.d/su)
> #%PAM-1.0
> auth sufficient /lib/security/pam_afs.so ignore_uid 100
> auth sufficient /lib/security/pam_rootok.so
> # Uncomment the following line to implicitly trust users in the "wheel" group.
> #auth sufficient /lib/security/pam_wheel.so trust use_uid
> # Uncomment the following line to require a user to be in the "wheel" group.
> #auth required /lib/security/pam_wheel.so use_uid
> auth required /lib/security/pam_stack.so service=system-auth
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
> session optional /lib/security/pam_afs.so no_unlog
> session optional /lib/security/pam_xauth.so
Looks fine.
> (/etc/pam.d/xdm)
> #%PAM-1.0
> auth required /lib/security/pam_stack.so service=system-auth
> auth required /lib/security/pam_nologin.so
> auth sufficient /lib/security/pam_afs.so ignore_uid 100 use_klog
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
> session optional /lib/security/pam_afs.so remainlifetime 10
> session optional /lib/security/pam_console.so
I know that on my redhat 7.2 machine, this file isn't used. You should
modify /etc/pam.d/gdm if you're using the graphical login screen.
For console logins to work, all you need to do is modify /etc/pam.d/login.
For graphical logins, /etc/pam.d/gdm. For unlocking your screensaver
(gnome only, I think -- you're screwed if you're using KDE) edit
/etc/pam.d/xscreensaver.
Depending on your setup, you may want to edit files such as
/etc/pam.d/[sshd|telnet|ftp]
Also, with Redhat's pam arrangement, you can just edit
/etc/pam.d/system-auth, and include the AFS settings there, and everything
else will magically work, because they call pam_stack.so which processes
the settings in the service argument.
[ t charles clancy ]-[ tclancy@uiuc.edu ]-[ uiuc.edu/~tclancy ]
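Added example, not code from this thread and not part of OpenAFS: a small POSIX shell lint for two of the points discussed above, run against constructed sample input so it works offline. The "auth" ordering suggested in the reply puts "auth sufficient pam_afs.so" ahead of "auth required pam_nologin.so". Under Linux-PAM control-flag semantics (a fact about PAM, not an assumption of this example), a succeeding "sufficient" module with no earlier "required" failure ends the auth stack at once, so pam_nologin.so is never consulted for any user pam_afs accepts and /etc/nologin stops applying to them; pam_stack.so being skipped in the same way is the intended effect of "sufficient" and is not reported. The function names, the list of "gate" modules (pam_nologin.so, pam_securetty.so) and the sample files are this example's own choices; the second function checks that a local account's /etc/shadow entry really has no usable password, which is what the "*NP*" advice above is for.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenAFS. Two checks for the
# PAM configuration discussed above, run on constructed input. Function names
# and the list of "gate" modules are this example's own choices.

# Linux-PAM control-flag semantics (a fact about PAM): when an "auth sufficient"
# module succeeds and no earlier "required" module has failed, PAM stops
# evaluating the auth stack and returns success. A "required" module listed
# after that line is never consulted for users the sufficient module accepts.

# Constructed sample 1: the "auth" ordering suggested in the reply above,
# with pam_nologin.so after the sufficient pam_afs.so line.
SAMPLE_LOGIN='#%PAM-1.0
auth       required   /lib/security/pam_securetty.so
auth       sufficient /lib/security/pam_afs.so try_first_pass ignore_root
auth       required   /lib/security/pam_stack.so service=system-auth
auth       required   /lib/security/pam_nologin.so'

# Constructed sample 2: both gate modules moved ahead of the sufficient line.
SAMPLE_LOGIN_FIXED='#%PAM-1.0
auth       required   /lib/security/pam_securetty.so
auth       required   /lib/security/pam_nologin.so
auth       sufficient /lib/security/pam_afs.so try_first_pass ignore_root
auth       required   /lib/security/pam_stack.so service=system-auth'

# pam_auth_bypassed CONTENT
# Prints, one per line, gate modules ("required"/"requisite" in the auth
# stack) that appear after the first "auth sufficient" entry. Prints nothing
# when the ordering is safe. Comment lines and short lines are ignored.
pam_auth_bypassed() {
    printf '%s\n' "$1" | awk -v gates="pam_nologin.so pam_securetty.so" '
        BEGIN { n = split(gates, g, " "); for (i = 1; i <= n; i++) gate[g[i]] = 1 }
        /^[ \t]*#/ || NF < 3 { next }    # skip comments and junk
        $1 != "auth"         { next }    # only the auth stack matters here
        $2 == "sufficient"   { seen_sufficient = 1; next }
        seen_sufficient && ($2 == "required" || $2 == "requisite") {
            m = split($3, parts, "/"); mod = parts[m]   # strip /lib/security/
            if (mod in gate) print mod
        }'
}

# shadow_password_unusable SHADOW_LINE
# Exit 0 when the password field of an /etc/shadow line can never match a
# crypt() result: "*NP*" as suggested above, or the usual "*", "!", "!!"
# lock markers. An EMPTY field is deliberately reported as usable: it means
# "no password", and pam_unix accepts that as a blank password when it is
# given the nullok option.
shadow_password_unusable() {
    field="$(printf '%s\n' "$1" | cut -d: -f2)"
    case "$field" in
        '')        return 1 ;;   # blank password, not a lock
        '*'*|'!'*) return 0 ;;   # "*NP*", "*", "!", "!!", "!<hash>"
        *)         return 1 ;;   # anything else is treated as a real hash
    esac
}

# Stand-alone run: report on both samples and one constructed shadow line.
for sample in SAMPLE_LOGIN SAMPLE_LOGIN_FIXED; do
    eval "content=\$$sample"
    printf '%s: bypassed gate modules: %s\n' "$sample" \
        "$(pam_auth_bypassed "$content" | tr '\n' ' ')"
done
if shadow_password_unusable 'afsuser:*NP*:11836:0:99999:7:::'; then
    echo 'afsuser: local password unusable, login must come from pam_afs'
fi
```

To use it on a real system, feed it the contents of /etc/pam.d/login (or of /etc/pam.d/system-auth, if pam_afs is placed there as the reply suggests) and the user's own line from /etc/shadow. Any gate module it prints should be moved above the "sufficient" pam_afs.so line; the same ordering check applies to gdm, sshd and the other service files mentioned above.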