[OpenAFS] pam when server is down (again)

Charles Clancy security@xauth.net
Fri, 8 Nov 2002 12:18:29 -0600 (CST)


> but I still have problems with login into a client
> when the afs server is down.
>
> login	auth       requisite  pam_securetty.so
> login	auth       required   pam_unix.so
> login	auth       sufficient pam_afs.so debug try_first_pass ignore_root
> login	auth       optional   pam_group.so

So, in order to log in, people need both a UNIX account and an AFS
account?  I think the following would be better:
  login	auth       sufficient pam_unix.so
  login	auth       required pam_afs.so debug try_first_pass

Now, if they have a local account, it will let them log in, and completely
ignore AFS authentication (good if AFS is down).  However, if they don't
have a local account, it will fall through to AFS authentication.

The problem is that if all your users have both local and AFS accounts, my
suggested scheme will always bypass AFS authentication.

There's no real way to have it automatically retrieve an AFS token for a
local user iff AFS is up and running.  It might be a useful addition to
the module, however.

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]