[OpenAFS] pam when server is down (again)
Charles Clancy
security@xauth.net
Fri, 8 Nov 2002 12:18:29 -0600 (CST)
> but I still have problems with login into a client
> when the afs server is down.
>
> login auth requisite pam_securetty.so
> login auth required pam_unix.so
> login auth sufficient pam_afs.so debug try_first_pass ignore_root
> login auth optional pam_group.so
So, in order to log in, people need both a UNIX account and an AFS
account? I think the following would be better:

login auth sufficient pam_unix.so
login auth required pam_afs.so debug try_first_pass

Now, if they have a local account, it will let them log in, and completely
ignore AFS authentication (good if AFS is down). However, if they don't
have a local account, it will fall through to AFS authentication.

The problem is that if all your users have both local and AFS accounts, my
suggested scheme will always bypass AFS authentication.

There's no real way to have it automatically retrieve an AFS token for a
local user iff AFS is up and running. It might be a useful addition to
the module, however.
[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
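
The control-flag behaviour discussed in this message, as an added example that is not part of the original post or of OpenAFS: a simplified Python model of how Linux-PAM evaluates `requisite`, `required`, `sufficient` and `optional` in an auth stack, run over the quoted stack and the suggested one. The function names and per-module outcomes are constructed for illustration, and the model assumes every module returns immediately with success or failure.

```python
# Simplified model of Linux-PAM auth-stack control flags (added example).
# Assumption: every module returns at once with success or failure; a hang
# while pam_afs.so waits for an unreachable server is not modelled.
ORIGINAL = [("requisite", "pam_securetty.so"), ("required", "pam_unix.so"),
            ("sufficient", "pam_afs.so"), ("optional", "pam_group.so")]
SUGGESTED = [("sufficient", "pam_unix.so"), ("required", "pam_afs.so")]

def module_results(local_account, afs_account, afs_up):
    """Constructed per-module outcomes for one login attempt."""
    return {"pam_securetty.so": True, "pam_unix.so": local_account,
            "pam_afs.so": afs_account and afs_up, "pam_group.so": True}

def run_stack(stack, results):
    """Return (login_allowed, modules_called) for one auth stack."""
    failed = succeeded = False
    called = []
    for control, module in stack:
        called.append(module)
        ok = results[module]
        if control == "requisite" and not ok:
            return False, called          # fail and stop immediately
        if control == "sufficient":
            if ok and not failed:
                return True, called       # success, skip the rest of the stack
            continue                      # failure of a sufficient module is ignored
        if control == "required" and not ok:
            failed = True                 # remembered, but the stack keeps running
        elif ok:
            succeeded = True              # optional failures fall through, ignored
    return succeeded and not failed, called

def outcome(stack, local_account, afs_account, afs_up):
    """Return (login_allowed, pam_afs_was_called) for one scenario."""
    allowed, called = run_stack(
        stack, module_results(local_account, afs_account, afs_up))
    return allowed, "pam_afs.so" in called

if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        for local in (True, False):
            for afs_up in (True, False):
                allowed, afs_called = outcome(stack, local, True, afs_up)
                print(f"{name:9} local={local!s:5} afs_up={afs_up!s:5} "
                      f"login={allowed!s:5} pam_afs_called={afs_called}")
```

The second value returned by `outcome` shows whether `pam_afs.so` ran at all, which is the only point at which a token could be obtained during login.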