[OpenAFS] OpenAFS and Linux PAM

Derek Atkins warlord@MIT.EDU
28 Sep 2002 16:47:29 -0400


Raymond <support@bigriverinfotech.com> writes:

> I would like to create user system accounts with a /bin/false shell (this has 
> worked well with FTP and PAM in the past). All users will be Win2k / XP 
> clients. The disadvantage has been that the user cannot change his or her 
> password. When utilizing this configuration, no FTP user account is created 
> as any authentication requests are forwarded to the system for a valid user 
> and password.

I'm not sure what you are trying to accomplish here....  In order for a user
to login, they need:
        1) an entry in /etc/passwd (or NIS, or Hesiod, etc.)
        2) a valid shell in said entry
        3) a password that is accepted by the system

PAM+OpenAFS can be configured to supply/verify #3 -- it cannot supply/verify
#1 or #2.

> In the case of Linux (rh73) OpenAFS and PAM, do I bypass creating the users 
> and passwords, instead creating home directories, permissions, 
> subdirectories, mount points and volumes? Or will OpenAFS create the system 
> accounts via PAM? If so, what about existing system accounts?

If you want to enable a user to login, they must have an /etc/passwd
entry with valid shell.

> Should AFS-specific user and group accounts such as anyuser be created as 
> system user and group accounts when using PAM?

No.

> Will kpasswd change the system password when utilizing PAM system 
> authentication?

No.

> The documentation discusses HOW to configure OpenAFS and PAM but does clearly 
> detail the interaction. Perhaps someone could post a separate doc on this.

The interaction is simple:  AFS (via KAServer) provides an Authentication
system...  You can use that in lieu of local passwords.  You also need to
obtain AFS tokens to access AFS files, and PAM can do that for you as well.

> Lastly, as Redhat kernels update so frequently, would someone consider posting 
> a Redhat-distro-specific kernel.src.rpm that could be configured with 
> --rebuild and --define 'kernel <kernel>' args.  This would make life much 
> easier for many of us Redhat Network subscribers (and probably the OpenAFS 
> maintainers).

There is already the openafs-kernels-source package.  Building individual
modules for individual kernels would be a lot of work for _me_ (the RPM
maintainer).  If someone else wants to supply me the glue such that all
I need to do is run a single rpm invocation to build all the modules for
all the kernels available, I'll consider it.  It would involve at least:

1) supplying an openafs-kernel SPEC file
2) creating the glue in the openafs SPEC file to re-run RPM on the
   openafs-kernel spec file for every kernel..

I have no objection to this change in theory..  In fact I'd kind of
prefer this method for the next "major" OpenAFS release (1.3 or 1.4 or
2.0, whichever happens "next").  Then again, I plan to make a number
of changes around then (moving to non-transarc-paths, maybe dropping
support for certain OS versions, etc).

> Thanks in advance
> 
> Raymond

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
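As an added illustration of the split Derek describes (local account and shell from /etc/passwd, password check and token acquisition from AFS via PAM), here is a PAM stack for a Red Hat 7.3-style /etc/pam.d/login. This is example configuration written for this page, not from the thread or the OpenAFS project; it assumes OpenAFS's pam_afs.so is installed at /lib/security/pam_afs.so and accepts the try_first_pass and ignore_root options.

```pam
# Example /etc/pam.d/login (added illustration, not from the thread).
# Assumption: pam_afs.so lives at /lib/security/pam_afs.so and understands
# try_first_pass and ignore_root.
#
# Requirements #1 and #2 (a passwd entry with a valid shell) are still met
# by the local system; nothing here creates accounts.
auth       required     /lib/security/pam_securetty.so
# Requirement #3: verify the password against AFS (kaserver) and, on success,
# obtain an AFS token in a new PAG so the user's AFS files are readable.
# try_first_pass reuses the password already typed; ignore_root leaves the
# root account on the local password only.
auth       sufficient   /lib/security/pam_afs.so try_first_pass ignore_root
# Fallback to the local /etc/shadow password if AFS rejects the user or is
# unreachable. Drop this line if local passwords must never be accepted.
auth       required     /lib/security/pam_unix.so
# Account validity (expiry, locked shell, etc.) is decided locally, not by AFS.
account    required     /lib/security/pam_unix.so
# 'passwd' changes only the local password here; kpasswd changes only the
# AFS password. The two are independent and must be updated separately.
password   required     /lib/security/pam_unix.so
session    required     /lib/security/pam_unix.so
```

A user with a /bin/false shell still fails requirement #2 under this stack, exactly as the reply states; the AFS check only replaces the password step.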