[OpenAFS] Problem with PAM
Roberto.Gomezel@ts.infn.it
Tue, 21 Jan 2003 10:18:03 +0100
On a system running Linux RedHat 7.3 with OpenAFS 1.2.8, which is also a
NIS client, we are trying to set up users' authentication in order to get
the following:
- if a user is registered under NIS, but does not have an AFS account,
he/she should be able to log in by using his/her NIS password;
- if he/she is registered under both NIS and AFS, he/she should be able to
log in by using either the NIS or the AFS passwords; preferably, the
AFS password should be tried first in order to try getting the AFS
token;
Probably it's just a matter of setting up the PAM configuration files.
We tried this (for ssh, for instance):
# cat /etc/pam.d/sshd
#%PAM-1.0
auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
session optional /lib/security/pam_console.so
# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok nis
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
This gives undesired results: if a user does not have an AFS account,
he/she is not able to log in through ssh just by using his/her NIS
password. The authentication succeeds only if the user has both an AFS and
a NIS account with the same password.
Any hints?
Thanks in advance
Roberto Gomezel
INFN - ITALY
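
An added example, not part of the original message: a small evaluator for the auth lines of the two stacks posted above, showing which modules are consulted and what the stack returns. It assumes standard Linux-PAM semantics for required and sufficient and that pam_stack returns the result of the named service's stack; the per-module outcomes are constructed inputs, not observed results.

```python
# Auth lines only, transcribed from the two files in the message above.
STACKS = {
    "sshd": [("sufficient", "pam_afs"),
             ("required", "pam_stack:system-auth"),
             ("required", "pam_nologin")],
    "system-auth": [("required", "pam_env"),
                    ("sufficient", "pam_unix"),
                    ("required", "pam_deny")],
}
# Constructed baseline: pam_deny always fails; pam_env and pam_nologin pass
# (assumes no /etc/nologin file is present).
BASE = {"pam_env": True, "pam_deny": False, "pam_nologin": True}


def evaluate(service, outcomes, trace):
    """Apply required/sufficient semantics; record each module consulted."""
    failed_required = False
    succeeded = False
    for control, module in STACKS[service]:
        if module.startswith("pam_stack:"):
            # Assumption: pam_stack yields the sub-stack's overall result.
            ok = evaluate(module.split(":", 1)[1], outcomes, trace)
        else:
            ok = outcomes[module]
            trace.append(module)
        succeeded = succeeded or ok
        if control == "sufficient" and ok and not failed_required:
            return True  # later modules are never consulted
        if control == "required" and not ok:
            failed_required = True  # remembered, but the stack keeps running
    return succeeded and not failed_required


def login(pam_afs, pam_unix):
    """Return (auth result, modules consulted) for constructed outcomes."""
    trace = []
    outcomes = dict(BASE, pam_afs=pam_afs, pam_unix=pam_unix)
    return evaluate("sshd", outcomes, trace), trace


if __name__ == "__main__":
    for name, afs, unix in [("NIS-only user, NIS password", False, True),
                            ("AFS user, AFS password", True, False),
                            ("wrong password", False, False)]:
        print(name, login(afs, unix))
```

Under these assumptions the control flags alone admit a NIS-only user whenever pam_unix accepts the password, so the per-module results in the system log show which module is rejecting the login. The trace also shows that a pam_afs success returns before pam_nologin is consulted.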