[OpenAFS] Problem with PAM

Charles Clancy security@xauth.net
Tue, 21 Jan 2003 13:56:42 -0600 (CST)

On Tue, 21 Jan 2003 Roberto.Gomezel@ts.infn.it wrote:

> - if a user is registered under NIS, but does not have an AFS account,
>   he/she should be able to log in by using his/her NIS password
> - if he/she is registered under both NIS and AFS, he/she should be able to
>   log in by using either the NIS or the AFS passwords; preferrably, the
>   AFS password should be tried first in order to try getting the AFS
>   token;

So you want something like:
	sufficient pam_afs.so ignore_root
	required pam_unix.so use_first_pass

If you switched pam_unix and pam_afs, then AFS users would be
authenticated by NIS and never get a token.

> # cat /etc/pam.d/sshd

Leave the file for sshd alone.

> # cat /etc/pam.d/system-auth

Try these:

auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_afs.so ignore_root
auth        sufficient    /lib/security/pam_unix.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok nis
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_afs.so