[OpenAFS] account support in pam_afs.so?

Todd M. Lewis Todd_Lewis@unc.edu
Wed, 11 Jun 2003 07:45:19 -0400


Charles Clancy wrote:
> On Tue, 11 Jun 2003, Karl Bowden wrote:
> 
> 
>>I do not want to resort to merging all afs users into each machine's
>>/etc/passwd file, as that has the potential to get messy real quick, and
>>is not a very clean solution in regards to what pam was designed for. So
>>is it possible to use pam_afs.so to retrieve account information from kas
>>or some other place to store the information?
> 
> 
> *NIX uses NSS for account information, not PAM.  Hence, no PAM module
> could solve your problem.  Perhaps what you need is to write an NSS (name
> service switch) module to suit your needs.

I doubt NSS is going to solve all of the problem, but since you brought 
it up...

...I put together a simple NSS module that looks up stuff in pts. 
Originally written to keep sendmail from barfing when sending email on 
behalf of users' non-null instances (i.e., ids not in the /etc/passwd), 
it's useful to me because it makes ls show the names of file owners for 
files in our cell even when my local AFS client doesn't know about those 
ids.

Grab it at http://tarna.oit.unc.edu/~utoddl/nss_pts_0.1.tgz if you're 
interested.  There's code in there to support Solaris, IRIX, and HPUX, 
(all shamelessly snarfed from the SMB project, so it's GPL) though I've 
only ever run it on Linux.

From the top of the README:
>                                              September 13, 2002
> 
> This code implements an nsswitch module for looking up PTS entries
> through the getpwuid() library call.  Be warned that the password
> entry returned through this interface is partially bogus, and may
> include a pw_uname that is longer than 8 characters.
> 
> The code as distributed works under Linux, but has not been
> successfully run under Solaris.  Other OSes have not been
> attempted.
> 
> Whether this is a good idea at all is an open question.

Cheers,
-- 
     +-------------------------------------------------------------+
    /Todd_Lewis@unc.edu  919-962-5273  http://www.unc.edu/~utoddl /
   /   A picture is worth a thousand words, or in the case of    /
  /     modern art, the same word repeated a thousand times.    /
+-------------------------------------------------------------+
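
The lookup path discussed in this thread, as an added example that is not part of the original message or of the nss_pts code: `ls` resolves file-owner UIDs through getpwuid(), which consults whatever NSS sources are configured, so this sketch resolves the owners in a directory the same way and flags UIDs with no entry as well as login names longer than 8 characters (the README's caveat). The function names, the `resolver` parameter and the sample entries are constructed for illustration.

```python
import os
import pwd
from collections import namedtuple

MAX_CLASSIC_NAME = 8  # length the README warns a returned name may exceed

Finding = namedtuple("Finding", "uid name status")


def check_uid(uid, resolver=pwd.getpwuid):
    """Resolve one UID through NSS (via getpwuid) and classify the result."""
    try:
        entry = resolver(uid)
    except KeyError:
        # No configured NSS source knows this id; ls would show the bare number.
        return Finding(uid, None, "unresolved")
    name = entry.pw_name
    if len(name) > MAX_CLASSIC_NAME:
        # Tools that assume short login names may truncate or mishandle this.
        return Finding(uid, name, "long-name")
    return Finding(uid, name, "ok")


def audit_owners(directory, resolver=pwd.getpwuid):
    """Check every distinct owner UID of the entries directly in `directory`."""
    uids = set()
    with os.scandir(directory) as it:
        for item in it:
            uids.add(item.stat(follow_symlinks=False).st_uid)
    return [check_uid(uid, resolver) for uid in sorted(uids)]


# Constructed sample entries standing in for what an NSS source might return.
_SAMPLE = {
    1001: pwd.struct_passwd(("alice", "x", 1001, 1001, "", "/", "/bin/false")),
    1002: pwd.struct_passwd(("alice.admin", "x", 1002, 1002, "", "/", "/bin/false")),
}


def sample_resolver(uid):
    """Stand-in for pwd.getpwuid; raises KeyError for unknown ids like the real call."""
    return _SAMPLE[uid]


if __name__ == "__main__":
    # Uses the real NSS configuration of the machine it runs on.
    for finding in audit_owners("."):
        print(finding)
```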