[OpenAFS] integrated logon for Solaris and AFS

Derrick J Brashear shadow@dementia.org
Tue, 27 Apr 2004 11:43:02 -0400 (EDT)


On Tue, 27 Apr 2004, J S wrote:

> >I'm put in the unfortunate position of recommending the PAM module;
> >However, you seem intent on going down with the ship.
> >
> >-D
> >
>
> Thanks for that D. Sorry if this is a stupid question (I really don't know
> much about PAM or Kerberos!) but if I set up PAM, will this affect any other
> users?

Well, given what you want to do, I suspect setting up auth modules such
that pam_unix.so or whatever Sun calls theirs as sufficient, and
pam_afs.so as any of sufficient, required or requisite *after* pam_unix
will result in local passwords being tried first, then AFS passwords if
there's a failure, and as long as your one user has a different local and
AFS password, no one will be the wiser.

Reversing the order means AFS passwords will be tried first. If none of
the other users have AFS authentication accounts, it should be the same,
but doing Unix first and AFS after is probably safer in a
loosely-AFS-supported configuration.
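
The module ordering described in the reply above, as an added example that is not part of the original post: a simplified Python model of how a PAM auth stack treats the sufficient, required and requisite control flags, run with both orderings. The account names, passwords and the `authenticate` helper are constructed for illustration, and the model assumes every module is offered the same typed password.

```python
# Simplified model of a PAM auth stack (illustrative; not libpam).
# Assumption: each module is offered the same typed password.

# Constructed sample accounts: only "js" has an AFS account.
LOCAL = {"alice": "alice-local", "js": "js-local"}
AFS = {"js": "js-afs"}

def pam_unix(user, password):
    return LOCAL.get(user) == password

def pam_afs(user, password):
    return AFS.get(user) == password

def authenticate(stack, user, password):
    """Walk the stack; return (granted, names of modules consulted)."""
    tried, required_failed, passed = [], False, False
    for flag, module in stack:
        tried.append(module.__name__)
        ok = module(user, password)
        if flag == "sufficient":
            # Success ends the stack early; failure is ignored.
            if ok and not required_failed:
                return True, tried
        elif flag == "required":
            # Failure is remembered, but later modules still run.
            passed, required_failed = passed or ok, required_failed or not ok
        elif flag == "requisite":
            # Failure ends the stack immediately.
            if not ok:
                return False, tried
            passed = True
        else:
            raise ValueError(f"unknown control flag: {flag}")
    return passed and not required_failed, tried

UNIX_FIRST = [("sufficient", pam_unix), ("required", pam_afs)]
AFS_FIRST = [("sufficient", pam_afs), ("required", pam_unix)]

if __name__ == "__main__":
    for label, stack in (("unix first", UNIX_FIRST), ("afs first", AFS_FIRST)):
        for user, pw in (("alice", "alice-local"), ("js", "js-local"),
                         ("js", "js-afs"), ("alice", "wrong")):
            print(label, user, authenticate(stack, user, pw))
```

In this model both orderings grant the same logins; what changes is which module sees the password first, so with AFS first every local user's login is offered to pam_afs before pam_unix.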