[OpenAFS] integrated logon for Solaris and AFS

J S vervoom@hotmail.com
Tue, 27 Apr 2004 16:45:06 +0000

> > >I'm put in the unfortunate position of recommending the PAM module;
> > >However, you seem intent on going down with the ship.
> > >
> > >-D
> > >
> >
> > Thanks for that D. Sorry if this is a stupid question (I really don't 
> > know much about PAM or Kerberos!) but if I set up PAM, will this affect any 
> > users?
>Well, given what you want to do, I suspect setting up auth modules such
>that pam_unix.so or whatever Sun calls theirs as sufficient, and
>pam_afs.so as any of sufficient, required or requisite *after* pam_unix
>will result in local passwords being tried first, then afs passwords if
>there's a failure, and as long as your one user has a different local and
>afs password, no one will be the wiser.
>Reversing the order means afs passwords will be tried first. If none of
>the other users have afs authentication accounts, it should be the same,
>but doing unix first and afs after is probably safer in a
>loosely-afs-supported configuration.

Well I'm a bit closer now! I set up the pam module but when I logged in 
successfully I was then prompted for the "AFS password: "
This is how I have things set up at the moment with pam_unix.so.1 as 
required and pam_afs.so.1 as optional.

login   auth required   /usr/lib/security/pam_unix.so.1
login   auth required   /usr/lib/security/pam_dial_auth.so.1
login   auth optional   /usr/lib/security/pam_afs.so.1

Is this wrong?
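
Added example, not part of the original message or of OpenAFS: a simplified Python model of how a PAM auth stack combines the control flags discussed above, showing which modules are invoked for the posted stack and for one reading of the "unix first, afs after" ordering. The function name, the `UNIX_FIRST` stack and the module outcomes are constructed assumptions; the model covers control flags only, not prompting or password passing between modules.

```python
# Simplified model of how a PAM auth stack combines control flags.
# It models the flags only, not prompting or password passing between modules.

def run_stack(stack, outcomes):
    """stack: ordered (control_flag, module) pairs, as in pam.conf.
    outcomes: module -> True/False (constructed result of each module).
    Returns (authenticated, modules_invoked_in_order)."""
    invoked = []
    required_failed = False
    any_success = False
    for flag, module in stack:
        invoked.append(module)
        ok = outcomes[module]
        if flag == "requisite":
            if not ok:
                return False, invoked      # failure ends the stack at once
            any_success = True
        elif flag == "required":
            if ok:
                any_success = True
            else:
                required_failed = True     # remembered; later modules still run
        elif flag == "sufficient":
            if ok and not required_failed:
                return True, invoked       # success ends the stack at once
            # a failed sufficient module is ignored
        elif flag == "optional":
            any_success = any_success or ok
        else:
            raise ValueError(f"unknown control flag: {flag}")
    return (any_success and not required_failed), invoked

# The stack as posted in the message above.
POSTED = [("required", "pam_unix.so.1"),
          ("required", "pam_dial_auth.so.1"),
          ("optional", "pam_afs.so.1")]

# One reading of the ordering suggested in the quoted reply (an assumption).
UNIX_FIRST = [("sufficient", "pam_unix.so.1"),
              ("required", "pam_afs.so.1")]

if __name__ == "__main__":
    local_ok = {"pam_unix.so.1": True, "pam_dial_auth.so.1": True, "pam_afs.so.1": False}
    print(run_stack(POSTED, local_ok))      # all three modules are invoked
    print(run_stack(UNIX_FIRST, local_ok))  # stack ends after pam_unix
```

In the posted stack a successful `required` module does not end evaluation, so `pam_afs.so.1` is still invoked after the local password succeeds; in the `UNIX_FIRST` stack it is reached only when the local password fails.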

