[OpenAFS] Kerberos V, users, passwd, shadow, alternatives

Andrew Bacchi bacchi@rpi.edu
03 Mar 2004 12:04:25 -0500


Kevin,

You certainly haven't left any questions out.  My replies below. It
should work for Suse. 

On Wed, 2004-03-03 at 11:26, Kevin wrote:

> 

> As would most people I guess, I'd like to have all AFS 
> user data (stuff found in /etc/passwd (login shell, 
> unix uid, unix gid, Name, home directory), /etc/shadow 
> (password and related data), the kerberos database 
> (principals and their privileges), openafs acls, 
> openafs uid, etc.) be centrally located, universally 
> accessible, and easy to maintain.
> 
> Based on the docs I've read thus far, I should be 
> making a common /etc/passwd file on AFS and merging it 
> with each client machine's /etc/passwd file whenever a 
> change is made to the AFS /etc/passwd file using cron 
> or something.
> 
> My question(s) is/are:
> 
> Is that still the best way to do this?
> 
> And what about /etc/shadow?  Do I need to write a 
> script for shadow that is similar to that found in the 
> docs on merging the AFS /etc/passwd file with each 
> client machine's /etc/passwd file?
> 
> For my purposes, except for each client machine's root 
> account, I'd like to have all users be authenticated 
> from a single (perhaps replicated) source, and not 
> have any user accounts on each client machine's local 
> authentication source (no local users except 
> root---only Kerberos users for the network).

May I suggest researching LDAP.  It will provide the central data source
you are looking for.  You can store all users, hosts, groups, etc. in
the LDAP database and access that at login to provide more info than
/etc/passwd.  Very adaptable.

Also, pam modules (pluggable authentication module) will enable you to
limit users/groups access to any particular machine.  Works nicely in
concert with LDAP.

> 
> Or even, is there a way to make a "network superuser" 
> that would have root access to all client computers?  
> Or is that a bad idea?  What do people do for the root 
> password on each client machine when there are 
> hundreds (or more) client machines?  Make them all the 
> same?  Keep a database of machines and their root 
> passwords handy?  Just curious...

Pam again.  Or if you have a need to update client machines on a regular
basis, 'package' can be compiled into OpenAFS (see the Transarc
documentation for this).  This will enable you to push out config
changes, upgrades, etc to local clients.  Not a good idea to keep root
passwords lying around.

> 
> I'm sure someone else besides me has encountered this 
> issue.  Care to share your ideas on the best way to do 
> this?  I guess LDAP is an option, but I haven't done 
> much with that.  What are others in similar 
> circumstances doing?

LDAP isn't as difficult as getting AFS and Kerb5 working together. 
You've already done the hard part.  You won't have difficulty with
LDAP.  Just don't plan on LDAP for auth, keep the kerberos for ticket
granting.

-- 
Facade: Provide a unified interface to a set of interfaces in a
subsystem.

Andrew Bacchi
Staff Systems Programmer
Rensselaer Polytechnic Institute
phone: 518 276-6415  fax: 518 276-2809

http://www.rpi.edu/~bacchi/
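The layered setup the reply describes (Kerberos for authentication, LDAP for the account data that would otherwise live in /etc/passwd, PAM to restrict which users or groups may log in to a given machine), written out as an added illustration that is not part of the original thread. It assumes a Linux client with the pam_krb5, pam_ldap/nss_ldap and pam_access modules installed; the LDAP server, base DN and group name are placeholders.

```text
# --- /etc/nsswitch.conf (excerpt) ---
# Account data (uid, gid, shell, home) comes from LDAP; local files are
# consulted first so that root stays a purely local account.
passwd: files ldap
group:  files ldap
shadow: files          # no password data in LDAP: passwords live only in the KDC

# --- /etc/ldap.conf (excerpt) ---
# Placeholders: replace with your directory server and base DN.
host ldap.example.org
base dc=example,dc=org
ssl start_tls          # protect the account lookups in transit

# --- /etc/pam.d/login (excerpt) ---
# auth: Kerberos only. pam_unix is kept so that root (local) can still log
# in when the KDC is unreachable; every other account has no local password.
auth     sufficient  pam_krb5.so
auth     required    pam_unix.so try_first_pass
# account: pam_access enforces the per-host rules in access.conf, then
# LDAP (network users) or the local files (root) confirm the account.
account  required    pam_access.so
account  sufficient  pam_ldap.so
account  required    pam_unix.so
session  optional    pam_krb5.so
session  required    pam_unix.so

# --- /etc/security/access.conf ---
# permission : users/groups : origins
# Only root at the console and members of the LDAP group "labstaff"
# may log in to this machine; everyone else is refused.
+ : root : LOCAL
+ : (labstaff) : ALL
- : ALL : ALL
```

With this layout the only entry left in each client's /etc/shadow is root's, so there is nothing to merge from AFS; changing who may use a machine means editing that machine's access.conf or the LDAP group, not its passwd file.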