[OpenAFS] pam and OpenAFS
Todd M. Lewis
Todd_Lewis@unc.edu
Thu, 27 Oct 2005 15:30:13 -0400
That's not a problem; that's how it's supposed to work.
Think about it this way. Say you have a cell with, oh, 40,000 active
users (like us), and your desktop machine is an AFS client. How do you
control which of those 40,000 people can log in to your machine? You
only put in /etc/passwd those people you want to be able to log in.
[You old timers who've heard this propup bit before can stop reading. Bye.]
However, sometimes you set up a machine that you want anybody in your
cell to be able to log in to. In that case, you can update your
/etc/passwd whenever you add people to your cell. Or you can make a
variant of http://www.unc.edu/~utoddl/propup.tar.gz. Propup is a little
pam module that reads a list of valid ids from a file in AFS and if
necessary updates your /etc/passwd file with a new entry if the user
trying to log in is not already there and he should be. Feel free to
modify it to get its data from wherever you like. This was a
quick-n-dirty excuse to play with pam, and although it works, it's still
dirty. :)
Cheers,
--
+--------------------------------------------------------------+
/ Todd_Lewis@unc.edu 919-962-5273 http://www.unc.edu/~utoddl /
/ Those who jump off a Paris bridge are in Seine. /
+--------------------------------------------------------------+
Ron Croonenberg wrote:
> Hi Derrick,
>
> yes then it works. (and yes I use shadow)
>
> When the username is in /etc/passwd and the password is different from
> the AFS password it does get logged in, gets an AFS token and gets
> the uid, home directory, shell info etc. from LDAP.
>
> However, when I don't have a "local" userid, it doesn't work.
>
> (Sounds like it is not an OpenAFS issue, but there must be more people
> that ran into that problem)
>
> Ron
>
>
>>>>Derrick J Brashear <shadow@dementia.org> 10/27/05 12:48 PM >>>
>
> And the username in question is listed in /etc/passwd (and /etc/shadow
> if you use shadow) right?
>
> On Thu, 27 Oct 2005, Ron Croonenberg wrote:
>
>
>>I am trying to debug pam logging in to AFS.
>>
>>Before pam_afs and pam_unix are used sshd already complains that the
>>user that I try to log in with is an illegal user.
>>(oort sshd[68250]: Illegal user cowboy from aaa.bbb.ccc.ddd)
>>
>>Does that mean that sshd is not aware that there are other accounts,
>>OpenAFS accounts, than local accounts?
>>If that's the case how do I make sshd AFS aware?
>>
>>(on "other" linux machines I never ran into that problem)
>>
>>thanks,
>>
>>Ron
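Added example (not Todd's propup code, and not from the OpenAFS project): the decision a propup-style PAM module has to make before it appends anything to /etc/passwd, as described in Todd's message above. The passwd text and the AFS-hosted allow list are constructed sample strings so the program runs offline; the function names, the example.edu cell path, uid 20001 and the "*" password field are assumptions for the illustration. The point it adds beyond the description is the checks around the write: match only on the first passwd field, match the allow list whole-line, and refuse any name that could inject a field separator or a second record into passwd(5).

```c
/*
 * Added example (not Todd Lewis's propup code): the decision a propup-style
 * PAM module has to make before it touches /etc/passwd. The passwd text and
 * the AFS-hosted allow list are constructed sample strings so this runs
 * offline; a real module would read the list from its AFS path and call
 * getpwnam() instead of parsing the file itself.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum propup_action {
    PROPUP_PRESENT,  /* already in /etc/passwd: nothing to do            */
    PROPUP_ADD,      /* valid name, on the allow list, not yet local: add */
    PROPUP_DENY,     /* not on the allow list: let the login fail         */
    PROPUP_BADNAME   /* name could corrupt passwd(5): never write it      */
};

/* Constructed sample data; "cowboy" is the user from the thread above. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "utoddl:*:1001:100:Todd Lewis:/afs/example.edu/home/utoddl:/bin/bash\n";

static const char SAMPLE_LIST[] =
    "# one username per line, kept in AFS (hypothetical path)\n"
    "utoddl\n"
    "cowboy\r\n"
    "\n";

/* Exact match of `user` against the first colon-separated field of a line. */
static int first_field_is(const char *line, size_t len, const char *user)
{
    size_t ulen = strlen(user);
    return len > ulen && memcmp(line, user, ulen) == 0 && line[ulen] == ':';
}

/* Does any passwd(5) record name `user` in field 1?  Matching only field 1
 * keeps "todd" from being satisfied by a GECOS field or a home directory. */
int passwd_has_user(const char *passwd_text, const char *user)
{
    const char *p = passwd_text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (first_field_is(p, len, user))
            return 1;
        if (!nl)
            break;
        p = nl + 1;
    }
    return 0;
}

/* Allow list: one name per line; blank lines, '#' comments and trailing
 * CR/whitespace are ignored.  Whole-line match, so "cow" does not match
 * "cowboy". */
int allowlist_has_user(const char *list_text, const char *user)
{
    const char *p = list_text;
    size_t ulen = strlen(user);
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        while (len && isspace((unsigned char)p[len - 1]))
            len--;
        if (len && p[0] != '#' && len == ulen && memcmp(p, user, ulen) == 0)
            return 1;
        if (!nl)
            break;
        p = nl + 1;
    }
    return 0;
}

/* The name is about to become part of a passwd(5) record, so it must not be
 * able to smuggle in a field separator or a second record.  Portable charset
 * [a-z_][a-z0-9_-]*, at most 32 bytes (the usual useradd limit). */
int valid_username(const char *user)
{
    size_t i, n = strlen(user);
    if (n == 0 || n > 32)
        return 0;
    if (!islower((unsigned char)user[0]) && user[0] != '_')
        return 0;
    for (i = 1; i < n; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!islower(c) && !isdigit(c) && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Record to append.  Password field is "*": the local password is unusable
 * because pam_afs does the authentication (assumption).  uid/gid/home/shell
 * come from the caller (LDAP in the thread; values in main() are assumed).
 * Returns the record length, or -1 if it would not fit in `out`. */
int build_passwd_entry(char *out, size_t outlen, const char *user,
                       unsigned uid, unsigned gid,
                       const char *home_prefix, const char *shell)
{
    int n = snprintf(out, outlen, "%s:*:%u:%u::%s/%s:%s\n",
                     user, uid, gid, home_prefix, user, shell);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

enum propup_action propup_decide(const char *passwd_text,
                                 const char *list_text, const char *user)
{
    if (!valid_username(user))
        return PROPUP_BADNAME;
    if (passwd_has_user(passwd_text, user))
        return PROPUP_PRESENT;
    if (allowlist_has_user(list_text, user))
        return PROPUP_ADD;
    return PROPUP_DENY;
}

int main(void)
{
    static const char *names[] = { "root", "cowboy", "cow", "evil:x:0:0::/:/bin/sh" };
    static const char *verdict[] = { "present", "add", "deny", "bad name" };
    char rec[256];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-24s -> %s\n", names[i],
               verdict[propup_decide(SAMPLE_PASSWD, SAMPLE_LIST, names[i])]);

    /* uid 20001 and the cell path are assumed values for the demonstration */
    if (build_passwd_entry(rec, sizeof rec, "cowboy", 20001, 100,
                           "/afs/example.edu/home", "/bin/bash") > 0)
        printf("would append: %s", rec);
    return 0;
}
```

This stops short of the write itself. A module that really appends the record should take the passwd lock (lckpwdf()/ulckpwdf()) or write a temporary file and rename() it into place, so a crash or a second concurrent login cannot leave /etc/passwd half-written, and on a host that already resolves users through LDAP, as in Ron's setup, the "is it local?" check belongs to getpwnam() rather than to a parse of /etc/passwd alone.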