[OpenAFS] pam and OpenAFS
Ron Croonenberg
ronc@depauw.edu
Thu, 27 Oct 2005 19:45:26 -0500
Correct, it does... and yes, because of a problem with nsswitch it did
just that to me.
ssh works now.
Right now I am scratching my head about logging in with X Windows.
Ron
>>> <lamont@scriptkiddie.org> 10/27/05 7:38 PM >>>
I believe that openssh does getpwnam() and unless you have nss_ldap
configured or you have the user in /etc/passwd+shadow, or have nss
configured via some other means, sshd will consider the user 'invalid' and
fail. I thought there was a config option that would relax this check,
but I can't find it... (I think I'm getting confused with the
LOCKED_PASSWD_PREFIX feature of sshd there...)
On Thu, 27 Oct 2005, Ron Croonenberg wrote:
> We do use ldap.
>
> However, what confuses me is why the system-auth that I have works on
> every other linux machine I have.
> Basically those clients don't have any "local" accounts. We use
> ldap for account info and with this in "system-auth" (below) anyone with
> an afs account can login on that machine.
>
> *** system-auth , (auth section) ***
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_afs.so use_first_pass
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
>
>
>
> Ron
>
>>>> Derrick J Brashear <shadow@dementia.org> 10/27/05 2:31 PM >>>
> you need a local userid or something like nis or ldap. there's no issue
>
> Derrick
>
> On Thu, 27 Oct 2005, Ron Croonenberg wrote:
>
>> Hi Derrick,
>>
>> yes then it works. (and yes I use shadow)
>>
>> When the username is in /etc/passwd and the password is different than
>> the afs password it does get logged in, gets an afs token and gets
>> the uid homedirectory shell info etc from ldap.
>>
>> However, when I don't have a "local" userid, it doesn't work.
>>
>> (Sounds like it is not an OpenAFS issue, but there must be more people
>> that ran into that problem)
>>
>> Ron
>>
>>>>> Derrick J Brashear <shadow@dementia.org> 10/27/05 12:48 PM >>>
>> And the username in question is listed in /etc/passwd (and /etc/shadow
>> if you use shadow) right?
>>
>> On Thu, 27 Oct 2005, Ron Croonenberg wrote:
>>
>>> I am trying to debug pam logging in to afs.
>>>
>>> Before pam_afs and pam_unix are used sshd already complains that the
>>> user that I try to log in with is an illegal user.
>>> (oort sshd[68250]: Illegal user cowboy from aaa.bbb.ccc.ddd)
>>>
>>> Does that mean that sshd is not aware that there are other accounts,
>>> OpenAFS accounts, than local accounts ?
>>> If that's the case how do I make sshd afs-aware ?
>>>
>>> (on "other" linux machines I never ran into that problem)
>>>
>>> thanks,
>>>
>>> Ron
>>>
>>> _______________________________________________
>>> OpenAFS-info mailing list
>>> OpenAFS-info@openafs.org
>>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>>
>
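The diagnosis reached in this thread is that sshd calls getpwnam() on the login name before any PAM module runs, so a user that NSS cannot resolve (no /etc/passwd entry and no ldap or nis source on the passwd line of nsswitch.conf) is rejected as "Illegal user" no matter what pam_afs or pam_ldap would have done in system-auth. The script below is an added example for checking that from a shell; it is not code from the thread or from OpenAFS. It assumes a glibc-style /etc/nsswitch.conf and the getent tool, the two nsswitch.conf samples are constructed, and the user name "cowboy" is only the placeholder from the quoted log line.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the check sshd performs before
# PAM is ever consulted. sshd calls getpwnam() on the login name; if NSS cannot
# resolve it, the connection fails with "Illegal user" and pam_afs never runs.

# Same lookup sshd makes: getent walks the passwd sources from nsswitch.conf.
nss_user_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# Print the sources configured for the passwd database in an nsswitch.conf
# file, e.g. "files ldap"; prints nothing if there is no passwd line.
passwd_sources() {
    # strip comments, take the first "passwd:" line, drop the key, tidy spaces
    sed -e 's/#.*//' "$1" \
        | awk '$1 == "passwd:" { $1 = ""; print; exit }' \
        | tr -s ' ' | sed -e 's/^ //' -e 's/ $//'
}

# Return 0 if a given source (files, ldap, nis, ...) is listed for passwd.
# Action specs such as [NOTFOUND=return] are compared literally and never match.
passwd_uses_source() {
    for src in $(passwd_sources "$1"); do
        [ "$src" = "$2" ] && return 0
    done
    return 1
}

# Constructed sample: local files first, then LDAP. This is what a client with
# no local accounts needs so that sshd's getpwnam() sees LDAP users at all.
SAMPLE_NSSWITCH=$(mktemp)
cat >"$SAMPLE_NSSWITCH" <<'EOF'
# constructed sample, not a real host's file
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
EOF

# Constructed sample of the failing configuration: files only. With this,
# every LDAP-only user is "Illegal user" to sshd regardless of the PAM stack.
SAMPLE_FILES_ONLY=$(mktemp)
cat >"$SAMPLE_FILES_ONLY" <<'EOF'
passwd:     files
shadow:     files
group:      files
EOF
trap 'rm -f "$SAMPLE_NSSWITCH" "$SAMPLE_FILES_ONLY"' EXIT

# Report which half of the login path a user gets past on this host:
# NSS (getpwnam) first, then PAM (pam_unix / pam_afs / pam_ldap).
diagnose_login() {
    user=$1
    if nss_user_exists "$user"; then
        echo "$user: resolvable via NSS; sshd proceeds to PAM (pam_unix/pam_afs/pam_ldap)"
        return 0
    fi
    echo "$user: NOT resolvable via NSS; sshd logs 'Illegal user' before PAM runs"
    echo "  passwd sources in /etc/nsswitch.conf: $(passwd_sources /etc/nsswitch.conf 2>/dev/null)"
    return 1
}

# Example run; the default user name is the placeholder from the quoted log line.
diagnose_login "${1:-cowboy}" || true
```

If diagnose_login reports the user as unresolvable, the fix belongs in nsswitch.conf (adding ldap to the passwd, shadow and group lines and configuring nss_ldap), not in system-auth; the PAM stack in the thread is only reached once getpwnam() succeeds.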