[OpenAFS] Can OpenAFS be the only authenticating "entity"

Brandon S. Allbery KF8NH allbery@ece.cmu.edu
Wed, 1 Feb 2006 00:01:27 -0500

On Feb 1, 2006, at 5:41 , Leroy Tennison wrote:

> I know about integrated login but is it possible to create a Linux  
> and/or Windows configuration where OpenAFS is the only  
> "authenticator" meaning that there is no need for IDs/passwords in  
> local files or another authentication service like NIS, LDAP,  
> Samba, AD, etc?  If so, can you point me to information on how to  
> do it?  Maybe I'm just not thinking clearly but nothing is coming  
> to mind.  Thanks for any input.

Not really.

1. For Windows to get all the extra permissions it hides in its  
Kerberos 5 tickets, you need to use AD (or possibly recent Samba).

2. AFS can provide passwords via some form of Kerberos, and in theory  
you could get user IDs via an nsswitch module that queried pts; but  
there's no way to get home directories, Unix groups (which are very  
different from AFS groups), shells, etc.

3. Unless all your Unix systems are completely homogeneous (i.e. not  
even different releases of the same vendor's OS), you'll find that  
every system has different uids and gids for system accounts and you  
can't safely change them around to fit pts's ideas.

3a. AFS admin (almost always pts id 1) would be a very bad thing to  
map to Unix uid 1.

4. If you ever need to work on a Unix machine in single-user mode  
without network, you will need local accounts for at minimum root and  
the system accounts.

I think the best you could do right now is to use AD for Kerberos+LDAP  
with a Unix schema added; but pts needs to remain separate, although  
I think someone may be poking at LDAP-backed pts.

brandon s. allbery     [linux,solaris,freebsd,perl]       
system administrator  [openafs,heimdal,too many hats]   
electrical and computer engineering, carnegie mellon university
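The uid clash from points 3 and 3a, as an added example that is not part of the post or of OpenAFS: a small audit script that parses `pts listentries`-style output and passwd lines and flags pts ids that would land on an existing local uid under a different name. The sample data, the column layout assumed for `pts listentries`, and the 1000 system-uid boundary are all assumptions.

```python
# Added audit helper for the pts-id / Unix-uid clash described in points 3 and 3a.
# Constructed samples below stand in for 'pts listentries' output and /etc/passwd.
SYSTEM_UID_MAX = 1000  # assumption: uids below this are system accounts (Linux UID_MIN)

PTS_LISTENTRIES = """\
Name                          ID  Owner Creator
admin                          1  -204    -204
daemon                         2  -204    -204
alice                       1001  -204    -204
bob                         1002  -204    -204
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
"""

def parse_pts(text):
    """Map pts user name -> id; skip the header row and group entries (negative ids)."""
    users = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2 and int(parts[1]) > 0:
            users[parts[0]] = int(parts[1])
    return users

def parse_passwd(text):
    """Map local uid -> account name from passwd-format lines."""
    return {int(f[2]): f[0] for f in (l.split(":") for l in text.splitlines()) if len(f) >= 3}

def find_collisions(pts_users, local_uids):
    """Return (pts_name, id, local_name, severity) for every pts id that lands on an
    existing local uid owned by a different account. Clashes in the system-uid range
    (including admin's pts id 1 on uid 1) are 'critical'; the rest are 'warning'."""
    findings = []
    for name, pid in sorted(pts_users.items(), key=lambda kv: kv[1]):
        local = local_uids.get(pid)
        if local is not None and local != name:
            sev = "critical" if pid < SYSTEM_UID_MAX else "warning"
            findings.append((name, pid, local, sev))
    return findings

def audit(pts_text=PTS_LISTENTRIES, passwd_text=PASSWD):
    """Run the check over the embedded samples (or over real captured output)."""
    return find_collisions(parse_pts(pts_text), parse_passwd(passwd_text))

if __name__ == "__main__":
    for name, pid, local, sev in audit():
        print(f"{sev.upper():8} pts '{name}' id {pid} collides with local '{local}' (uid {pid})")
```

On real hosts, feed it the output of `pts listentries` and the contents of /etc/passwd from each machine; any 'critical' line is a uid you cannot safely remap to match pts.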