[OpenAFS] Replacing flaky LDAP server with local files. Help?

Paul Johnson pauljohn32@gmail.com
Wed, 8 Feb 2006 10:22:41 -0600


On Fedora Core 4 linux systems, OpenAFS-client has been running pretty
well lately.

I let users authenticate against our new OpenAFS server, and if that
fails, the PAM stack checks an LDAP server, where all users also have
accounts.  If that fails, then it checks the local files.  Then if the
AFS user is authenticated, the system uses user/group information from
the LDAP system.

The LDAP server, however, is unstable lately, probably because of
poor connectivity.  I get long timeouts waiting for the LDAP server to
answer.  So it occurs to me I can create user accounts on the local
machines and AS LONG AS I give them the same uid and gid information
that the LDAP currently has, then they should still be able to access
files in $HOME.  Right?

But I don't want to manage their login passwords in the local
machines. I want to leave that up to the AFS server.  But if I use
"useradd" to create users, it wants me to set passwords.

What steps do you think I have to take on the local machine to make
this work?  My *guess* is that this might work to eliminate the ldap
stuff from the system-auth file and nsswitch and create users, but I'm
uncertain about user passwords on the local machine.

Here's the system-auth file.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_afs.so use_first_pass ignore_root
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_localuser.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
# account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_afs.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
session     optional      /lib/security/$ISA/pam_afs.so


--
Paul E. Johnson
Professor, Political Science
1541 Lilac Lane, Room 504
University of Kansas
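The procedure the post asks about (recreate the LDAP accounts locally with identical uid/gid, leave the local password unusable so pam_unix fails and pam_afs does the authentication), as an added example that is not part of the original message or of OpenAFS. It assumes shadow-utils `useradd`/`groupadd`, that the home directories live in AFS or are created at login by pam_mkhomedir, and that the LDAP account data is available as `getent passwd` / `getent group` output; the dumps and the "local" passwd file here are constructed samples written to temp files. With LDAP gone from nsswitch.conf (`passwd: files`, `group: files`) and the pam_ldap lines dropped from system-auth, the stack is pam_unix (fails on the locked local entry), then pam_afs. Note that `nullok` only admits an empty password field; the locked placeholder `useradd` writes when no `-p` is given is not empty, so it does not open a back door.

```sh
#!/bin/sh
# Added example, not from the original post or from OpenAFS.  It mirrors
# LDAP-provided accounts into local files with the SAME uid/gid and leaves
# the local password locked, so pam_unix can never accept a local password
# and authentication is left to pam_afs.  The dumps and the "local" passwd
# file are constructed samples; on a real host they would come from
# `getent passwd` / `getent group` taken while LDAP is still in nsswitch.conf.

set -u

# Constructed sample: passwd-format lines for the LDAP users.
LDAP_PASSWD=$(mktemp)
cat >"$LDAP_PASSWD" <<'EOF'
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1001:Bob Example:/home/bob:/bin/bash
carol:x:1003:1003:Carol Example:/home/carol:/bin/tcsh
EOF

# Constructed sample: group-format lines for the groups those users need.
LDAP_GROUP=$(mktemp)
cat >"$LDAP_GROUP" <<'EOF'
users:x:1001:alice,bob
carol:x:1003:
EOF

# Constructed sample of the local /etc/passwd.  "bob" already exists locally
# with a different uid; recreating him with the LDAP uid would leave his
# existing local files owned by the old uid, so this must be caught first.
LOCAL_PASSWD=$(mktemp)
cat >"$LOCAL_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bob:x:500:500:Bob Local:/home/bob:/bin/bash
EOF
trap 'rm -f "$LDAP_PASSWD" "$LDAP_GROUP" "$LOCAL_PASSWD"' EXIT

# find_conflicts LDAP_PASSWD LOCAL_PASSWD
# Prints one line per user name or uid present in both files with a different
# mapping.  Exit status 0 when there are no conflicts, 1 otherwise.
# (NR==FNR selects the local file, which awk reads first; the idiom needs
# both files to be non-empty.)
find_conflicts() {
    awk -F: '
        NR == FNR { local_uid[$1] = $3; local_name[$3] = $1; next }
        ($1 in local_uid) && local_uid[$1] != $3 {
            printf "CONFLICT user %s: local uid %s, LDAP uid %s\n", $1, local_uid[$1], $3
            found = 1; next
        }
        ($3 in local_name) && local_name[$3] != $1 {
            printf "CONFLICT uid %s: local user %s, LDAP user %s\n", $3, local_name[$3], $1
            found = 1
        }
        END { exit found + 0 }
    ' "$2" "$1"
}

# emit_groupadd LDAP_GROUP: groupadd commands recreating each group with its
# LDAP gid, so that the numeric -g in the useradd commands below resolves.
emit_groupadd() {
    awk -F: '{ printf "groupadd -g %s %s\n", $3, $1 }' "$1"
}

# emit_useradd LDAP_PASSWD: useradd commands recreating each user with the
# LDAP uid, primary gid, GECOS, home and shell.  No -p is given, so the
# shadow password field stays a locked placeholder ("!" or "!!" depending on
# the shadow-utils build), which pam_unix rejects; nullok only admits an
# EMPTY field.  -M skips creating the home directory because it lives in AFS
# or is made at login by pam_mkhomedir.
emit_useradd() {
    awk -F: '{ printf "useradd -M -u %s -g %s -c \"%s\" -d %s -s %s %s\n", $3, $4, $5, $6, $7, $1 }' "$1"
}

# Review the generated commands before running them as root.  Afterwards
# `passwd -S <user>` should report LK (locked) while the AFS login still works.
if find_conflicts "$LDAP_PASSWD" "$LOCAL_PASSWD"; then
    emit_groupadd "$LDAP_GROUP"
    emit_useradd  "$LDAP_PASSWD"
else
    echo "resolve the conflicts above before creating local accounts" >&2
fi
```

With the samples above the script reports the uid mismatch for `bob` and emits nothing; against a clean local passwd it prints the `groupadd`/`useradd` lines, which is all that is needed since the password field is deliberately left unset.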