[OpenAFS] Replacing flaky LDAP server with local files. Help?
Wed, 8 Feb 2006 10:22:41 -0600
On Fedora Core 4 linux systems, OpenAFS-client has been running pretty
I let users authenticate against our new OpenAFS server, and if that
fails, the PAM stack checks an LDAP server, where all users also have
accounts. If that fails, then it checks the local files. Then if the
AFS user is authenticated, the system uses user/group information from
the LDAP system.
The LDAP server, howerver, is unstable lately, probably because of
poor connectivity. I get long timeouts waiting for the LDAP server to
answer. So it occurs to me I can create user accounts on the local
machines and AS LONG AS I give them the same uid and gid information
that the LDAP currently has, then they should still be able to access
files in $HOME. Right?
But I don't want to manage their login passwords in the local
machines. I want to leave that up to the AFS server. But if I use
"useradd" to create users, it wants me to set passwords.
What steps do you think I have to take on the local machine to make
this work? My *guess* is that this might work to eliminate the ldap
stuff from the system-auth file and nsswitch and create users, but I'm
uncertain about user passwords on the local machine.
Here's the system-auth file.
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_afs.so use_first_pass
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_localuser.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 qu=
account [default=3Dbad success=3Dok user_unknown=3Dignore]
# account [default=3Dbad success=3Dok user_unknown=3Dignore]
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3D3
password sufficient /lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_mkhomedir.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
session optional /lib/security/$ISA/pam_afs.so
Paul E. Johnson
Professor, Political Science
1541 Lilac Lane, Room 504
University of Kansas