[OpenAFS] using openafs to authenticate logins on linux systems (Fedora Core 4)

Paul Johnson pauljohn32@gmail.com
Thu, 19 Jan 2006 23:34:25 -0600


Dear openafs-info members:

Sorry to mail bomb you. I'm the same one who just wrote about slow
klog response.  This is a different question altogether.

We have been using an LDAP server to authenticate users in our Linux
lab.  Setting that up in /etc/pam.d was a bit tricky.  I wondered if
the local AFS server could be used to authenticate users.  In the
OpenAFS documentation, it seems to say I still need to use the LDAP
authentication, and then use klog to allow users to access their afs
shares.  When the openafs RPM installs, it offers advice to add this
to the PAM stack in order to allow users to get a token at login:

auth        sufficient    /lib/security/$ISA/pam_afs.so try_first_pass ignore_root

That is the same as running klog, as far as I understand it. Right?

I find, however, that the AFS server is quite a bit more useful than
expected.  It seems it can replace the LDAP server for authentication
service.  Below I paste in /etc/pam.d/system-auth where I've commented
out the LDAP elements and added only the one afs line.   After
restarting, I find that I CAN log in with my AFS username/password.
The system is apparently able to get enough of the other user
information it needs from LDAP.  The NSS configuration is still set to
use ldap, and I see in the output of "netstat -a" that 2 connections
are opened to the LDAP server.  I believe the system is getting the
user ID and group ID numbers from that server, because when I type
"id", the UID and GID information returned matches the numbers on the
LDAP server.

Anyway, I was confused in looking at the AFS documents and wanted to
follow up about it.  I did not have to make any changes to the Display
manager (gdm) besides putting this one little bit in system-auth.
Maybe it only works because the user account has been used on this
machine before?  I guess I'll have to test.


#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_afs.so try_first_pass ignore_root
# auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass

auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_localuser.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
#account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow

# password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so


session    required     /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
# session     optional      /lib/security/$ISA/pam_ldap.so
--
Paul E. Johnson
Professor, Political Science
1541 Lilac Lane, Room 504
University of Kansas
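As an added example (not part of Paul's message, and not OpenAFS or Fedora code): a small Python checker that parses a Red Hat style system-auth file in the four-column PAM line format and runs the checks a reviewer would want before trusting pam_afs.so as the login authenticator, namely that the auth stack still ends in the Fedora "required pam_deny.so" terminator, that pam_afs.so carries ignore_root and try_first_pass (the two options the RPM's advice adds), and that pam_unix.so is consulted before pam_afs.so. The embedded SAMPLE_SYSTEM_AUTH is a constructed copy of the auth stack quoted above; the function names and the finding texts are this example's own. It does not resolve "include" or "substack" directives.

```python
"""Lint the 'auth' stack of a Red Hat style /etc/pam.d/system-auth file.

Added example for this thread (not part of the original post). Parses the
four-column PAM line format, joins backslash continuation lines, skips
comments, and reports findings about pam_afs.so placement and options.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, copied from the auth stack quoted in the post.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_afs.so try_first_pass ignore_root
# auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
"""


@dataclass
class PamEntry:
    mtype: str            # auth, account, password, session
    control: str          # required, requisite, sufficient, optional or [...]
    module: str           # basename only; "/lib/security/$ISA/" is dropped
    args: list = field(default_factory=list)


# A control field is either one word or a bracketed [ret=action ...] list.
_BRACKET_CTRL = re.compile(r"^(\S+)\s+(\[[^\]]*\])\s+(\S+)\s*(.*)$")
_SIMPLE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Return the PamEntry list for a PAM config, in file order."""
    entries, pending = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):            # pam.conf continuation line
            pending.append(line[:-1])
            continue
        pending.append(line)
        line = " ".join(pending).strip()
        pending = []
        if not line or line.startswith("#"):
            continue
        m = _BRACKET_CTRL.match(line) or _SIMPLE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % line)
        mtype, control, module, args = m.groups()
        entries.append(PamEntry(mtype.lower(), control.lower(),
                                module.rsplit("/", 1)[-1], args.split()))
    return entries


def auth_stack(entries):
    """The auth-type entries only, in the order PAM will run them."""
    return [e for e in entries if e.mtype == "auth"]


def lint_auth_stack(entries):
    """Return a list of finding strings; an empty list means all checks passed."""
    stack = auth_stack(entries)
    findings = []
    if not stack or not (stack[-1].module == "pam_deny.so"
                         and stack[-1].control == "required"):
        findings.append("auth stack does not end with 'required pam_deny.so' "
                        "(the Fedora catch-all terminator)")
    afs = [e for e in stack if e.module == "pam_afs.so"]
    if not afs:
        findings.append("pam_afs.so is not in the auth stack")
    for e in afs:
        if "ignore_root" not in e.args:
            findings.append("pam_afs.so lacks ignore_root: root's login would "
                            "also be tried against the AFS cell")
        if not ({"try_first_pass", "use_first_pass"} & set(e.args)):
            findings.append("pam_afs.so lacks try_first_pass/use_first_pass: "
                            "users will be prompted for the password twice")
    names = [e.module for e in stack]
    if afs and "pam_unix.so" in names and \
            names.index("pam_unix.so") > names.index("pam_afs.so"):
        findings.append("pam_afs.so runs before pam_unix.so: local accounts "
                        "would be tried against AFS first")
    return findings


if __name__ == "__main__":
    for finding in lint_auth_stack(parse_pam(SAMPLE_SYSTEM_AUTH)) or ["ok"]:
        print(finding)
```

Run it against the real file with `parse_pam(open("/etc/pam.d/system-auth").read())`; the sample stack above produces no findings, and deleting either pam_afs option or the trailing pam_deny line produces one.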