[OpenAFS] Something like $HOME in afs?

Paul Johnson pauljohn32@gmail.com
Tue, 31 Jan 2006 15:23:54 -0600


On 1/31/06, John Lockard <jlockard@umich.edu> wrote:
> When they log in on the Linux box, what are you using to know
> what the user's home directory is (LDAP, /etc/passwd file, etc.)?
> That should be your basis.
>
> -John

Actually, your question leads me to confess some idiocy in our setup.

On campus, there are too many competing factions on the campus who
endorse Novell, Windows-AD, AFS, etc.  As it currently stands, I've
set it so Linux users are authenticated by the AFS system itself, but
the information about where to find home is just in the Linux system
configuration.  That is, $HOME is always /home/$USER.

AFS can authenticate users, but the system uses nsswitch to find user
info in a separate LDAP server (which I do not control), and so if the
user does not have a name in LDAP, then the login is rejected.  Even
if the user never gives a valid LDAP password, and just uses the AFS
password, the login will work, as long as LDAP has that name in there.
I don't understand why the LDAP server is giving the information the
system wants without a password. Maybe the admins here would call it a
security hole.

If the user does not put in a valid AFS password, then the password is
checked against LDAP.  It works, anyway.

Here's what I have for PAM system-auth.

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_afs.so use_first_pass ignore_root
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_localuser.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so

--
Paul E. Johnson
Professor, Political Science
1541 Lilac Lane, Room 504
University of Kansas
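The behaviour Paul describes (an AFS password alone is enough, LDAP is never asked) follows directly from how Linux-PAM walks a stack of "sufficient" modules. The following is an added example, not code from the post or from OpenAFS: a small simulator of the Linux-PAM control-flag rules, run over the auth stack quoted above, with the per-module return values for each scenario constructed by hand.

```python
# Added example, not from the original post: a small simulator of Linux-PAM
# control-flag semantics, used to trace the "auth" stack quoted above.
# Module return values per scenario are constructed, not real module output.
SUCCESS, FAIL = "success", "auth_err"

# Keyword flags as Linux-PAM expands them into [value=action] form.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(field):
    """'sufficient' or '[default=bad success=ok user_unknown=ignore]' -> map."""
    if field.startswith("["):
        return dict(kv.split("=", 1) for kv in field.strip("[]").split())
    return KEYWORDS[field]

def run_stack(stack, outcomes):
    """Walk a PAM stack of (control, module) pairs.
    outcomes maps module -> return value (missing modules are assumed to fail).
    Returns (stack result, list of modules that were actually invoked)."""
    status, failure, called = SUCCESS, None, []
    for control, module in stack:
        called.append(module)
        ret = outcomes.get(module, FAIL)
        actions = parse_control(control)
        action = actions.get(ret, actions.get("default", "bad"))
        if action == "ok" and failure is None:
            status = ret                # contributes unless a failure was recorded
        elif action == "done" and failure is None:
            return ret, called          # 'sufficient' success ends the stack here
        elif action in ("bad", "die"):
            failure = failure or ret    # the first failure decides the result
            if action == "die":
                break
        # 'ignore' (and 'done' after an earlier failure) changes nothing
    return (failure or status), called

# The auth stack from the post, control fields as written there.
AUTH_STACK = [("required", "pam_env.so"), ("sufficient", "pam_unix.so"),
              ("sufficient", "pam_afs.so"), ("sufficient", "pam_ldap.so"),
              ("required", "pam_deny.so")]

def trace_auth(afs_ok=False, ldap_ok=False, unix_ok=False):
    """Constructed scenario: which of the three password checks would pass."""
    outcomes = {"pam_env.so": SUCCESS, "pam_deny.so": FAIL}
    for mod, ok in (("pam_unix.so", unix_ok), ("pam_afs.so", afs_ok), ("pam_ldap.so", ldap_ok)):
        outcomes[mod] = SUCCESS if ok else FAIL
    return run_stack(AUTH_STACK, outcomes)
```

`trace_auth(afs_ok=True)` returns success with pam_ldap.so absent from the list of invoked modules, which is exactly the "works with just the AFS password" case; only when every sufficient module fails does pam_deny.so get reached.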