[OpenAFS] Something like $HOME in afs?
Tue, 31 Jan 2006 15:23:54 -0600
On 1/31/06, John Lockard <firstname.lastname@example.org> wrote:
> When they log in on the Linux box, what are you using to know
> what the user's home directory is (LDAP, /etc/passwd file, etc.)?
> That should be your basis.
Actually, your question leads me to confess some idiocy in our setup.
On campus, there are too many competing factions on the campus who
endorse Novell, Windows-AD, AFS, etc. As it currently stands, I've
set it so Linux users are authenticated by the AFS system itself, but
the information about where to find home is just in the Linux system
configuration. That is, $HOME is always /home/$USER.
AFS can authenticate users, but the system uses nsswitch to find user
info in a separate LDAP server (which I do not control), and so if the
user does not have a name in LDAP, then the login is rejected. Even
if the user never gives a valid LDAP password, and just uses the AFS
password, the login will work, as long as LDAP has that name in there.
I don't understand why the LDAP server is giving the information the
system wants without a password. Maybe the admins here would call it a
If user does not put in a valid AFS password, then the password is
checked against LDAP. It works, anyway.
Here's what I have for PAM system-auth.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_afs.so use_first_pass
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_localuser.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 qu=
account [default=3Dbad success=3Dok user_unknown=3Dignore]
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3D3
password sufficient /lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_mkhomedir.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
Paul E. Johnson
Professor, Political Science
1541 Lilac Lane, Room 504
University of Kansas