Diff of /xml/htdocs/doc/en/openafs.xml


Revision 1.16 Revision 1.17
1<?xml version='1.0' encoding="UTF-8"?> 1<?xml version='1.0' encoding="UTF-8"?>
2<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/openafs.xml,v 1.16 2004/09/20 09:49:07 neysx Exp $ --> 2<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/openafs.xml,v 1.17 2004/09/22 11:42:11 swift Exp $ -->
3 3
4<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> 4<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
5 5
6<guide link = "/doc/en/openafs.xml"> 6<guide link = "/doc/en/openafs.xml">
7<title>Gentoo Linux OpenAFS Guide</title> 7<title>Gentoo Linux OpenAFS Guide</title>
12 <mail link="bennyc@gentoo.org">Benny Chuang</mail> 12 <mail link="bennyc@gentoo.org">Benny Chuang</mail>
13</author> 13</author>
14<author title="Editor"> 14<author title="Editor">
15 <mail link="blubber@gentoo.org">Tiemo Kieft</mail> 15 <mail link="blubber@gentoo.org">Tiemo Kieft</mail>
16</author> 16</author>
17<author title="Editor">
18 <mail link="fnjordy@gmail.com">Steven McCoy</mail>
19</author>
17 20
18<abstract> 21<abstract>
19This guide shows you how to install a openafs server and client on gentoo linux 22This guide shows you how to install a openafs server and client on gentoo linux
20</abstract> 23</abstract>
21 24
22<license/> 25<license/>
23 26
24<version>0.6</version> 27<version>0.7</version>
25<date>September 09, 2004</date> 28<date>September 22, 2004</date>
26 29
27<chapter> 30<chapter>
28 <title>Overview</title> 31 <title>Overview</title>
29 <section> 32 <section>
30 <title>About this Document</title> 33 <title>About this Document</title>
551 </section> 554 </section>
552 555
553</chapter> 556</chapter>
554 557
555<chapter> 558<chapter>
556 <title>Basic Administration</title> 559<title>Basic Administration</title>
557 <section> 560<section>
558 <title></title> 561<title>Disclaimer</title>
559 <body> 562<body>
560 <p>To be done ... For now read the AFS Documentation :)</p> 563
564<p>
565OpenAFS is an extensive technology. Please read the AFS documentation for more
566information. We only list a few administrative tasks in this chapter.
567</p>
568
561 </body> 569</body>
562 </section> 570</section>
571<section>
572<title>Configuring PAM to Acquire an AFS Token on Login</title>
573<body>
574
575<p>
576To use AFS you need to authenticate against the KA Server if using
577an implementation AFS Kerberos 4, or against a Kerberos 5 KDC if using
578MIT, Heimdal, or ShiShi Kerberos 5. However in order to login to a
579machine you will also need a user account, this can be local in
580/etc/passwd, NIS, LDAP (OpenLDAP), or a Hesiod database. PAM allows
581Gentoo to tie the authentication against AFS and login to the user
582account.
583</p>
584
585<p>
586You will need to update /etc/pam.d/system-auth which is used by the
587other configurations. "use_first_pass" indicates it will be checked
588first against the user login, and "ignore_root" stops the local super
589user being checked so as to order to allow login if AFS or the network
590fails.
591</p>
592
593<pre caption="/etc/pam.d/system-auth">
594auth required /lib/security/pam_env.so
595auth sufficient /lib/security/pam_unix.so likeauth nullok
596auth sufficient /usr/afsws/lib/pam_afs.so.1 use_first_pass ignore_root
597auth required /lib/security/pam_deny.so
598
599account required /lib/security/pam_unix.so
600
601password required /lib/security/pam_cracklib.so retry=3
602password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
603password required /lib/security/pam_deny.so
604
605session required /lib/security/pam_limits.so
606session required /lib/security/pam_unix.so
607</pre>
608
609<p>
610In order for sudo to keep the real user's token and to prevent local
611users gaining AFS access change /etc/pam.d/su as follows:
612</p>
613
614<pre caption="/etc/pam.d/su">
615<comment># Here, users with uid &gt; 100 are considered to belong to AFS and users with
616# uid &lt;= 100 are ignored by pam_afs.</comment>
617auth sufficient /usr/afsws/lib/pam_afs.so.1 ignore_uid 100
618
619auth sufficient /lib/security/pam_rootok.so
620
621<comment># If you want to restrict users begin allowed to su even more,
622# create /etc/security/suauth.allow (or to that matter) that is only
623# writable by root, and add users that are allowed to su to that
624# file, one per line.
625#auth required /lib/security/pam_listfile.so item=ruser \
626# sense=allow onerr=fail file=/etc/security/suauth.allow
627
628# Uncomment this to allow users in the wheel group to su without
629# entering a passwd.
630#auth sufficient /lib/security/pam_wheel.so use_uid trust
631
632# Alternatively to above, you can implement a list of users that do
633# not need to supply a passwd with a list.
634#auth sufficient /lib/security/pam_listfile.so item=ruser \
635# sense=allow onerr=fail file=/etc/security/suauth.nopass
636
637# Comment this to allow any user, even those not in the 'wheel'
638# group to su</comment>
639auth required /lib/security/pam_wheel.so use_uid
640
641auth required /lib/security/pam_stack.so service=system-auth
642
643account required /lib/security/pam_stack.so service=system-auth
644
645password required /lib/security/pam_stack.so service=system-auth
646
647session required /lib/security/pam_stack.so service=system-auth
648session optional /lib/security/pam_xauth.so
649
650<comment># Here we prevent the real user id's token from being dropped</comment>
651session optional /usr/afsws/lib/pam_afs.so.1 no_unlog
652</pre>
653
654</body>
655</section>
563</chapter> 656</chapter>
657
564</guide> 658</guide>
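
Review bot: In the added /etc/pam.d/su block, "auth sufficient /usr/afsws/lib/pam_afs.so.1 ignore_uid 100" is placed above "auth required /lib/security/pam_wheel.so use_uid", so a successful pam_afs authentication ends the auth stack before the wheel check runs, and a user outside wheel can su to any account that pam_afs authenticates (uid > 100). If the wheel restriction is meant to cover AFS accounts as well, move the pam_afs line below the pam_wheel line, or state in the comment that AFS users are deliberately exempt. The paragraph introducing this block says "sudo" while the file being edited is /etc/pam.d/su. In the system-auth paragraph, "use_first_pass" is described as "checked first against the user login"; it would be clearer to say that pam_afs reuses the password already entered for pam_unix instead of prompting again. "so as to order to allow login" and "begin allowed to su" are typos, and the new "Disclaimer" section title does not match its content, which is an introduction to the chapter.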
