Contents of /xml/htdocs/doc/en/openafs.xml

Revision 1.17 - (show annotations) (download) (as text)
Wed Sep 22 11:42:11 2004 UTC (9 years, 7 months ago) by swift
Branch: MAIN
Changes since 1.16: +104 -10 lines
File MIME type: application/xml
Add bits about PAM <-> AFS

<?xml version='1.0' encoding="UTF-8"?>
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/openafs.xml,v 1.16 2004/09/20 09:49:07 neysx Exp $ -->

<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide link = "/doc/en/openafs.xml">
<title>Gentoo Linux OpenAFS Guide</title>
<author title="Editor">
<mail link="darks@gentoo.org">Holger Brueckner</mail>
</author>
<author title="Editor">
<mail link="bennyc@gentoo.org">Benny Chuang</mail>
</author>
<author title="Editor">
<mail link="blubber@gentoo.org">Tiemo Kieft</mail>
</author>
<author title="Editor">
<mail link="fnjordy@gmail.com">Steven McCoy</mail>
</author>

<abstract>
This guide shows you how to install an OpenAFS server and client on Gentoo Linux.
</abstract>

<license/>

<version>0.7</version>
<date>September 22, 2004</date>

<chapter>
<title>Overview</title>
<section>
<title>About this Document</title>
<body>
<p>This document provides you with all necessary steps to install an OpenAFS server on Gentoo Linux.
Parts of this document are taken from the AFS FAQ and IBM's Quick Beginnings guide on AFS. Well, never reinvent
the wheel :)</p>
</body>
</section>
<section>
<title>What is AFS?</title>
<body>

<p>
AFS is a distributed filesystem that enables co-operating hosts
(clients and servers) to efficiently share filesystem resources
across both local area and wide area networks. Clients hold a
cache of frequently used objects (files) to get quicker
access to them.
</p>
<p>
AFS is based on a distributed file system originally developed
at the Information Technology Center at Carnegie-Mellon University
that was called the "Andrew File System". "Andrew" was the name of the research project at CMU, honouring the
founders of the University. Once Transarc was formed and AFS became a
product, the "Andrew" was dropped to indicate that AFS had gone beyond
the Andrew research project and had become a supported, product quality
filesystem. However, there were a number of existing cells that rooted
their filesystem as /afs. At the time, changing the root of the filesystem
was a non-trivial undertaking. So, to save the early AFS sites from having
to rename their filesystem, AFS remained as the name and filesystem root.
</p>
</body>
</section>
<section>
<title>What is an AFS cell?</title>
<body>
<p>An AFS cell is a collection of servers grouped together administratively
and presenting a single, cohesive filesystem. Typically, an AFS cell is a set of
hosts that use the same Internet domain name (for example gentoo.org).
Users log into AFS client workstations, which request information and files
from the cell's servers on behalf of the users. Users won't know on which server
a file they are accessing is located. They won't even notice if a server
is moved to another room, since every volume can be replicated and moved
to another server without any user noticing. The files are always accessible.
Well, it's like NFS on steroids :)
</p>
</body>
</section>
<section>
<title>What are the benefits of using AFS?</title>
<body>
<p>The main strengths of AFS are its:</p>
<ul>
<li>caching facility (on client side, typically 100M to 1GB),</li>
<li>security features (Kerberos 4 based, access control lists),</li>
<li>simplicity of addressing (you just have one filesystem),</li>
<li>scalability (add further servers to your cell as needed),</li>
<li>communications protocol.</li>
</ul>
</body>
</section>
<section>
<title>Where can I get more information?</title>
<body>
<p>
Read the <uri link="http://www.angelfire.com/hi/plutonic/afs-faq.html">AFS FAQ</uri>.
</p>
<p>
The OpenAFS main page is at <uri link="http://www.openafs.org">www.openafs.org</uri>.
</p>
<p>
AFS was originally developed by Transarc, which is now owned by IBM.
You can find some information about AFS on
<uri link="http://www.transarc.ibm.com/Product/EFS/AFS/index.html">Transarc's Webpage</uri>.
</p>
</body>
</section>

</chapter>

<chapter>
<title>Documentation</title>
<section>
<title>Getting AFS Documentation</title>
<body>
<p>
You can get the original IBM AFS Documentation. It is very well written and you
really want to read it if it is up to you to administer an AFS Server.
</p>
<pre>
# <i>emerge app-doc/afsdoc</i>
</pre>
</body>
</section>
</chapter>

<chapter>
<title>Client Installation</title>
<section>
<title>Preliminary Work</title>
<body>
<note>
All commands should be written on one line! In this document they are
sometimes wrapped to two lines to make them easier to read.
</note>
<note>
Unfortunately the AFS Client needs an ext2 partition for its cache to run
correctly, because there are some locking issues with reiserfs. You need to
create an ext2 partition of approx. 200MB (more won't hurt) and mount it on
<path>/usr/vice/cache</path>.
</note>
<p>
You should adjust the two files CellServDB and ThisCell before you build the
AFS client. (These files are in <path>/usr/portage/net-fs/openafs/files</path>.)
</p>
<pre>
CellServDB:
>netlabs #Cell name
10.0.0.1 #storage

ThisCell:
netlabs
</pre>

<warn>
Only use spaces inside the <path>CellServDB</path> file. The client will most
likely fail if you use TABs.
</warn>

<p>
CellServDB tells your client which server(s) it needs to contact for a
specific cell. ThisCell should be quite obvious. Normally you use a name
which is unique for your organisation. Your (official) domain might be a
good choice.
</p>
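<p>
As an added check (example code, not part of the guide or of OpenAFS), the following Python validates a CellServDB/ThisCell pair of the form shown above: it rejects TAB characters, as the warning requires, makes sure every server line is an IP address under a ">cell" line, and applies the cell-name restrictions given in the server chapter (no uppercase letters, at most 64 characters). The embedded file contents are constructed from the netlabs example.
</p>

```python
"""Validate a CellServDB / ThisCell pair of the form this guide uses.

Added example, not part of the Gentoo guide or of OpenAFS.  It checks
what the guide warns about: TAB characters in CellServDB (spaces only)
and the cell-name rules from the server chapter (no uppercase letters,
at most 64 characters).  The file contents below are constructed.
"""
import ipaddress
import re

# Constructed sample mirroring the guide's netlabs example.
CELLSERVDB = ">netlabs #Cell name\n10.0.0.1 #storage\n"
THISCELL = "netlabs\n"

MAX_CELL_NAME = 64


def check_cell_name(name):
    """Return the problems with a cell name (empty list if it is acceptable)."""
    problems = []
    if not name:
        problems.append("cell name is empty")
    if any(c.isupper() for c in name):
        problems.append("cell name must not contain uppercase letters")
    if len(name) > MAX_CELL_NAME:
        problems.append("cell name longer than %d characters" % MAX_CELL_NAME)
    if re.search(r"\s", name):
        problems.append("cell name contains whitespace")
    return problems


def parse_cellservdb(text):
    """Parse CellServDB into ({cell: [server addresses]}, [problems]).

    A line starting with '>' names a cell; each following line gives one
    database server address; '#' starts a comment on either kind of line.
    """
    cells, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if "\t" in raw:
            problems.append("line %d: TAB character (use spaces only)" % lineno)
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(">"):
            current = line[1:].strip()
            problems.extend("line %d: %s" % (lineno, p) for p in check_cell_name(current))
            cells.setdefault(current, [])
            continue
        if current is None:
            problems.append("line %d: server address before any '>cell' line" % lineno)
            continue
        try:
            ipaddress.ip_address(line)
        except ValueError:
            problems.append("line %d: %r is not an IP address" % (lineno, line))
            continue
        cells[current].append(line)
    for cell, servers in cells.items():
        if not servers:
            problems.append("cell %r lists no database servers" % cell)
    return cells, problems


def check_thiscell(text, cells):
    """ThisCell must name one cell that CellServDB knows how to reach."""
    name = text.strip()
    problems = check_cell_name(name)
    if name not in cells:
        problems.append("ThisCell %r has no entry in CellServDB" % name)
    return name, problems
```

Run the two functions over the real files under /usr/vice/etc before starting the client; an empty problem list for both means the pair is consistent with the rules above.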
</body>
</section>
<section>
<title>Building the Client</title>
<body>
<pre>
# <i>emerge net-fs/openafs</i>
</pre>
<p>
After successful compilation you're ready to go.
</p>
</body>
</section>
<section>
<title>Starting AFS on startup</title>
<body>
<p>
The following command will create the appropriate links to start your AFS client
on system startup.
</p>
<warn>
You should always have a running AFS server in your domain when trying to start the AFS client. Your system won't boot
until it gets some timeout if your AFS server is down (and this is quite a long, long time).
</warn>
<pre>
# <i>rc-update add afs default</i>
</pre>
</body>
</section>
</chapter>

<chapter>
<title>Server Installation</title>
<section>
<title>Building the Server</title>
<body>
<p>
The following command will install all necessary binaries for setting up an AFS Server
<e>and</e> Client.
</p>
<pre>
# <i>emerge net-fs/openafs</i>
</pre>
</body>
</section>
<section>
<title>Starting the AFS Server</title>
<body>
<p>
You need to remove the sample CellServDB and ThisCell files first.
</p>
<pre>
# <i>rm /usr/vice/etc/ThisCell</i>
# <i>rm /usr/vice/etc/CellServDB</i>
</pre>
<p>
Next you will run the <b>bosserver</b> command to initialize the Basic OverSeer (BOS)
Server, which monitors and controls other AFS server processes on its server
machine. Think of it as init for the system. Include the <b>-noauth</b>
flag to disable authorization checking, since you haven't added the admin user yet.
</p>
<warn>
Disabling authorization checking gravely compromises cell security.
You must complete all subsequent steps in one uninterrupted pass
and must not leave the machine unattended until you restart the BOS Server with
authorization checking enabled. Well, this is what the AFS documentation says :)
</warn>
<pre>
# <i>/usr/afs/bin/bosserver -noauth &amp;</i>
</pre>
<p>
Verify that the BOS Server created <path>/usr/vice/etc/CellServDB</path>
and <path>/usr/vice/etc/ThisCell</path>.
</p>
<pre>
# <i>ls -al /usr/vice/etc/</i>
-rw-r--r-- 1 root root 41 Jun 4 22:21 CellServDB
-rw-r--r-- 1 root root 7 Jun 4 22:21 ThisCell
</pre>

</body>
</section>
<section>
<title>Defining Cell Name and Membership for Server Processes</title>
<body>
<p>
Now assign your cell's name.
</p>
<impo>There are some restrictions on the name format.
Two of the most important restrictions are that the name
cannot include uppercase letters or more than 64 characters. Remember that
your cell name will show up under <path>/afs</path>, so you might want to choose
a short one.</impo>
<note>In the following and every instruction in this guide, for the &lt;server name&gt;
argument substitute the fully-qualified hostname
(such as <b>afs.gentoo.org</b>) of the machine you are installing.
For the &lt;cell name&gt;
argument substitute your cell's complete name (such as <b>gentoo</b>).</note>
<p>
Run the <b>bos setcellname</b> command to set the cell name:
</p>
<pre>
# <i>/usr/afs/bin/bos setcellname &lt;server name&gt; &lt;cell name&gt; -noauth</i>
</pre>
</body>
</section>
<section>
<title>Starting the Database Server Processes</title>
<body><p>
Next use the <b>bos create</b> command to create entries for the four database
server processes in the
<path>/usr/afs/local/BosConfig</path> file. The four processes run on database
server machines only.
</p>

<table>
<tr>
<ti>kaserver</ti>
<ti>The Authentication Server maintains the Authentication Database.
This can be replaced by a Kerberos 5 daemon. If anybody wants to try that,
feel free to update this document :)</ti>
</tr>
<tr>
<ti>buserver</ti>
<ti>The Backup Server maintains the Backup Database</ti>
</tr>
<tr>
<ti>ptserver</ti>
<ti>The Protection Server maintains the Protection Database</ti>
</tr>
<tr>
<ti>vlserver</ti>
<ti>The Volume Location Server maintains the Volume Location Database (VLDB).
Very important :)</ti>
</tr>
</table>
<pre>
# <i>/usr/afs/bin/bos create &lt;server name&gt; kaserver simple
/usr/afs/bin/kaserver -cell &lt;cell name&gt; -noauth</i>
# <i>/usr/afs/bin/bos create &lt;server name&gt; buserver simple
/usr/afs/bin/buserver -cell &lt;cell name&gt; -noauth</i>
# <i>/usr/afs/bin/bos create &lt;server name&gt; ptserver simple
/usr/afs/bin/ptserver -cell &lt;cell name&gt; -noauth</i>
# <i>/usr/afs/bin/bos create &lt;server name&gt; vlserver simple
/usr/afs/bin/vlserver -cell &lt;cell name&gt; -noauth</i>
</pre>
<p>
You can verify that all servers are running with the <b>bos status</b> command:
</p>
<pre>
# <i>/usr/afs/bin/bos status &lt;server name&gt; -noauth</i>
Instance kaserver, currently running normally.
Instance buserver, currently running normally.
Instance ptserver, currently running normally.
Instance vlserver, currently running normally.
</pre>

</body>
</section>
<section>
<title>Initializing Cell Security</title>
<body>
<p>
Now we'll initialize the cell's security mechanisms. We'll begin by creating the
following two initial entries in the
Authentication Database: the main administrative account, called <b>admin</b> by
convention, and an entry for
the AFS server processes, called <b>afs</b>. No user logs in under the
identity <b>afs</b>, but the Authentication
Server's Ticket Granting Service (TGS) module uses the account
to encrypt the server tickets that it grants to AFS clients. This sounds
pretty much like Kerberos :)
</p>
<p>
Enter <b>kas</b> interactive mode:
</p>
<pre>
# <i>/usr/afs/bin/kas -cell &lt;cell name&gt; -noauth</i>
ka&gt; <i>create afs</i>
initial_password:
Verifying, please re-enter initial_password:
ka&gt; <i>create admin</i>
initial_password:
Verifying, please re-enter initial_password:
ka&gt; <i>examine afs</i>

User data for afs
key (0) cksum is 2651715259, last cpw: Mon Jun 4 20:49:30 2001
password will never expire.
An unlimited number of unsuccessful authentications is permitted.
entry never expires. Max ticket lifetime 100.00 hours.
last mod on Mon Jun 4 20:49:30 2001 by &lt;none&gt;
permit password reuse
ka&gt; <i>setfields admin -flags admin</i>
ka&gt; <i>examine admin</i>

User data for admin (ADMIN)
key (0) cksum is 2651715259, last cpw: Mon Jun 4 20:49:59 2001
password will never expire.
An unlimited number of unsuccessful authentications is permitted.
entry never expires. Max ticket lifetime 25.00 hours.
last mod on Mon Jun 4 20:51:10 2001 by &lt;none&gt;
permit password reuse
ka&gt;
</pre>
<p>
Run the <b>bos adduser</b> command to add the <b>admin</b> user to
<path>/usr/afs/etc/UserList</path>.
</p>
<pre>
# <i>/usr/afs/bin/bos adduser &lt;server name&gt; admin -cell &lt;cell name&gt; -noauth</i>
</pre>
<p>
Issue the <b>bos addkey</b> command to define the AFS Server
encryption key in <path>/usr/afs/etc/KeyFile</path>.
</p>
<note>
If asked for the input key, give the password you entered when creating
the afs entry with <b>kas</b>.
</note>
<pre>
# <i>/usr/afs/bin/bos addkey &lt;server name&gt; -kvno 0 -cell &lt;cell name&gt; -noauth</i>
input key:
Retype input key:
</pre>
<p>
Issue the <b>pts createuser</b> command to create a Protection Database
entry for the admin user.
</p>
<note>
By default, the Protection Server assigns AFS UID 1 to the <b>admin</b> user, because
it is the first user
entry you are creating. If the local password file (/etc/passwd or equivalent)
already has an entry for
<b>admin</b> that assigns a different UID, use the <b>-id</b> argument
to create matching UIDs.
</note>
<pre>
# <i>/usr/afs/bin/pts createuser -name admin -cell &lt;cell name&gt; [-id &lt;AFS UID&gt;] -noauth</i>
</pre>
<p>
Issue the <b>pts adduser</b> command to make the <b>admin</b> user a member
of the system:administrators group,
and the <b>pts membership</b> command to verify the new membership.
</p>
<pre>
# <i>/usr/afs/bin/pts adduser admin system:administrators -cell &lt;cell name&gt; -noauth</i>
# <i>/usr/afs/bin/pts membership admin -cell &lt;cell name&gt; -noauth</i>
Groups admin (id: 1) is a member of:
system:administrators
</pre>
<p>
Restart all AFS Server processes:
</p>
<pre>
# <i>/usr/afs/bin/bos restart &lt;server name&gt; -all -cell &lt;cell name&gt; -noauth</i>
</pre>
</body>
</section>
<section>
<title>Starting the File Server, Volume Server and Salvager</title>
<body>
<p>
Start the <b>fs</b> process, which consists of the File Server, Volume Server and Salvager (fileserver,
volserver and salvager processes).
</p>
<pre>
# <i>/usr/afs/bin/bos create &lt;server name&gt; fs fs /usr/afs/bin/fileserver
/usr/afs/bin/volserver
/usr/afs/bin/salvager
-cell &lt;cell name&gt; -noauth</i>
</pre>
<p>
Verify that all processes are running:
</p>
<pre>
# <i>/usr/afs/bin/bos status &lt;server name&gt; -long -noauth</i>
Instance kaserver, (type is simple) currently running normally.
Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
Last exit at Mon Jun 4 21:07:17 2001
Command 1 is '/usr/afs/bin/kaserver'

Instance buserver, (type is simple) currently running normally.
Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
Last exit at Mon Jun 4 21:07:17 2001
Command 1 is '/usr/afs/bin/buserver'

Instance ptserver, (type is simple) currently running normally.
Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
Last exit at Mon Jun 4 21:07:17 2001
Command 1 is '/usr/afs/bin/ptserver'

Instance vlserver, (type is simple) currently running normally.
Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
Last exit at Mon Jun 4 21:07:17 2001
Command 1 is '/usr/afs/bin/vlserver'

Instance fs, (type is fs) currently running normally.
Auxiliary status is: file server running.
Process last started at Mon Jun 4 21:09:30 2001 (2 proc starts)
Command 1 is '/usr/afs/bin/fileserver'
Command 2 is '/usr/afs/bin/volserver'
Command 3 is '/usr/afs/bin/salvager'
</pre>
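<p>
The verification step above can be automated. The following Python, an added example that is not part of the guide or of OpenAFS, parses <b>bos status</b> output in the format shown (both the short form used for the database servers and the <b>-long</b> form above) and reports which of the five expected instances is missing or not running normally; the output it embeds is a constructed sample in which one instance has been stopped.
</p>

```python
"""Check 'bos status -long' output for the server processes this guide starts.

Added example, not part of the Gentoo guide or of OpenAFS.  It parses the
output format shown in the guide and reports instances that are missing or
not "currently running normally", which is what a monitoring check on a
database/file server machine would alert on.  The output below is a
constructed sample in the guide's format.
"""
import re

EXPECTED = ("kaserver", "buserver", "ptserver", "vlserver", "fs")

# Constructed sample: four healthy instances and one that has been stopped.
SAMPLE = """\
Instance kaserver, (type is simple) currently running normally.
Process last started at Mon Jun 4 21:07:17 2001 (2 proc starts)
Command 1 is '/usr/afs/bin/kaserver'

Instance buserver, (type is simple) currently running normally.
Command 1 is '/usr/afs/bin/buserver'

Instance ptserver, (type is simple) currently running normally.
Command 1 is '/usr/afs/bin/ptserver'

Instance vlserver, (type is simple) disabled, currently shutdown.
Command 1 is '/usr/afs/bin/vlserver'

Instance fs, (type is fs) currently running normally.
Auxiliary status is: file server running.
Command 1 is '/usr/afs/bin/fileserver'
Command 2 is '/usr/afs/bin/volserver'
Command 3 is '/usr/afs/bin/salvager'
"""

# The "(type is ...)" part is only present with -long, so it is optional.
INSTANCE_RE = re.compile(r"^Instance (\S+), (?:\(type is (\w+)\) )?(.*)$")


def parse_bos_status(text):
    """Return {instance: {"type": ..., "status": ..., "commands": [...]}}."""
    instances, current = {}, None
    for line in text.splitlines():
        m = INSTANCE_RE.match(line)
        if m:
            name, kind, status = m.groups()
            current = instances[name] = {"type": kind, "status": status.rstrip("."), "commands": []}
        elif current is not None and line.startswith("Command "):
            # "Command 1 is '/usr/afs/bin/kaserver'" -> the quoted path
            current["commands"].append(line.split("'")[1])
    return instances


def unhealthy(instances, expected=EXPECTED):
    """Map each expected instance that is missing or not running normally to its status."""
    bad = {}
    for name in expected:
        inst = instances.get(name)
        if inst is None:
            bad[name] = "missing"
        elif inst["status"] != "currently running normally":
            bad[name] = inst["status"]
    return bad
```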
<p>
Your next action depends on whether you have ever run AFS file server machines
in the cell:
</p>
<p>
If you are installing the first AFS Server ever in the cell, create the
first AFS volume, <b>root.afs</b>.
</p>
<note>
For the partition name argument, substitute the name of one of the machine's
AFS Server partitions. By convention
these partitions are named <path>/vicepx</path>, where x is in the range a-z.
</note>
<pre>
# <i>/usr/afs/bin/vos create &lt;server name&gt;
&lt;partition name&gt; root.afs
-cell &lt;cell name&gt; -noauth</i>
</pre>
<p>
If there are existing AFS file server machines and volumes in the cell,
issue the <b>vos syncvldb</b> and <b>vos
syncserv</b> commands to synchronize the VLDB (Volume Location Database) with
the actual state of volumes on the local machine. This will copy all necessary data to your
new server.
</p>
<p>
If the command fails with the message "partition /vicepa does not exist on
the server", ensure that the partition is mounted before running OpenAFS
servers, or mount the directory and restart the processes using
<c>/usr/afs/bin/bos restart &lt;server name&gt; -all -cell &lt;cell
name&gt; -noauth</c>.
</p>
<pre>
# <i>/usr/afs/bin/vos syncvldb &lt;server name&gt; -cell &lt;cell name&gt; -verbose -noauth</i>
# <i>/usr/afs/bin/vos syncserv &lt;server name&gt; -cell &lt;cell name&gt; -verbose -noauth</i>
</pre>
</body>
</section>
<section>
<title>Starting the Server Portion of the Update Server</title>
<body>
<pre>
# <i>/usr/afs/bin/bos create &lt;server name&gt;
upserver simple "/usr/afs/bin/upserver
-crypt /usr/afs/etc -clear /usr/afs/bin"
-cell &lt;cell name&gt; -noauth</i>
</pre>
</body>
</section>
<section>
<title>Configuring the Top Level of the AFS filespace</title>
<body>
<p>
First you need to set some ACLs, so that any user can look up <path>/afs</path>.
</p>
<pre>
# <i>/usr/afs/bin/fs setacl /afs system:anyuser rl</i>
</pre>
<p>
Then you need to create the root volume, mount it read-only on <path>/afs/&lt;cell name&gt;</path> and read/write
on <path>/afs/.&lt;cell name&gt;</path>.
</p>
<pre>
# <i>/usr/afs/bin/vos create &lt;server name&gt; &lt;partition name&gt; root.cell</i>
# <i>/usr/afs/bin/fs mkmount /afs/&lt;cell name&gt; root.cell</i>
# <i>/usr/afs/bin/fs setacl /afs/&lt;cell name&gt; system:anyuser rl</i>
# <i>/usr/afs/bin/fs mkmount /afs/.&lt;cell name&gt; root.cell -rw</i>
</pre>
<p>
Finally you're done!!! You should now have a working AFS file server
on your local network. Time to get a big
cup of coffee and print out the AFS documentation!!!
</p>
<note>
It is very important for the AFS server to function properly that all system
clocks are synchronized.
This is best
accomplished by installing an NTP server on one machine (e.g. the AFS server)
and synchronizing all client clocks
with the NTP client. This can also be done by the AFS client.
</note>
</body>
</section>

</chapter>

<chapter>
<title>Basic Administration</title>
<section>
<title>Disclaimer</title>
<body>

<p>
OpenAFS is an extensive technology. Please read the AFS documentation for more
information. We only list a few administrative tasks in this chapter.
</p>

</body>
</section>
<section>
<title>Configuring PAM to Acquire an AFS Token on Login</title>
<body>

<p>
To use AFS you need to authenticate against the KA Server if using
an implementation of AFS Kerberos 4, or against a Kerberos 5 KDC if using
MIT, Heimdal, or Shishi Kerberos 5. However, in order to log in to a
machine you will also need a user account; this can be local in
/etc/passwd, NIS, LDAP (OpenLDAP), or a Hesiod database. PAM allows
Gentoo to tie the authentication against AFS to the login to the user
account.
</p>

<p>
You will need to update /etc/pam.d/system-auth, which is used by the
other configurations. "use_first_pass" indicates that the password entered
at login is reused, so it is checked first against the local user login and
then against AFS, and "ignore_root" stops the local superuser from being
checked, so that root can still log in if AFS or the network fails.
</p>

<pre caption="/etc/pam.d/system-auth">
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /usr/afsws/lib/pam_afs.so.1 use_first_pass ignore_root
auth required /lib/security/pam_deny.so

account required /lib/security/pam_unix.so

password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password required /lib/security/pam_deny.so

session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
</pre>

<p>
In order for sudo to keep the real user's token and to prevent local
users from gaining AFS access, change /etc/pam.d/su as follows:
</p>

<pre caption="/etc/pam.d/su">
<comment># Here, users with uid &gt; 100 are considered to belong to AFS and users with
# uid &lt;= 100 are ignored by pam_afs.</comment>
auth sufficient /usr/afsws/lib/pam_afs.so.1 ignore_uid 100

auth sufficient /lib/security/pam_rootok.so

<comment># If you want to restrict users being allowed to su even more,
# create /etc/security/suauth.allow (or whatever name you like, for that matter) that is only
# writable by root, and add users that are allowed to su to that
# file, one per line.
#auth required /lib/security/pam_listfile.so item=ruser \
# sense=allow onerr=fail file=/etc/security/suauth.allow

# Uncomment this to allow users in the wheel group to su without
# entering a passwd.
#auth sufficient /lib/security/pam_wheel.so use_uid trust

# Alternatively to the above, you can implement a list of users that do
# not need to supply a passwd with a list.
#auth sufficient /lib/security/pam_listfile.so item=ruser \
# sense=allow onerr=fail file=/etc/security/suauth.nopass

# Comment this out to allow any user, even those not in the 'wheel'
# group, to su</comment>
auth required /lib/security/pam_wheel.so use_uid

auth required /lib/security/pam_stack.so service=system-auth

account required /lib/security/pam_stack.so service=system-auth

password required /lib/security/pam_stack.so service=system-auth

session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so

<comment># Here we prevent the real user id's token from being dropped</comment>
session optional /usr/afsws/lib/pam_afs.so.1 no_unlog
</pre>
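<p>
As an added check (example code, not the guide's or OpenAFS's own), the following Python parses a pam.d file and audits it for the properties the two stacks above rely on: pam_afs sitting after pam_unix in the auth stack with use_first_pass and ignore_root, a required pam_deny closing that stack, and ignore_uid and no_unlog on the pam_afs lines in /etc/pam.d/su. The file contents it embeds are a constructed copy of the system-auth stack shown above.
</p>

```python
"""Audit the PAM stacks this guide configures for pam_afs.

Added example, not part of the Gentoo guide or of OpenAFS.  It parses a
pam.d file and reports deviations from the layout the guide uses: in the
auth stack pam_afs follows pam_unix and carries use_first_pass and
ignore_root, and the stack ends in a required pam_deny; in /etc/pam.d/su
the pam_afs auth line carries ignore_uid and its session line no_unlog.
The file contents below are a constructed copy of the guide's system-auth.
"""

SYSTEM_AUTH = """\
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /usr/afsws/lib/pam_afs.so.1 use_first_pass ignore_root
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
"""

AFS = "pam_afs.so.1"


def parse_pam(text):
    """Return [(type, control, module, [args])] for the non-comment lines."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3:
            # Keep only the module's file name so the install path does not matter.
            entries.append((parts[0], parts[1], parts[2].rsplit("/", 1)[-1], parts[3:]))
    return entries


def audit_system_auth(entries):
    """Problems with a system-auth stack; an empty list means it matches the guide."""
    auth = [e for e in entries if e[0] == "auth"]
    modules = [e[2] for e in auth]
    if AFS not in modules:
        return ["no pam_afs line in the auth stack"]
    problems = []
    afs_args = auth[modules.index(AFS)][3]
    if "pam_unix.so" not in modules or modules.index("pam_unix.so") > modules.index(AFS):
        problems.append("pam_afs should come after pam_unix so the local password is tried first")
    if "use_first_pass" not in afs_args:
        problems.append("pam_afs lacks use_first_pass")
    if "ignore_root" not in afs_args:
        problems.append("pam_afs lacks ignore_root: root login depends on AFS/network")
    if auth[-1][1:3] != ("required", "pam_deny.so"):
        problems.append("auth stack does not end with 'required pam_deny.so'")
    return problems


def audit_su(entries):
    """Problems with an su stack: ignore_uid on the pam_afs auth line, no_unlog on its session line."""
    problems = []
    afs_auth = [e for e in entries if e[0] == "auth" and e[2] == AFS]
    afs_sess = [e for e in entries if e[0] == "session" and e[2] == AFS]
    if not afs_auth or "ignore_uid" not in afs_auth[0][3]:
        problems.append("su auth pam_afs line lacks ignore_uid: local accounts could obtain AFS tokens")
    if not afs_sess or "no_unlog" not in afs_sess[0][3]:
        problems.append("su session pam_afs line lacks no_unlog: the real user's token is dropped")
    return problems
```

Feed it the contents of the real /etc/pam.d/system-auth and /etc/pam.d/su after editing them; both audit functions returning empty lists means the files carry the options the explanations above depend on.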

</body>
</section>
</chapter>

</guide>
