<itemizedlist>
<listitem>
<para>
- <link linkend="KAS012">Enabling AFS Login on AIX Systems</link>
- </para>
- </listitem>
- <listitem>
- <para>
- <link linkend="KAS013">Enabling AFS Login on HP-UX Systems</link>
- </para>
- </listitem>
- <listitem>
- <para>
- <link linkend="KAS014">Enabling AFS Login on IRIX Systems</link>
- </para>
- </listitem>
- <listitem>
- <para>
<link linkend="KAS015">Enabling AFS Login on Linux Systems</link>
</para>
</listitem>
</itemizedlist>
</para>
</sect2>
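Review bot: this hunk leaves the itemizedlist with a single entry (the Linux link at linkend="KAS015"), so check that the sentence introducing the list still reads correctly for one item, and grep the rest of the book for linkend="KAS012", "KAS013" and "KAS014" before merging: those three sect2 targets are deleted in the hunk below, and any surviving cross-reference to them will fail to resolve at DocBook build time.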
- <sect2 id="KAS012">
- <title>Enabling kaserver based AFS login</title>
-
- <para>Now incorporate AFS into the AIX secondary authentication system.
- <orderedlist>
- <listitem>
- <para>Issue the <emphasis role="bold">ls</emphasis> command to
- verify that the <emphasis role="bold">afs_dynamic_auth</emphasis>
- and <emphasis role="bold">afs_dynamic_kerbauth</emphasis>
- programs are installed in the local
- <emphasis role="bold">/usr/vice/etc</emphasis> directory.
-<programlisting>
- # <emphasis role="bold">ls /usr/vice/etc</emphasis>
-</programlisting>
- </para>
-
- <para>If the files do not exist, unpack the
- OpenAFS Binary Distribution for AIX (if it is not already),
- change directory as indicated, and copy them.</para>
-
-<programlisting>
- # <emphasis role="bold">cd /tmp/afsdist/rs_aix42/dest/root.client/usr/vice/etc</emphasis>
- # <emphasis role="bold">cp -p afs_dynamic* /usr/vice/etc</emphasis>
-</programlisting>
- </listitem>
-
- <listitem>
- <para>Edit the local
- <emphasis role="bold">/etc/security/user</emphasis> file, making
- changes to the indicated stanzas:
- <itemizedlist>
- <listitem>
- <para>In the default stanza, set the
- <computeroutput>registry</computeroutput> attribute to
- <emphasis role="bold">DCE</emphasis> (not to
- <emphasis role="bold">AFS</emphasis>), as follows:
-<programlisting>
- registry = DCE
-</programlisting>
- </para>
- </listitem>
-
- <listitem>
- <para>In the default stanza, set the
- <computeroutput>SYSTEM</computeroutput> attribute as
- indicated.</para>
-
- <para>If the machine is an AFS client only, set the
- following value:</para>
-<programlisting>
- SYSTEM = "AFS OR (AFS[UNAVAIL] AND compat[SUCCESS])"
-</programlisting>
-
- <para>If the machine is both an AFS and a DCE client,
- set the following value (it must appear on a single line in
- the file):</para>
-<programlisting>
- SYSTEM = "DCE OR DCE[UNAVAIL] OR AFS OR (AFS[UNAVAIL] \
- AND compat[SUCCESS])"
-</programlisting>
- </listitem>
-
- <listitem>
- <para>In the <computeroutput>root</computeroutput>
- stanza, set the <computeroutput>registry</computeroutput>
- attribute as follows. It enables the local superuser
- <emphasis role="bold">root</emphasis> to log into the local
- file system only, based on the password listed in the
- local password file.
-<programlisting>
- root:
- registry = files
-</programlisting>
- </para>
- </listitem>
- </itemizedlist>
- </para>
- </listitem>
-
- <listitem>
- <para>Edit the local
- <emphasis role="bold">/etc/security/login.cfg</emphasis> file,
- creating or editing the indicated stanzas:
- <itemizedlist>
- <listitem>
- <para>In the <computeroutput>DCE</computeroutput> stanza,
- set the <computeroutput>program</computeroutput>
- attribute as follows.</para>
-
- <para>If you use the AFS Authentication Server
- (<emphasis role="bold">kaserver</emphasis> process):</para>
-<programlisting>
- DCE:
- program = /usr/vice/etc/afs_dynamic_auth
-</programlisting>
-
- <para>If you use a Kerberos v4 implementation of AFS
- authentication:</para>
-
-<programlisting>
- DCE:
- program = /usr/vice/etc/afs_dynamic_kerbauth
-</programlisting>
- </listitem>
-
- <listitem>
- <para>In the <computeroutput>AFS</computeroutput> stanza,
- set the <computeroutput>program</computeroutput>
- attribute as follows.</para>
-
- <para>If you use the AFS Authentication Server
- (<emphasis role="bold">kaserver</emphasis> process):</para>
-<programlisting>
- AFS:
- program = /usr/vice/etc/afs_dynamic_auth
-</programlisting>
-
- <para>If you use a Kerberos v4 implementation of AFS
- authentication:</para>
-<programlisting>
- AFS:
- program = /usr/vice/etc/afs_dynamic_kerbauth
-</programlisting>
- </listitem>
- </itemizedlist>
- </para>
- </listitem>
- <listitem>
- <para>Proceed to
- <link linkend="HDRWQ50">Starting the BOS Server</link>,
- if you are installing your first file server machine;
- <link linkend="HDRWQ108">Starting Server Programs</link>,
- if you are installing an additional file server machine; or
- <link linkend="HDRWQ145">Loading and Creating Client Files</link>
- if you are installating a client</para>
- </listitem>
- </orderedlist>
- </para>
- </sect2>
- <sect2 id="KAS013">
- <title>Enabling kaserver based AFS Login on HP-UX systems</title>
-
- <para>At this point you incorporate AFS into the operating system's
- Pluggable Authentication Module (PAM) scheme. PAM integrates all
- authentication mechanisms on the machine, including login, to provide
- the security infrastructure for authenticated access to and from the
- machine.</para>
-
- <para>Explaining PAM is beyond the scope of this document. It is
- assumed that you understand the syntax and meanings of settings in the
- PAM configuration file (for example, how the
- <computeroutput>other</computeroutput> entry works, the effect of
- marking an entry as <computeroutput>required</computeroutput>,
- <computeroutput>optional</computeroutput>, or
- <computeroutput>sufficient</computeroutput>, and so on).</para>
-
- <para>The following instructions explain how to alter the entries in
- the PAM configuration file for each service for which you
- wish to use AFS authentication. Other configurations possibly also
- work, but the instructions specify the recommended and
- tested configuration.</para>
-
- <note>
- <para>The instructions specify that you mark each entry as
- <computeroutput>optional</computeroutput>. However, marking some
- modules as optional can mean that they grant access to the
- corresponding service even when the user does not meet all of the
- module's requirements. In some operating system revisions, for
- example, if you mark as optional the module that controls
- login via a dial-up connection, it allows users to login without
- providing a password. See the <emphasis>OpenAFS Release
- Notes</emphasis> for a discussion of any limitations that apply to
- this operating system.</para>
-
- <para>Also, with some operating system versions you must install
- patches for PAM to interact correctly with certain
- authentication programs. For details, see the
- <emphasis>OpenAFS Release Notes</emphasis>.</para>
- </note>
-
- <para>The recommended AFS-related entries in the PAM configuration
- file make use of one or more of the following three
- attributes.
- <variablelist>
- <varlistentry>
- <term><emphasis role="bold"><computeroutput>try_first_pass</computeroutput></emphasis></term>
-
- <listitem>
- <para>This is a standard PAM attribute that can be included on
- entries after the first one for a service; it directs
- the module to use the password that was provided to the first
- module. For the AFS module, it means that AFS
- authentication succeeds if the password provided to the module
- listed first is the user's correct AFS password. For
- further discussion of this attribute and its alternatives, see
- the operating system's PAM documentation.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><emphasis role="bold"><computeroutput>ignore_root</computeroutput></emphasis></term>
-
- <listitem>
- <para>This attribute, specific to the AFS PAM module, directs it
- to ignore not only the local superuser <emphasis
- role="bold">root</emphasis>, but also any user with UID 0
- (zero).</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><emphasis role="bold"><computeroutput>setenv_password_expires</computeroutput></emphasis></term>
-
- <listitem>
- <para>This attribute, specific to the AFS PAM module, sets the
- environment variable PASSWORD_EXPIRES to the expiration
- date of the user's AFS password, which is recorded in the
- Authentication Database.</para>
- </listitem>
- </varlistentry>
- </variablelist>
- </para>
-
- <para>Perform the following steps to enable AFS login.
- <orderedlist>
- <listitem>
- <para>Unpack the OpenAFS Binary Distribution for HP-UX into the
- <emphasis role="bold">/tmp/afsdist</emphasis> directory, if it is
- not already.
- Then change directory as indicated.
-<programlisting>
- # <emphasis role="bold">cd /usr/lib/security</emphasis>
-</programlisting></para>
- </listitem>
-
- <listitem>
- <para>Copy the AFS authentication library file to the
- <emphasis role="bold">/usr/lib/security</emphasis> directory. Then
- create a symbolic link to it whose name does not mention the
- version. Omitting the version eliminates the need to edit
- the PAM configuration file if you later update the library
- file.</para>
-
- <para>If you use the AFS Authentication Server
- (<emphasis role="bold">kaserver</emphasis> process) in the cell:</para>
-
-<programlisting>
- # <emphasis role="bold">cp /tmp/afsdist/hp_ux110/dest/lib/pam_afs.so.1 .</emphasis>
- # <emphasis role="bold">ln -s pam_afs.so.1 pam_afs.so</emphasis>
-</programlisting>
-
- <para>If you use a Kerberos implementation of AFS authentication:</para>
-
-<programlisting>
- # <emphasis role="bold">cp /tmp/afsdist/hp_ux110/dest/lib/pam_afs.krb.so.1 .</emphasis>
- # <emphasis role="bold">ln -s pam_afs.krb.so.1 pam_afs.so</emphasis>
-</programlisting>
- </listitem>
-
- <listitem>
- <para>Edit the
- <computeroutput>Authentication management</computeroutput>
- section of the HP-UX PAM configuration file,
- <emphasis role="bold">/etc/pam.conf</emphasis> by convention. The
- entries in this section have the value
- <computeroutput>auth</computeroutput> in their second field.</para>
-
- <para>First edit the standard entries, which refer to the
- HP-UX PAM module (usually, the file <emphasis
- role="bold">/usr/lib/security/libpam_unix.1</emphasis>) in their
- fourth field. For each service for which you want to
- use AFS authentication, edit the third field of its entry to read
- <computeroutput>optional</computeroutput>. The
- <emphasis role="bold">pam.conf</emphasis> file in the HP-UX
- distribution usually includes standard entries for the
- <emphasis role="bold">login</emphasis> and
- <emphasis role="bold">ftp</emphasis> services, for instance.</para>
-
- <para>If there are services for which you want to use AFS
- authentication, but for which the <emphasis
- role="bold">pam.conf</emphasis> file does not already include a
- standard entry, you must create that entry and place the
- value <computeroutput>optional</computeroutput> in its third field.
- For instance, the HP-UX <emphasis role="bold">pam.conf</emphasis>
- file does not usually include standard entries for the <emphasis
- role="bold">remsh</emphasis> or
- <emphasis role="bold">telnet</emphasis> services.</para>
-
- <para>Then create an AFS-related entry for each service, placing it
- immediately below the standard entry. The following
- example shows what the
- <computeroutput>Authentication Management</computeroutput> section
- looks like after you have you
- edited or created entries for the services mentioned previously.
- Note that the example AFS entries appear on two lines
- only for legibility.</para>
-
-<programlisting>
- login auth optional /usr/lib/security/libpam_unix.1
- login auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root setenv_password_expires
- ftp auth optional /usr/lib/security/libpam_unix.1
- ftp auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root
- remsh auth optional /usr/lib/security/libpam_unix.1
- remsh auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root
- telnet auth optional /usr/lib/security/libpam_unix.1
- telnet auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root setenv_password_expires
-</programlisting>
- </listitem>
-
- <listitem>
- <para>If you use the Common Desktop Environment (CDE) on the
- machine and want users to obtain an AFS token as they log
- in, also add or edit the following four entries in the
- <computeroutput>Authentication management</computeroutput>
- section. Note that the AFS-related entries appear on two lines
- here only for legibility.
-<programlisting>
- dtlogin auth optional /usr/lib/security/libpam_unix.1
- dtlogin auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root
- dtaction auth optional /usr/lib/security/libpam_unix.1
- dtaction auth optional /usr/lib/security/pam_afs.so \
- try_first_pass ignore_root
-</programlisting></para>
- </listitem>
-
- <listitem>
- <para>Proceed to
- <link linkend="HDRWQ50">Starting the BOS Server</link> if you
- are installing your first file server;
- <link linkend="HDRWQ108">Starting Server Programs</link> if you
- are installing an additional file server machine; or
- <link linkend="HDRWQ145">Loading and Creating Client Files.</link>
- if you are installing a client.</para>
- </listitem>
- </orderedlist>
- </para>
- </sect2>
- <sect2 id="KAS014">
- <title>Enabling kaserver based AFS Login on IRIX Systems</title>
-
- <para>The standard IRIX command-line
- <emphasis role="bold">login</emphasis> program and the graphical
- <emphasis role="bold">xdm</emphasis> login program both automatically
- grant an AFS token when AFS is incorporated into the machine's
- kernel. However, some IRIX distributions use another login utility by
- default, and it does not necessarily incorporate the required AFS
- modifications. If that is the case, you must disable the default
- utility if you want AFS users to obtain AFS tokens at login. For
- further discussion, see the
- <emphasis>OpenAFS Release Notes</emphasis>.</para>
-
- <para>If you configure the machine to use an AFS-modified login
- utility, then the <emphasis role="bold">afsauthlib.so</emphasis> and
- <emphasis role="bold">afskauthlib.so</emphasis> files (included in the
- AFS distribution) must reside in the
- <emphasis role="bold">/usr/vice/etc</emphasis> directory. Issue the
- <emphasis role="bold">ls</emphasis> command to verify.</para>
-
-<programlisting>
- # <emphasis role="bold">ls /usr/vice/etc</emphasis>
-</programlisting>
-
- <para>If the files do not exist, unpack the OpenAFS Binary Distribution
- for IRIX (if it is not already), change directory as indicated, and copy
- them.</para>
-
-<programlisting>
- # <emphasis role="bold">cd /tmp/afsdist/sgi_65/dest/root.client/usr/vice/etc</emphasis>
- # <emphasis role="bold">cp -p *authlib* /usr/vice/etc</emphasis>
-</programlisting>
-
- <para>After taking any necessary action, proceed to
- <link linkend="HDRWQ50">Starting the BOS Server</link> if you
- are installing your first file server;
- <link linkend="HDRWQ108">Starting Server Programs</link> if you
- are installing an additional file server machine; or
- <link linkend="HDRWQ145">Loading and Creating Client Files</link>
- if you are installing a client.</para>
- </sect2>
<sect2 id="KAS015">
<title>Enabling kaserver based AFS Login on Linux Systems</title>
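Review bot: deleting the sect2 elements with id="KAS012", "KAS013" and "KAS014" removes link targets, so every remaining <link linkend=...> to them elsewhere in the document must be removed or repointed in the same change. Two pieces of the removed HP-UX text should be checked for a new home rather than silently dropped: the <note> warning that marking PAM entries as optional can let some modules grant access without a password on certain OS revisions is a security caveat that applies to any PAM-based AFS login, including the surviving Linux section, and the variablelist describing try_first_pass, ignore_root and setenv_password_expires is the only explanation of those attributes in this region; confirm KAS015 does not rely on either before deleting them.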