AFS+C2

From: Lucio Strizzolo <lucio.strizzolo_at_trieste.infn.it>
Date: Wed, 03 Mar 1999 15:49:36 +0100

Hi,
   I have some problems setting up a system (Digital Unix 4.0C) using
NIS (YP) + C2 (enhanced security) + AFS (Andrew file system).
The situation is a little messy, because some users of the system have
their own AFS accounts, with their own home directory that I need to
mount as their homedir on the system. They need to be authenticated
through AFS authentication. All the other users should be authenticated
through C2. All of the user accounts are registered through NIS.
Everything works fine for normal C2 users. People using AFS, however,
do not get authenticated at all.

Here's the situation:
# ls -la /etc/sia/matrix.conf
/etc/sia/matrix.conf -> AFS_matrix.conf

# cat /etc/sia/matrix.conf
siad_init=(AFS,/usr/shlib/libafssiad.so),(BSD,libc.so)
siad_chk_invoker=(AFS,/usr/shlib/libafssiad.so),(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_init=(AFS,/usr/shlib/libafssiad.so),(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_authent=(AFS,/usr/shlib/libafssiad.so),(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_estab=(AFS,/usr/shlib/libafssiad.so),(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_launch=(AFS,/usr/shlib/libafssiad.so),(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_suauthent=(AFS,/usr/shlib/libafssiad.so),(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_reauthent=(AFS,/usr/shlib/libafssiad.so),(OSFC2,/usr/shlib/libsecurity.so)
siad_chg_finger=(AFS,/usr/shlib/libafssiad.so),(OSFC2,/usr/shlib/libsecurity.so)
siad_chg_password=(AFS,/usr/shlib/libafssiad.so),(OSFC2,/usr/shlib/libsecurity.so)
siad_chg_shell=(AFS,/usr/shlib/libafssiad.so),(OSFC2,/usr/shlib/libsecurity.so)
siad_getpwent=(AFS,/usr/shlib/libafssiad.so),(BSD,libc.so)
siad_getpwuid=(AFS,/usr/shlib/libafssiad.so),(BSD,libc.so)
siad_getpwnam=(AFS,/usr/shlib/libafssiad.so),(BSD,libc.so)
siad_setpwent=(AFS,/usr/shlib/libafssiad.so),(BSD,libc.so)
siad_endpwent=(AFS,/usr/shlib/libafssiad.so),(BSD,libc.so)
siad_getgrent=(AFS,/usr/shlib/libafssiad.so),(BSD,libc.so)
siad_getgrgid=(AFS,/usr/shlib/libafssiad.so),(BSD,libc.so)
siad_getgrnam=(AFS,/usr/shlib/libafssiad.so),(BSD,libc.so)
siad_setgrent=(AFS,/usr/shlib/libafssiad.so),(BSD,libc.so)
siad_endgrent=(AFS,/usr/shlib/libafssiad.so),(BSD,libc.so)
siad_ses_release=(AFS,/usr/shlib/libafssiad.so),(OSFC2,/usr/shlib/libsecurity.so)
siad_chk_user=(AFS,/usr/shlib/libafssiad.so),(OSFC2,/usr/shlib/libsecurity.so)

# edauth -g -dd default
default:\
        :d_name=default:d_pw_expire_warning#3456000:d_pw_site_callout=/tcb/bin/pwpolicy:d_boot_authenticate@:\
        :d_secclass=c2:\
        :d_admin_preexpire_psw@:d_auto_migrate_users@:d_max_vacation_future#0:d_max_vacation_duration#0:\
        :d_accept_alternate_vouching:\
        :u_pwd=*:u_cmdpriv=boot,ping,printerstat,tape:u_syspriv=execsuid,chmodsugid:\
        :u_basepriv=execsuid,chmodsugid:\
        :u_minchg#0:u_minlen#6:u_maxlen#10:u_exp#15724800:\
        :u_life#31449600:u_pickpw:u_genpwd:u_restrict@:\
        :u_nullpw@:u_pwdepth#5:u_genchars:u_genletters:\
        :u_maxtries#5:u_lock:\
        :t_maxtries#10:t_logdelay#2:\
        :\
        ::d_audit_enable@:u_auditcntl#0:u_auditdisp=:u_unlockint#86400:t_unlockint#86400::chkent:

The UID and GID for C2 and for AFS are the same.

The user can log in to the system using the system (C2) password; then
he can klog and, supplying the AFS password, he can obtain the token and
all works fine.
But we need to have the authentication in a direct way!

When the user tries to log in with the AFS password, the
/var/adm/sialog file is updated like this:

SIA:AFS Wed Mar 3 14:45:01 1999
siad_ses_authent fails, code=536868016.

SIA:ERROR Wed Mar 3 14:45:01 1999
Failure to authenticate session for lucios on /dev/ttyp3
SIA:AFS Wed Mar 3 14:45:09 1999
siad_ses_authent fails, code=536868016.

SIA:ERROR Wed Mar 3 14:45:09 1999
Failure to authenticate session for lucios on /dev/ttyp3
SIA:ERROR Wed Mar 3 14:45:10 1999
Failure to authenticate session for (null) on /dev/ttyp3

And on standard output the user obtains:

Login incorrect


Wait for login retry ...

Login incorrect
login:


Any idea?
Thanks in advance.
                        Lucio
Received on Wed Mar 03 1999 - 14:52:40 NZDT
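
Added example, not part of the original post: a Python helper that parses the matrix.conf format and the sialog records shown above, then reports which mechanism logged each siad_* failure and which mechanisms are configured after it for that entry point. The sample data is constructed from lines in the post, the function names are hypothetical, and the error code is carried through as logged without interpretation.

```python
import re
from collections import Counter

# Constructed sample: two entries of the posted matrix.conf, three sialog records.
MATRIX = """\
siad_ses_authent=(AFS,/usr/shlib/libafssiad.so),(OSFC2,/usr/shlib/libsecurity.so)
siad_getpwnam=(AFS,/usr/shlib/libafssiad.so),(BSD,libc.so)
"""
SIALOG = """\
SIA:AFS Wed Mar 3 14:45:01 1999
siad_ses_authent fails, code=536868016.

SIA:ERROR Wed Mar 3 14:45:01 1999
Failure to authenticate session for lucios on /dev/ttyp3
SIA:AFS Wed Mar 3 14:45:09 1999
siad_ses_authent fails, code=536868016.
"""

HEADER = re.compile(r"^SIA:(\S+)\s+(.+)$")
FAILS = re.compile(r"^(siad_\w+) fails, code=(\d+)\.?$")

def parse_matrix(text):
    """Map each siad_* entry point to its ordered [(mechanism, library), ...]."""
    chains = {}
    for line in text.splitlines():
        entry, sep, rhs = line.strip().partition("=")
        if sep and entry.startswith("siad_"):
            chains[entry] = re.findall(r"\(([^,()\s]+),([^()\s]+)\)", rhs)
    return chains

def parse_sialog(text):
    """Yield (source, timestamp, message) for each 'SIA:<source> <date>' record."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    for head, body in zip(lines, lines[1:]):
        m = HEADER.match(head)
        if m and not HEADER.match(body):
            yield m.group(1), m.group(2), body

def triage(matrix_text, log_text):
    """Count mechanism-level failures and list the mechanisms configured after each."""
    chains = parse_matrix(matrix_text)
    report = Counter()
    for source, _, msg in parse_sialog(log_text):
        m = FAILS.match(msg)
        if m:
            mechs = [name for name, _ in chains.get(m.group(1), [])]
            after = tuple(mechs[mechs.index(source) + 1:]) if source in mechs else ()
            report[(source, m.group(1), int(m.group(2)), after)] += 1
    return dict(report)
```

Calling triage() on the real /etc/sia/matrix.conf and /var/adm/sialog contents gives one key per (mechanism, entry point, code, remaining mechanisms) with a count of how often it was logged.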
