AuthenticationScheme

1. Current Authentication Scheme

1.1. Name Switch Server

Groups and users (passwd) are resolved first from afs and then from files. This requires special trickery to ensure that openafs starts before even the firewall.

We chose libnss-afs because there isn't really any point in being able to query networked user and group information if openafs is not working, since anything needing that info is going to rely on openafs anyway. Which is to say basically everything.

1.2. PAM

Using the standard Debian squeeze PAM config framework, we have pam_krb5 and pam_afs_session enabled to permit Kerberos users to log in. On admin nodes, login.restrict is used to allow only admins access.
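The script below is an added example, not HCoop's own tooling. It audits the three points above against constructed copies of /etc/nsswitch.conf, the Debian pam.d common-auth/common-session fragments and an admin node's login.restrict: afs must be queried before files for passwd and group, pam_krb5 and pam_afs_session must be loaded on uncommented lines, and login.restrict, when present, must limit logins to the accounts it lists (absent file means no restriction). The pam.d file layout and the one-account-per-line format of login.restrict are assumptions; on a real node you would point the functions at the files under /etc instead of the fixtures.

```shell
#!/bin/sh
# Added audit helpers for the scheme described above (not HCoop's own scripts).
# All inputs are constructed fixtures so the script runs offline.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed nsswitch.conf: afs is queried before the local files.
cat > "$WORK/nsswitch.conf" <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:         afs files
group:          afs files
shadow:         files
hosts:          files dns
EOF

# Constructed misconfiguration: files before afs, which the check must reject.
cat > "$WORK/nsswitch-bad.conf" <<'EOF'
passwd:         files afs
group:          afs files
EOF

# Constructed Debian-style PAM fragments with pam_krb5 and pam_afs_session.
cat > "$WORK/common-auth" <<'EOF'
auth    [success=2 default=ignore]  pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
EOF
cat > "$WORK/common-session" <<'EOF'
session required   pam_unix.so
session optional   pam_krb5.so minimum_uid=1000
session optional   pam_afs_session.so
# session optional pam_afs_session.so   (a commented copy must not count)
EOF

# Constructed admin-node login.restrict (assumed format: one account per line).
printf 'alice\nbob\n' > "$WORK/login.restrict"

# nss_sources CONF DB: print the ordered source list for one NSS database.
nss_sources() {
    awk -v db="$2" '
        $0 !~ /^[[:space:]]*#/ && $1 == (db ":") {
            $1 = ""; sub(/^[[:space:]]+/, ""); print; exit
        }' "$1"
}

# check_nss_order CONF: succeed only if afs precedes files for passwd and group.
check_nss_order() {
    for db in passwd group; do
        order=$(nss_sources "$1" "$db")
        case "$order" in
            "afs files"*) ;;   # afs first, then files: the intended order
            *) echo "nsswitch: $db resolves via '$order', expected 'afs files'" >&2
               return 1 ;;
        esac
    done
}

# pam_has_module FILE MODULE: succeed if an uncommented line loads MODULE.so.
pam_has_module() {
    grep -Eq "^[[:space:]]*[a-z]+[[:space:]].*[[:space:]]$2\.so([[:space:]]|\$)" "$1"
}

# login_restrict_allows FILE USER: no file means every account may log in;
# with the file present, only the listed accounts are allowed.
login_restrict_allows() {
    [ -f "$1" ] || return 0
    grep -Fxq "$2" "$1"
}

# audit_node: run the checks on the fixtures and report the effective policy.
audit_node() {
    check_nss_order "$WORK/nsswitch.conf" &&
    pam_has_module "$WORK/common-auth" pam_krb5 &&
    pam_has_module "$WORK/common-session" pam_afs_session || return 1
    for u in alice mallory; do
        if login_restrict_allows "$WORK/login.restrict" "$u"; then
            echo "$u: login permitted"
        else
            echo "$u: login denied by login.restrict"
        fi
    done
}

audit_node
```

The NSS check looks at the source order rather than merely at the presence of afs, because a node with `passwd: files afs` would silently fall back to whatever stale local entries exist when openafs is down, which is exactly the situation the libnss-afs choice above is meant to avoid.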

2. Open Questions

Using libnss-afs is not without its disadvantages. We may want to use ldap again as the user directory for various reasons.

2.1. LDAP

Pros:

Cons:

2.2. AFS PTS Server

Pros:

Cons:

3. Old Authentication Scheme

This is how things are done on deleuze, mire, and hopper (hopper at least should be changed).

Regarding the exact authentication mechanism on HCoop: each machine is unconditionally configured in one of the following modes:

  1. No user logins are allowed
  2. User logins allowed, go through Kerberos and AFS
  3. User logins allowed, go through local Unix authentication, on local disk

All login configuration is done through PAM (/etc/pam.d/* files).

If the /etc/login.restrict file is present, it automatically limits logins to the accounts listed in the file.

Speaking of Kerberos login, it's useful to mention, and to remind ourselves of, the ~/.k5login feature (see the manpage). We don't rely on it anywhere, but as said, it is useful to know about.


CategorySystemAdministration

AuthenticationScheme (last edited 2013-01-11 08:39:38 by ClintonEbadi)