CVS Commit: FAC dist/commonz/usr/fac/etc by jhutz
Jeffrey Hutzelman
jhutz+ at minbar.fac.cs.cmu.edu
Wed Jan 25 18:11:01 EST 2017
Update of /afs/cs.cmu.edu/project/fac-cvs/dist/commonz/usr/fac/etc
In directory minbar.fac.cs.cmu.edu:/afs/cs.cmu.edu/project/fac-master/dist/commonz/usr/fac/etc
Modified Files:
krb5.conf.global
Log Message:
krb5.conf.global: add pam_krb5 alt_auth_map setting
This is the first step in moving this setting out of the PAM config file
to someplace where it can be edited on a per-machine basis. From the
commit for the original version of this change:
Use alt_auth_map so users with a .k5login file in their AFS homedir
do not need to grant system:anyuser rl to log in.
.k5login | system:anyuser | Error | Result
--------------------------------------------------------
None | none | EACCESS | krb5_kuserok fails
None | l | ENOENT | Come on in!
None | rl | ENOENT | Come on in!
Exists | none | EACCESS | krb5_kuserok fails
Exists | l | EACCESS | krb5_kuserok fails
Exists | rl | None | Based on .k5login contents
The alt_auth_map is checked *before* .k5login, so setting it to
%s allows the user in even if a .k5login exists but cannot be read.
More information about the Fac-source-change-log
mailing list