From: Andrew Deason Date: Fri, 15 Apr 2011 19:18:57 +0000 (-0500) Subject: doc: Add aklog_dynamic_auth manpage X-Git-Tag: upstream/1.6.1.pre1^2~73 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=9433b1b651ded596a897d81a4276e925dea3bb5e;p=packages%2Fo%2Fopenafs.git doc: Add aklog_dynamic_auth manpage Add a manpage for the aklog_dynamic_auth LAM module. Reviewed-on: http://gerrit.openafs.org/4485 Reviewed-by: Simon Wilkinson Reviewed-by: Derrick Brashear Tested-by: BuildBot (cherry picked from commit 24ddd06a0dc19ad7c0b2a2847d41a5ea69665b15) Change-Id: Ib5f7463b75ee8d58ecc6b725f629fd7600c64792 Reviewed-on: http://gerrit.openafs.org/6297 Reviewed-by: Derrick Brashear Tested-by: Derrick Brashear --- diff --git a/doc/man-pages/pod8/aklog_dynamic_auth.pod b/doc/man-pages/pod8/aklog_dynamic_auth.pod new file mode 100644 index 000000000..47358882b --- /dev/null +++ b/doc/man-pages/pod8/aklog_dynamic_auth.pod @@ -0,0 +1,104 @@ +=head1 NAME + +aklog_dynamic_auth - LAM module to obtain AFS tokens from Kerberos tickets + +=head1 SYNOPSIS + +=for html +
+ + K5AFS: + program = /usr/lib/security/aklog_dynamic_auth + options = authonly + +=for html +
+ +=head1 DESCRIPTION + +B is an AIX LAM (Loadable Authentication Modules) +module that can create new AFS sessions and acquire AFS tokens from +Kerberos 5 tickets. It is similar in function to the L program, +and various PAM modules such as L. + +B does not obtain any credentials on its own, nor does +it deal with passwords of any kind. You must have another way of obtaining +Kerberos 5 tickets before invoking B in order for it +to do anything useful. AIX comes with a B LAM module that can do +this. + +=head1 OPTIONS + +Beyond the normal LAM options, B understands the +following options. + +=over 4 + +=item B + +If this is specified, B will try to only utilize +UID-based PAGs. This means that when acquiring credentials, +B will not try to create a new PAG, and instead will +set tokens for the current UID. If the current UID is root, +B will look up the UID of the user we are +authenticating for, and will set tokens for that UID instead. + +Specifying this option is necessary for AFS tokens to be refreshed with +the CDE screen locking program, and possibly other LAM users. + +Note that if B is run from a context that has a real +PAG, it is impossible for it to set the tokens for a particular UID. If +B is set and this situation is detected, B +will log an error, but will attempt to continue and will just create a new +PAG, as if B were not set. + +=item B + +Normally, B will look up the AFS ID of the username +for which it is acquiring credentials by looking the in AFS Protection +Database. Specifying the B option instead causes +B to look up the relevant user via L, and +to use the returned UID for the AFS ID. + +This will only work correctly if the IDs of local users and their AFS IDs +in the AFS Protection Database are synchronized, and will only work for +users of the local cell. + +Specifying B makes B avoid calling AFS pt +routines, which can crash certain long-running daemons that call into LAM. 
+ +=back + +=head1 EXAMPLES + +The following example allows the user C to login with Kerberos 5 +credentials and obtain AFS tokens on success. If Kerberos 5 authentication +fails, we fall back to using local authentication. The +B options for B and B + +In C: + + KRB5: + program = /usr/lib/security/KRB5 + program_64 = /usr/lib/security/KRB5_64 + options = authonly,kadmind=no + + K5AFS: + program = /usr/lib/security/aklog_dynamic_auth + options = uidpag,localuid,authonly + +In C: + + userid: + SYSTEM = "(KRB5[SUCCESS] and K5AFS) OR compat" + +=head1 SEE ALSO + +L + +=head1 COPYRIGHT + +Copyright Sine Nomine Associates 2011 + +This documentation is covered by the BSD License as written in the +doc/LICENSE file. This man page was written by Andrew Deason for OpenAFS.
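Review bot: The EXAMPLES paragraph stops mid-sentence at "The B options for B and B", with no verb before the "In C:" line, so the reader never learns what the options in the two stanzas are meant to do; finish the sentence or drop it. In the localuid item, "by looking the in AFS Protection Database" should read "by looking in the AFS Protection Database". The same item says the option "will only work correctly if" local UIDs and AFS IDs are synchronized, but not what happens when they are not; one sentence on the result of a mismatch would tell an administrator what to check before enabling it. The uidpag item says the module "will log an error" and fall back to creating a new PAG when run from a real PAG; state where that error is logged so the fallback can be noticed. In the SYSTEM line the operators are written in mixed case ("and" next to "OR"); use one case for both.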