Integrating AFS Authentication with Local Login


The explicit klog step can be omitted if the system is configured to obtain AFS credentials as part of the standard login process. To do this, the usernames on your local system must match the usernames defined in the AFS user databases.

Typically a workstation would only define a subset of the names known to AFS, and the users still need to be listed in a local passwd file, although with no associated passwords. Some systems require a specially modified AFS-aware login program to perform authentication checks via the AFS/Kerberos servers, but Linux uses a flexible authentication framework known as PAM (Pluggable Authentication Modules) which makes it easy to add new authentication methods. 

  • As root, edit the following files in /etc/pam.d:
  • After the line:
auth sufficient /lib/security/$ISA/ likeauth nullok
  • insert the line:
auth sufficient /lib/security/ try_first_pass ignore_root set_token debug

This seems to be sufficient for console logins, sshd logins, and unlocking the screensaver

  • You can also edit
  • and insert as the first non-comment line:
auth sufficient ignore_uid 100 refresh_token

This will unlock the screen with the AFS password, and refresh the AFS token at the same time.

If you have set up a local password, you can use either that OR your AFS password to log in. You will have a token if you use AFS. You can delete your local password (lock the account) and use only AFS. The UIDs do not need to be in sync for this - only the usernames. The apparent file owners will look wrong though, unless UIDs are in sync too.

The root user never exists in AFS, and must always have a traditional local password.

If you have questions, please contact

Print Article


Article ID: 64615
Tue 10/9/18 12:17 PM
Tue 11/12/19 10:35 AM