As part of the effort to move to a unified user information and password system, effectively eliminating the need for multiple computer accounts (at least in terms of passwords), all Linux and UNIX systems are now using an LDAP/Kerberos scheme to authenticate using Windows accounts.
POSIX attributes (e.g. uid, gid, POSIX logon username) are currently manually imported by a script.
See NSS LDAP for details and configuration.
Microsoft Active Directory supports authentication using the Kerberos protocol. The Kerberos realm is LOCAL.TJHSST.EDU. For the system to authenticate to Kerberos, we use pam_krb5 (see below).
- CSL workstations currently use pam_krb5 from http://www.eyrie.org/~eagle/software/pam-krb5/.
- Solaris systems currently use pam_krb5 from the above website, but locally patched to properly implement use_authtok behavior and also to implement functionality for afs_tokens and afs_tokens_nopag options so AFS tokens can be handled in the PAM auth stack with pam_krb5 (see pam_afs2 below). This is useful to implement multi-realm auth as currently dtlogin does not appear to function with an AFS token-getting module placed in session, and xscreensaver also calls only the auth stack (so now tokens are refeshed upon screen unlock).
This module is no longer primarily used; its code was patched into the pam_krb5 used on Solaris (see above). It is still used in the sshd-gssapi PAM session stack on Solaris as the PAM auth stack is not processed if GSSAPI is used for SSH.
- PAM module that can set up a PAG and run a program to get AFS tokens. This module can run either in auth or session (we prefer auth so that things that don't process PAM-session like scp will also get tokens).