[29195] in Kerberos
Re: How to determine the authentication domain of a user ?
daemon@ATHENA.MIT.EDU (Edward Murrell)
Wed Feb 6 23:47:00 2008
From: Edward Murrell <edward@murrell.co.nz>
To: kerberos <kerberos@mit.edu>
In-Reply-To: <abe3dd8f0802062037r35e04f88w55f7382a09c7b426@mail.gmail.com>
Date: Thu, 07 Feb 2008 17:45:45 +1300
Message-Id: <1202359545.5836.10.camel@fusion>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
The log files should list which pam module someone used to. Once someone
has logged in though, the user is tracked as a UID, rather than a
particular domain user. There may be environment variables listed that
you could look at though, but certainly nothing like an API.
On Thu, 2008-02-07 at 10:07 +0530, Gaurab Paul wrote:
> Hi Ed,
>
> thank you.
>
> So, do you have any suggestions on how do we reliably know against
> which domain (local/NIS) a user has authenticated against while
> logging in ? If there is a POSIX API or portable API or even OS
> commands across major UNIX versions please let us know.
>
> Thanks,
>
> On Feb 7, 2008 9:57 AM, Edward Murrell <edward@murrell.co.nz> wrote:
> Hi,
>
> NSS doesn't configure the order of authentication, it does
> (among other
> things, the order of look up for user is in what group and
> owns what
> files (or more accurately, which UID/GIDs map to which
> user/groups).
>
> Authentication is performed by PAM. (see /etc/pam.d/).
> Authconfig is a
> Redhat utility which (if I recall correctly, I'm not at work
> right now)
> works modifies the files the /etc/nsswitch.conf
> and /etc/pam.d/system-auth-config, as well as any extra files
> that may
> be required by NSS and PAM. Under Redhat, most other pam.d
> systems use
> the system-auth-config file as well for authentication
>
> Hope that clears things up!
>
> Cheers,
> Edward
>
>
> On Wed, 2008-02-06 at 19:47 -0800, vasantha.prabhu wrote:
> > Hi,
> >
> > Suppose if there are two user accounts with the same name
> (vprabhu on
> > local (i.e. files) as well as NIS), then /etc/nsswitch.conf
> determines
> > which domain to authenticate against. However, depending on
> the OS
> > (for example authconfig settings in linux) can alter the
> nsswitch.conf
> > procedure.
> >
> > For example,
> >
> > cat /etc/nsswitch.conf|grep passwd
> > passwd: nis files
> >
> > then if vprabhu logs in it will be authenticated against
> NIS. However,
> > if authconfig settings are "Local authorization is
> sufficient" is ON,
> > it will authenticate against FILES.
> >
> > Now, given this situation, how do we reliably know against
> which
> > domain (local/NIS) a user has authenticated against while
> logging in ?
> > If there is a POSIX API or portable API or even OS commands
> across
> > major UNIX versions please let us know.
> >
> > Thanks
>
>
>
>
>
>
> --
> thanks and regards,
>
> Gaurab
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
