SULinux Faq-O-Matic : General Information : What are the various authentication methods?
There are two main authentication methods:

  1. Local passwords only (choose this by declining "AFS" passwords when asked).
  2. AFS (Kerberos) passwords.

Both are controlled via PAM. When installing SULinux, you'll be asked if you want to use AFS passwords. If you say yes, a line is inserted in /etc/pam.d/system-auth that gives the following logic for login:

  • Does the account name exist? If not, you will not be able to log in.
  • Is the login name "root"? If so, prompt only for the local password.
  • Otherwise, prompt for the "AFS Password", which is the Kerberos password for the given ID. The AFS module is "sufficient" in the PAM sense, so if this password is correct the person is logged in.
  • If the AFS password is wrong, prompt for the local password.

Note that if you duplicate a SUNet ID on your machine (i.e. create a local account with the same name), the owner of that SUNet ID will be able to log into your system with their AFS password alone.

This may not be what you want. If you only want to use local passwords, do not use the AFS auth mechanism. Suppose instead you want to allow all SUNet IDs to log in. You again use the PAM module, but also run "authconfig" and configure Hesiod support (just check it; the values should be filled in automatically). Hesiod acts as an addition to your /etc/passwd, mapping user names to home directories (AFS directories, mind you). Please see the Hesiod documentation in Red Hat for more information on how Hesiod works.

Another possibility is that you want local users to authenticate using *both* their local ID and their SUNet ID. To do this, you must edit the PAM configuration. I personally have not done this, but I believe all you should have to do is change the word "sufficient" for the PAM AFS module to "necessary". If you can confirm this, please email sulinux-help and let me know.
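To make the difference between the default login logic above and the "both passwords" variant concrete, here is an added example (not from the SULinux FAQ or its PAM configuration) that simulates Linux-PAM "auth" stack semantics over two constructed stacks. Linux-PAM spells the strict control flag `required` (alongside `requisite`, `sufficient` and `optional`); the module names pam_afs.so and pam_unix.so are assumed for illustration, since the FAQ does not name the modules it installs.

```python
# Added example: simulate Linux-PAM "auth" stack evaluation to compare
# the default SULinux stack (AFS "sufficient", local "required") with a
# stack where both modules are "required". Module names are assumed.

def parse_auth_stack(config_text):
    """Return [(control, module)] for the 'auth' lines of a pam.d-style file."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        facility, control, module = line.split()[:3]
        if facility == "auth":
            rules.append((control, module))
    return rules

def pam_auth(rules, module_results):
    """Evaluate an auth stack. module_results maps module -> True (check
    passed) or False (failed, e.g. wrong password). True means access granted."""
    required_failed = False
    any_success = False
    for control, module in rules:
        ok = module_results.get(module, False)
        if control == "requisite" and not ok:
            return False                      # abort the stack immediately
        if control == "required" and not ok:
            required_failed = True            # remembered, but keep running
        if ok and control in ("required", "requisite"):
            any_success = True                # "optional" is ignored here
        if control == "sufficient" and ok and not required_failed:
            return True                       # enough on its own: stop here
    return any_success and not required_failed

# Constructed stacks mirroring the FAQ's two schemes (comments are ignored).
DEFAULT_STACK = parse_auth_stack("""
auth sufficient pam_afs.so     # AFS (Kerberos) password
auth required   pam_unix.so    # local /etc/shadow password
""")
BOTH_STACK = parse_auth_stack("""
auth required   pam_afs.so
auth required   pam_unix.so
""")

def outcomes(rules):
    """Grant/deny for every combination of AFS and local password results."""
    return {(afs, local): pam_auth(rules, {"pam_afs.so": afs, "pam_unix.so": local})
            for afs in (True, False) for local in (True, False)}

if __name__ == "__main__":
    for name, stack in (("default", DEFAULT_STACK), ("both", BOTH_STACK)):
        for (afs, local), granted in outcomes(stack).items():
            print(f"{name:7} AFS={afs!s:5} local={local!s:5} -> {'grant' if granted else 'deny'}")
```

In the default stack a correct AFS password grants access without the local password ever being checked, and a wrong one silently falls back to the local password; with both modules `required`, both checks must pass.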

The last possibility is that you want Leland system cluster, Solaris-style auth, i.e. AFS passwords but reading .klogin to map user names to SUNet IDs. Notice the subtle difference. In the default scheme, the username in /etc/passwd maps directly and automatically to a SUNet ID for normal users. In this scheme, the username in /etc/passwd doesn't correspond to a SUNet ID, but any principal (SUNet ID) listed in the home directory's .klogin file can log in. To enable this, replace /bin/login with /etc/leland/login.krb. NOTE: login.krb doesn't work with MD5 shadow files, so please make sure you use the old-style "crypt()" passwords. Please make sure you know what you are doing, as you can mess up your system so that you can only log in in single-user mode until you fix it.

Important Update: Hesiod is no longer suggested. Rather, use LDAP instead. Instructions for setting up LDAP to accept all SUNet IDs are available at:
http://www.stanford.edu/services/directory/posix/redhatposix.html
This document is: http://sulinux.stanford.edu/cgi-bin/fom?file=9

This is a Faq-O-Matic 2.717.

Questions about SULinux (Read Docs/FAQ first!) should be addressed to: sulinux-help@stanford.edu
Site last modified: Wed Jul 2 14:43:00 PDT 2003