Overall System Status:
The explicit klog step can be omitted if the system is configured to obtain AFS credentials as part of the standard login process. To do this, the usernames on your local system must match the usernames defined in the AFS user databases.
Typically a workstation would only define a subset of the names known to AFS, and the users still need to be listed in a local passwd file, although with no associated passwords. Some systems require a specially modified AFS-aware login program to perform authentication checks via the AFS/Kerberos servers, but Linux uses a flexible authentication framework known as PAM (Pluggable Authentication Modules) which makes it easy to add new authentication methods.
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root set_token debug
This seems to be sufficient for console logins, sshd logins, and unlocking the screensaver
auth sufficient pam_afs.so ignore_uid 100 refresh_token
This will unlock the screen with the AFS password, and refresh the AFS token at the same time.
If you have set up a local password, you can use either that OR your AFS password to log in. You will have a token if you use AFS. You can delete your local password (lock the account) and use only AFS. The UIDs do not need to be in sync for this - only the usernames. The apparent file owners will look wrong though, unless UIDs are in sync too.
The root user never exists in AFS, and must always have a traditional local password.
Last Updated: 4/13/12