[OpenAFS] MacOSX with reliable AFS homedirs?
Everette Gray Allen
Everette_Allen@ncsu.edu
Fri, 04 Feb 2005 10:04:18 -0500
> Has anyone gotten Krb5, ldap, and AFS homedirs working reliably?
Yes I have had MacOS X with kerberos, openldap, and OpenAFS home dirs
working for 2 full semesters here at NC State. I have had kerberos,
OpenAFS Homes and some other kinds of directory service working for 2
years before that. We had hit and miss experiences with versions of the
MacOS before 10.3 and openafs before 1.2.11. You might make it work on
10.2.8 but I would suggest upgrading to 10.3.2+
>
> We've had to resort to setting up each individual users with a startup
> items script to run aklog.
Not sure this will really get the Finder in the PAG, but it might.
>
> I've tried the 'kfm_aklog' plugin, but it doesn't seem to work, and
> none of the apple login hook stuff seems to work.
We have been using a multi-cell modified version of aklog.loginLogout
the entire time. We modified some code we picked up from Stanford to do
multi cell "aklog" based on /var/db/openafs/etc/TheseCells.
I think the plug-in is now available from:
http://macosx.si.umich.edu/files/aklog_loginLogout.hqx
Our mod. is available from:
http://www.ncsu.edu/mac/downloads/multicellkfmaklog.dmg.zip
A good document to read is:
http://macosx.si.umich.edu/public/viewHowTo.php?HowToID=19#config
For ldap we use openldap with lots of schema but mostly inetOrg suite.
Basically we follow umich on this one with very min. custom mapping in
Directory Access.
Default Attribute Types are:
Record Name = uid
Users are:
Record Name = uid
Real Name = uid //privacy precaution
UniqueID = uidNumber
Primary Groupid = gidNumber
NFSHomeDir = homeDirectory
UserShell = loginShell
AuthenticationAuthority = #;basic; // also static map
This pretty much follows the Umich model from:
http://www-personal.umich.edu/~jhstew/umldapv3/
Directory Access is very, very picky about doing "live configuration"
changes. I have to disable ldap, hit apply, then remove the custom
authorization entry, change my ldap mappings, apply, add Authorization
back, and then make active and apply. Even with this I sometimes have to
reboot to get it to take.
Also, I assume you know that you have to add
login_logout_notification= "aklog"
to the [libdefaults] section in /Library/Preferences/edu.mit.kerberos
(If you have NAT clients you might also want to add
noaddresses = true )
And I assume that Kerberos is required for login in
/private/etc/authorization and that you actually require Kerberos for
login, not just get tickets as a side effect.
Our authorization file for 10.3 (which has changed from 10.2 Apple Docs)
has this:
-----
<key>system.login.console</key>
<dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>comment</key>
    <string>Login mechanism based rule. Not for
general use, yet.
builtin:krb5authenticate can be used to hinge local authentication on a
successful kerberos authentication and kdc verification.
builtin:krb5authnoverify skips the kdc verification. Both fall back on
local authentication.</string>
    <key>mechanisms</key>
    <array>
        <string>loginwindow_builtin:login</string>
        <string>builtin:krb5authnoverify</string>
        <string>loginwindow_builtin:success</string>
        <string>builtin:getuserinfo</string>
        <string>builtin:sso</string>
    </array>
</dict>
<key>system.login.done</key>
<dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>comment</key>
    <string>builtin:krb5login can be used to do
kerberos authentication as a side-effect of logging in. Local
username/password will be used.</string>
    <key>mechanisms</key>
    <array>
        <string>switch_to_user</string>
        <string>builtin:krb5login</string>
    </array>
</dict>
-----
>
> What is the equivalent of a linux PAM line like:
>
> session libpam-openafs-session.so debug
As for PAM in general, we don't use PAM with loginwindow, but for ssh we
do use pamkfm from Umich:
http://www.lsa.umich.edu/lsait/AdminTools/osx/software/
This of course depends on the login plug-in working.
>
> --
> --------------------------------------------------------------------------
> Troy Benjegerdes 'da hozer' hozer@hozed.org
I hope this is helpful.
--
Everette Gray Allen Systems Programmer II
ITD Computing Services Macintosh Support Specialist
2620 Hillsborough St, Campus Box 7109
Raleigh, NC 27695-7109
919-515-4558 Everette_Allen@ncsu.edu
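The reply above hinges on two settings being present at once: the aklog login/logout notification in the [libdefaults] section of /Library/Preferences/edu.mit.kerberos, and a Kerberos mechanism in the system.login.console right of /etc/authorization (builtin:krb5authenticate or builtin:krb5authnoverify, as opposed to builtin:krb5login in system.login.done, which only gets tickets as a side effect). The following Python script is an added example, not code from the post or from either university; it reads both files, reports which of the settings are missing, and flags krb5authnoverify because, as the quoted file's own comment says, it skips KDC verification. The two inputs are constructed samples built from the text of the post (the realm and KDC names are placeholders); the krb5.conf reader is a minimal one written for this example, and plistlib is Python's standard property-list parser.

```python
"""Added example (not from the post): verify the two 10.3 settings the post
depends on for AFS home directories and report which Kerberos login
mechanism the machine uses.  Both inputs are constructed samples."""
import plistlib
import re

# Constructed sample of edu.mit.kerberos (MIT krb5.conf syntax).
# EXAMPLE.EDU / kdc.example.edu are placeholders, not real names.
KERBEROS_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.EDU
    login_logout_notification = "aklog"
    # tickets without client addresses, for clients behind NAT
    noaddresses = true

[realms]
    EXAMPLE.EDU = {
        kdc = kdc.example.edu
    }
"""

# Constructed /etc/authorization holding the two rights quoted in the post.
AUTHORIZATION_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key><string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>loginwindow_builtin:login</string>
        <string>builtin:krb5authnoverify</string>
        <string>loginwindow_builtin:success</string>
        <string>builtin:getuserinfo</string>
        <string>builtin:sso</string>
      </array>
    </dict>
    <key>system.login.done</key>
    <dict>
      <key>class</key><string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>switch_to_user</string>
        <string>builtin:krb5login</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""

# Meaning of each Kerberos mechanism, taken from the comments in the quoted file.
KRB5_MECHANISMS = {
    "builtin:krb5authenticate": "Kerberos required for login, KDC verified",
    "builtin:krb5authnoverify": "Kerberos required for login, KDC verification skipped",
    "builtin:krb5login": "tickets only as a side effect of a local login",
}


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: top-level 'key = value' pairs per [section].
    Brace-delimited subsections (realm blocks) are skipped, not parsed."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header and depth == 0:
            current = sections.setdefault(header.group(1), {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif current is not None and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value.strip('"')
    return sections


def login_console_mechanism(plist_bytes):
    """Return the Kerberos mechanism listed in system.login.console, or None."""
    rights = plistlib.loads(plist_bytes)["rights"]
    for mech in rights["system.login.console"].get("mechanisms", []):
        if mech in KRB5_MECHANISMS:
            return mech
    return None


def check_afs_login(conf_text, plist_bytes):
    """Return a list of findings; an empty list means every setting is present."""
    findings = []
    libdefaults = parse_krb5_conf(conf_text).get("libdefaults", {})
    if libdefaults.get("login_logout_notification") != "aklog":
        findings.append('login_logout_notification is not "aklog": no AFS token at login')
    if libdefaults.get("noaddresses", "").lower() != "true":
        findings.append("noaddresses is not true: tickets carry client addresses (NAT clients)")
    mech = login_console_mechanism(plist_bytes)
    if mech is None:
        findings.append("system.login.console lists no Kerberos mechanism: login gets no tickets")
    elif mech != "builtin:krb5authenticate":
        findings.append(f"system.login.console uses {mech}: {KRB5_MECHANISMS[mech]}")
    return findings


if __name__ == "__main__":
    for finding in check_afs_login(KERBEROS_CONF, AUTHORIZATION_PLIST) or ["all settings present"]:
        print(finding)
```

Run against the constructed samples it reports a single finding, that the console right uses krb5authnoverify; replace the file contents with the real ones (read with `open(...).read()` and `open(..., "rb").read()`) to check a machine. The reader deliberately ignores realm blocks, since only [libdefaults] matters here.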