[OpenAFS-devel] Jaguar: Loginwindow - pam - getting there

Alexei Kosut akosut@stanford.edu
Wed, 9 Oct 2002 12:21:21 -0700


On Fri, Oct 04, 2002 at 04:17:51PM -0400, David Botsch wrote:
> 1. Not pag based.

True.  Others have commented (on port-darwin) about ways to possibly
get around this.  Personally, I'm not terribly concerned with using
PAGs on Mac OS X.  The cases that I care about are pretty much all
one-login-at-a-time machines with separate accounts for each "real"
user, so per-uid tokens work great.

> 2. kludgy - we're essentially already doing this for 10.1 . . sometimes 
> it works, sometimes it doesn't .. it seems to depend on which part of 
> the login completes first.

We haven't had any problems with the login authenticator we used for
Mac OS X 10.1, nor with the Kerberos plugin approach we've been
testing for 10.2.  Since the Kerberos plugin gets called when the
password needs to be verified (very early in the login process), and
does not return control to the login process until AFS tokens are
installed, I don't think it's possible for there to be timing issues.

It is possible (as Ragnar has pointed out) that Mac OS X expects to be
able to access the home directory as root, or in other ways that don't
work with per-uid AFS tokens.  But those would affect every login, and
in my tests I haven't noticed any such problems with Mac OS X 10.2.1.

> However, it looks like we will essentially end up doing this since 
> Apple has made it impossible to use the Power of Pam

Given how complex the Mac OS X login system appears to be, it would
not surprise me to find that even if loginwindow did support PAM, it
would be in a way that would not allow PAGs to be created to use
properly with AFS home directories.

AFS will probably only work 100% correctly with PAGs (or something
similar) on Mac OS X if Apple designs a mechanism with AFS explicitly
in mind.

-- 
Alexei Kosut <akosut@cs.stanford.edu> <http://rescomp.stanford.edu/~akosut/>