[OpenAFS-devel] aklog on MacOS X was Re: Service Ticket Questions

Henry B. Hotz hotz@jpl.nasa.gov
Tue, 4 Apr 2006 18:17:48 -0700


Most likely.

I wrote a loginLogout plugin myself that did nothing but syslog()
its inputs.  It crashes a large fraction of the time.  I filed a bug
on it.

Also I just got off the phone with an Apple DTS rep and he confirmed
that it's broken (and that Apple and MIT are aware of the problem).
Some kind of change in the environment it operates in.

Some other tidbits to pass on:

The "builtin:krb5login" mechanism for /etc/authorization is broken in
the same way that the example kerberos:login authorization services
plugin is broken.  (Look in
/Developer/Examples/Security/kerberosAuthplugin.)  I can provide the
5-line fix to anyone who wants it.  It would be easy to add a call to
an aklog()/krb5_afslog() routine in that plug-in to get AFS tokens on
login (but the loginLogout plug-in is the right solution).

It *should* be possible to set an authentication_authority value of
";Kerberosv5;" with Active Directory or LDAPv3 and get Kerberos
tickets on login.  However, a few little bits of context information
aren't set so it doesn't work.  It would be easy to insert another
plug-in mechanism to bridge the gap, once Apple tells me what context
bits are needed.

I assume neither of these would be of interest for 1.4.1.  After that
I sincerely hope that Apple will fix the loginLogout plugin interface
and at least the first one will be moot.

Am I the only one working the Authorization Services angle?

On Mar 31, 2006, at 9:01 AM, openafs-devel-request@openafs.org wrote:

> Cc: Jeffrey Altman <jaltman@secure-endpoints.com>
> From: Ragnar Sundblad <ragge@nada.kth.se>
> Date: Fri, 31 Mar 2006 00:43:25 +0200
> To: openafs-devel@openafs.org
> Subject: [OpenAFS-devel] aklog on MacOS X was Re: Service Ticket Questions
>
>
> On Wed, 22 Mar 2006 09:34:39 -0500, Jeffrey Altman <jaltman@secure-endpoints.com> wrote:
>
> ...
>
>> Today in order to minimize the interactions with end users, we desire
>> the ability to utilize single sign-on and automatic credential renewal
>> via the Kerberos Login Library plug-in.  (Unfortunately, this is not
>> working quite right on Tiger.)
>
> ...
>
> Oh, what is it with the KLL API that doesn't work on Tiger?
>
> I am working on updating my old afslog.loginLogout that is based on the
> MIT krbafs lib (<http://web.mit.edu/openafs/krbafs/>), which in turn is
> based on heimdal's kafs lib anno ~2000-2001 broken out in a portable way
> (portable meaning that it works with both MIT-krb and Heimdal and
> OpenAFS and Arla on most platforms).
>
> I think I have managed to update the krbafs lib to match ~heimdal 0.7.2++
> kafs, and the loginLogout works for getting tokens when ran from the
> command line with kinit.

I still see KerberosAgent crashes in the log files though, even when
it works otherwise.

> It doesn't work when I use it from LoginWindow though, it crashes
> LoginWindow (actually it crashes authorizationhost, but LoginWindow
> exits) so I get to the getty login. The funny thing is that even if I
> comment out the call to the kerberos stuff, meaning that the plugin is
> just a big noop, it still crashes. This is how far I have gotten on
> this until this afternoon.
>
> Is this what you meant above?

See top.

> If so, I should file a bug to apple instead of trying to understand
> what I am doing wrong.
>
> /ragge

----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu