[OpenAFS-devel] aklog on MacOS X was Re: Service Ticket Questions

Ragnar Sundblad ragge@nada.kth.se
Wed, 5 Apr 2006 12:22:30 +0200


On 5 apr 2006, at 03.17, Henry B. Hotz wrote:

> Most likely.
>
> I wrote a loginLogout plugin myself that did nothing but syslog()
> its inputs.  It crashes a large fraction of the time.  I filed a
> bug on it.

Yeah, I discovered that (finally!). Good that you filed a bug!
ASL, Apple System Logger, a syslog replacement, works though.

> Also I just got off the phone with an Apple DTS rep and he  
> confirmed that it's broken (and that Apple and MIT are aware of the  
> problem).  Some kind of change in the environment it operates in.
>
> Some other tidbits to pass on:
>
> The "builtin:krb5login" mechanism for /etc/authorization is broken
> in the same way that the example kerberos:login authorization
> services plugin is broken.  (Look in
> /Developer/Examples/Security/kerberosAuthplugin.)  I can provide the
> 5-line fix to anyone who wants it.  It would be easy to add a call to
> an aklog()/krb5_afslog() routine in that plug-in to get AFS tokens on
> login (but the loginLogout plug-in is the right solution).
>
> It *should* be possible to set an authentication_authority value of  
> ";Kerberosv5;" with Active Directory or LDAPv3 and get kerberos  
> tickets on login.  However a few little bits of context information  
> aren't set so it doesn't work.  It would be easy to insert another  
> plug-in mechanism to bridge the gap, once Apple tells me what  
> context bits are needed.
>
> I assume neither of these would be of interest for 1.4.1.  After  
> that I sincerely hope that Apple will fix the loginLogout plugin  
> interface and at least the first one will be moot.
>
> Am I the only one working the Authorization Services angle?

It depends on what you mean by that. :-)

I have now updated my plugin so that it works with Tiger, ppc and 386.
NOTE: It doesn't work with OpenAFS on Mac OS X _yet_ - that interface
obviously wasn't in the Heimdal I based it on. It works with Arla  
though.

It is based on the MIT krbafs lib that is based on the Heimdal kafs lib.
That krbafs lib hasn't been updated in a while though, so I have
updated it to mainly Heimdal 0.7.2 and some from HEAD.
The krbafs lib is fetched from MIT, patched with the updates and built
when you build the project with xcode.

As far as I can see it works fine in 10.4.6 with LoginWindow, the
screensaver, Kerberos.app and kinit.
There are issues with Kerberos and Fast user switching (has nothing to do
with this plugin) - don't use that for now!

I'd be happy if people would like to help me test and if someone could
point me to some code for how to insert tokens into the OpenAFS MOSX 1.4.1
client.

The current test version, which, as I said, can't yet put tokens in the
OpenAFS client, can be found here:
<file:///afs/nada.kth.se/home/staff/ragge/out/test/>
<ftp://ftp.nada.kth.se/pub/home/ragge/test/>

/ragge