[OpenAFS-devel] aklog on MacOS X was Re: Service Ticket Questions

Henry B. Hotz hotz@jpl.nasa.gov
Wed, 5 Apr 2006 14:03:22 -0700


On Apr 5, 2006, at 3:22 AM, Ragnar Sundblad wrote:

>
> On 5 apr 2006, at 03.17, Henry B. Hotz wrote:
>
>> Most likely.
>>
>> I wrote a loginLogout plugin myself that did nothing but syslog()  
>> its inputs.  It crashes a large fraction of the time.  I filed a  
>> bug on it.
>
> Yeah, I discovered that (finally!). Good that you filed a bug!
> ASL, Apple System Logger, a syslog replacement, works though.

Thanks for the tip.

>> Also I just got off the phone with an Apple DTS rep and he  
>> confirmed that it's broken (and that Apple and MIT are aware of  
>> the problem).  Some kind of change in the environment it operates in.
>>
>> Some other tidbits to pass on:
>>
>> The "builtin:krb5login" mechanism for /etc/authorization is broken  
>> in the same way that the example kerberos:login authorization  
>> services plugin is broken.  (Look in  
>> /Developer/Examples/Security/kerberosAuthplugin.)  I can provide  
>> the 5-line fix to anyone who wants it.  It would be easy to add a  
>> call to an aklog()/krb5_afslog() routine in that plug-in to get AFS  
>> tokens on login (but the loginLogout plug-in is the right solution).
>>
>> It *should* be possible to set an authentication_authority value  
>> of ";Kerberosv5;" with Active Directory or LDAPv3 and get kerberos  
>> tickets on login.  However a few little bits of context  
>> information aren't set so it doesn't work.  It would be easy to  
>> insert another plug-in mechanism to bridge the gap, once Apple  
>> tells me what context bits are needed.
>>
>> I assume neither of these would be of interest for 1.4.1.  After  
>> that I sincerely hope that Apple will fix the loginLogout plugin  
>> interface and at least the first one will be moot.
>>
>> Am I the only one working the Authorization Services angle?
>
> It depends on what you mean with that. :-)
>
> I have now updated my plugin so that it works with Tiger, ppc and 386.
> NOTE: It doesn't work with OpenAFS on Mac OS X _yet_ - that interface
> obviously wasn't in the Heimdal I based it on. It works with Arla  
> though.
>
> It is based on the MIT krbafs lib that is based on the Heimdal kafs  
> lib.
> That krbafs lib hasn't been updated in a while though, so I have
> updated it to mainly Heimdal 0.7.2 and some from HEAD.
> The krbafs lib is fetched from MIT, patched with the updates and built
> when you build the project with xcode.
>
> As far as I can see it works fine in 10.4.6 with LoginWindow, the  
> screensaver, Kerberos.app and kinit.
> There are issues with Kerberos and Fast user switching (has nothing  
> to do with this plugin) - don't use that for now!

Yes, I'm studying that as well.  It's easy to stick something in  
system.login.screensaver that works for a single user.  Not so easy  
to figure something that preserves all the admin override options.   
My DTS rep brought up the k-of-n key, but decided there were some  
issues he needed to think through before he made a recommendation.

/etc/authorization does not use a general purpose conditional  
language.  It's not even as flexible as PAM.  Excepting k-of-n, you  
have a list of top-level keys which are logically OR'ed.  One key may  
be evaluate-mechanisms, which runs a list of mechanisms (which may be  
plug-ins).  ALL mechanisms must pass (logical AND) or  
evaluate-mechanisms fails.  Plug-ins may deposit bits of "context"  
information for subsequent mechanisms to read.  There's no (easy or  
supported) way to find out what context information exists from  
inside a plug-in.

I haven't folded this in with Apple, yet, but if you use the "switch  
user" button from the screen saver it does exercise  
system.login.console, but the resulting Kerberos tickets don't get  
saved for the resulting user.  This is true if you are switching to  
yourself, anyway.

> I'd be happy if people would like to help me test and if someone could
> point me to some code for how to insert tokens into the OpenAFS  
> MOSX 1.4.1 client.

Look for posts from Jeffrey Hutzelman and at Russ Allbery's  
libkopenafs thread on this list over the last couple of weeks.

> The current test version, which, as I said, can't yet put tokens in the
> OpenAFS client, can be found here:
> <file:///afs/nada.kth.se/home/staff/ragge/out/test/>
> <ftp://ftp.nada.kth.se/pub/home/ragge/test/>
>
> /ragge
>
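As an added illustration of the /etc/authorization semantics discussed in this message (a simplified model written for this page, not code from the thread, from Apple, or from either plug-in project), the script below parses a constructed plist in the /etc/authorization layout and evaluates two right classes: a "user" right, whose top-level keys are OR'ed, and an "evaluate-mechanisms" right, whose mechanisms run in order, share a context dictionary, and must all pass. The right name example.login.nobridge, the mechanism example:set-principal and the context keys are hypothetical; only builtin:krb5login is named in the thread.

```python
import plistlib

# Constructed sample in the /etc/authorization plist layout (not a real system file); names other than builtin:krb5login are hypothetical.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>rights</key><dict>
 <key>system.login.console</key><dict><key>class</key><string>evaluate-mechanisms</string>
  <key>mechanisms</key><array><string>example:set-principal</string>
   <string>builtin:krb5login</string></array></dict>
 <key>example.login.nobridge</key><dict><key>class</key><string>evaluate-mechanisms</string>
  <key>mechanisms</key><array><string>builtin:krb5login</string></array></dict>
 <key>system.login.screensaver</key><dict><key>class</key><string>user</string>
  <key>group</key><string>admin</string><key>session-owner</key><true/></dict>
</dict></dict></plist>"""

def load_rights(data):
    """Parse the plist and return its 'rights' dictionary."""
    return plistlib.loads(data)["rights"]

# Toy mechanisms standing in for plug-ins: each reads the shared context,
# may deposit new context bits for later mechanisms, and returns pass/fail.
def mech_set_principal(ctx):
    ctx["kerberos-principal"] = ctx["username"] + "@EXAMPLE.COM"
    return True

def mech_krb5login(ctx):
    if "kerberos-principal" not in ctx:   # context bit a prior plug-in must supply
        return False
    ctx["kerberos-tickets"] = True
    return True

MECHANISMS = {"example:set-principal": mech_set_principal, "builtin:krb5login": mech_krb5login}

def evaluate(rights, name, ctx, groups=(), session_owner=None, is_root=False):
    """Return (granted, failing mechanism or None) for one right."""
    right = rights[name]
    if right["class"] == "user":
        # Top-level keys are alternatives (logical OR): any one satisfied grants it.
        ok = ((right.get("allow-root") and is_root)
              or (right.get("session-owner") and ctx["username"] == session_owner)
              or (right.get("group") in groups))
        return bool(ok), None
    if right["class"] == "evaluate-mechanisms":
        # Mechanisms run in order and ALL must pass (logical AND); first failure stops.
        for mech_name in right["mechanisms"]:
            mech = MECHANISMS.get(mech_name)
            if mech is None or not mech(ctx):
                return False, mech_name
        return True, None
    raise ValueError("unsupported class " + right["class"])
```

Running the nobridge right shows the failure mode the message describes: builtin:krb5login fails because no earlier mechanism supplied the context bit it needs, while the same mechanism passes once a bridging mechanism runs first.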