[OpenAFS-devel] aklog on MacOS X was Re: Service Ticket

Everette Allen Everette_Allen@ncsu.edu
Wed, 05 Apr 2006 18:44:44 -0400


> Most likely.
> 
> I wrote a loginLogout plugin myself that did nothing but syslog()  
> it's inputs.  It crashes a large fraction of the time.  I filed a bug  
> on it.
I got here as well, rebuilding the KLL plug-in we have as a universal binary.
> 
> Also I just got off the phone with an Apple DTS rep and he confirmed  
> that it's broken (and that Apple and MIT are aware of the problem).   
> Some kind of change in the environment it operates in.
Is this true for 10.3.6 as well?

> 
> Some other tidbits to pass on:
> 
> The "builtin:krb5login" mechanism for /etc/authorization is broken in  
> the same way that the example kerberos:login authorization services  
> plugin is broken.  (Look in /Developer/Examples/Security/ 
> kerberosAuthplugin.)  I can provide the 5-line fix to anyone who  
> wants it.  It would be easy to add a call to an aklog()/krb5_afslog()  
> routine in that plug-in to get AFS tokens on login (but the  
> loginLogout plug-in is the right solution).

So I would be interested in the fix.  Not sure I understand what you are 
saying... we can all get Kerberos tickets on login by editing 
/etc/authorization, so the binary shipping with 10.4.x is clearly not 
broken for Kerberos, at least for builtin:krb5authnoverify,privileged... 
It might be for loading KLL plug-ins, so are you saying the example is 
broken and the fix is for the example?
Is this example the actual code for the plug-in Apple ships?

> 
> It *should* be possible to set an authentication_authority value of  
> ";Kerberosv5;" with Active Directory or LDAPv3 and get kerberos  
> tickets on login.  However a few little bits of context information  
> aren't set so it doesn't work.  It would be easy to insert another  
> plug-in mechanism to bridge the gap, once Apple tells me what context  
> bits are needed.
So I am thinking that, in terms of overriding ldapv3, this is:
#;Kerberosv5;;$uid$;MY.REALM.DOM
(see: http://clc.its.psu.edu/Labs/Mac/resources/authdoc/ldapauthorization.aspx)
Or am I missing what you are asking?
> 
> I assume neither of these would be of interest for 1.4.1.  After that  
> I sincerely hope that Apple will fix the loginLogout plugin interface  
> and at least the first one will be moot.
> 
> Am I the only one working the Authorization Services angle?
I would be very interested in this for 1.4.1, and it seems that at least 
the folks who wrote the Kerberos plug-in think Authorization Services is 
the right angle to work on 
(https://lists.openafs.org/pipermail/openafs-devel/2006-March/013644.html), 
so I am looking to follow, since this seems like the most survivable way as we 
go to Leopard and get tokens in a security session that makes AFS homes 
and a functioning Finder possible.

On another note, I have been able to build a universal contextual menu 
plug-in which works with 1.4.1 for some fs examine, fs la/sa, and pts 
mem type functions.  This is based on some code from the MacLeland 
project at Stanford back when Alexei Kosut was working on the project. 
I have been using it with 10.3 and OpenAFS 1.2.11/13 for about 2 years 
by permission.  This is one of the functions I think was asked for 
earlier in this discussion.  Does anyone know if the license has changed 
on the MacLeland work, or if we could get this code out so folks could 
use it?
I would not be comfortable releasing it based on what I know now so 
please don't ask.

-- 
Everette Gray Allen		Systems Programmer II
ITD Computing Services	Macintosh Support Specialist
2620 Hillsborough St, Campus Box 7109
Raleigh, NC 27695-7109  AIM: EveretteAlln
919-515-4558		Everette_Allen@ncsu.edu