[OpenAFS-devel] aklog on MacOS X was Re: Service Ticket Questions
Henry B. Hotz
hotz@jpl.nasa.gov
Wed, 5 Apr 2006 16:04:47 -0700
On Apr 5, 2006, at 2:30 PM, Ragnar Sundblad wrote:
> On 5 apr 2006, at 23.03, Henry B. Hotz wrote:
>
>> Yes, I'm studying that as well. It's easy to stick something in
>> system.login.screensaver that works for a single user. Not so
>> easy to figure something that preserves all the admin override
>> options.
>
> What do you mean by preserving the admin override options?
> I just put "builtin:krb5authnoverify,privileged" on the right
> "system.login.console" and the rule "authenticate", and that does it
> for my needs. I think. Do you want something else?
You're finding relevant places the "authinternal" mechanism is
referenced and replacing them. Not unreasonable. Have you tried
removing the one authenticate rule to see if it matters? I don't see
that rule referenced anywhere inside the file (though invisible stuff
might reference it).
I'm looking at the rights that might be relevant:
system.login.console, system.login.done, and system.login.screensaver.
The last references rule authenticate-session-owner-or-admin, which has
three (I think this is the right grouping) ways to work: allow-root,
class user/group admin, and class user/session-owner. Ought to be able
to replace session-owner with something appropriate that also does
Kerberos. Of course maybe the right solution is to replace something
lower level. I'm waiting for Apple feedback on the subject.
I expect you understand the risks of using krb5:authnoverify. It's
great for testing though.
>> I haven't folded this in with Apple, yet, but if you use the
>> "switch user" button from the screen saver it does exercise
>> system.login.console, but the resulting Kerberos tickets don't get
>> saved for the resulting user.
>
> It does for me, actually. This seems to work for me. I wonder what the
> difference is.
>
>> This is true if you are switching to yourself, anyway.
>
> If I select another user from the user switching menu (yes, I have the
> "Show list of users" enabled, I have three user accounts on this
> machine :-), a tgt for the new user will be put in the prev user's
> ticket cache, and the principal name for that ticket cache will be set
> to the new user's. This really is broken and must be reported. If I go
> via selecting Login Window in the menu, it seems to work, so if you
> don't have "Show list of users" it might work.
That's a good test and pretty revealing. Please file a bug on it!
I've been testing against our production Kerberos so far, and I only
have one user account there.
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
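The edit the two of them are discussing, splicing "builtin:krb5authnoverify,privileged" into the mechanism list of system.login.console where "authinternal" runs, is shown below as an added example; it is not code from this thread or from OpenAFS or Apple. It reads a right in the plist form that `security authorizationdb read <right>` prints, inserts the Kerberos mechanism (by default in front of authinternal, so the local password check still runs; with replace=True it takes authinternal's place, which is what the thread describes), and prints the result for `security authorizationdb write`. The sample right, including its mechanism names other than authinternal and the Kerberos one, is constructed for the example and is not a copy of any real system's authorization database; on the 10.4-era systems in the thread the same rights live in /etc/authorization. The mechanism name is a reminder of the caveat Hotz raises: authnoverify obtains tickets for the user without verifying them against a host key, so a KDC that can be impersonated on the network can satisfy it.

```python
#!/usr/bin/env python3
"""Splice builtin:krb5authnoverify into an authorization right's mechanisms.

Intended use on the Mac (assumed workflow, not from the thread):
    security authorizationdb read system.login.console > console.plist
    python3 add_krb5_mech.py console.plist > console-krb5.plist
    sudo security authorizationdb write system.login.console < console-krb5.plist
"""
import plistlib
import sys

KRB5_MECH = "builtin:krb5authnoverify,privileged"   # named in the thread
LOCAL_MECH = "authinternal"                         # named in the thread

# Constructed sample of the shape `security authorizationdb read` returns.
# The surrounding mechanism names are illustrative, not a real system's list.
SAMPLE_RIGHT = {
    "class": "evaluate-mechanisms",
    "comment": "constructed sample right for the example",
    "mechanisms": [
        "builtin:auth-peer",
        "loginwindow_builtin:login",
        LOCAL_MECH,
        "builtin:getuserinfo,privileged",
    ],
}


def add_krb5_mechanism(right, replace=False):
    """Return a copy of `right` that runs the Kerberos mechanism where
    authinternal runs.  replace=False keeps authinternal after it (Kerberos
    ticket acquisition plus the local password check); replace=True drops
    authinternal.  Idempotent: a right that already lists the Kerberos
    mechanism is returned unchanged.  Raises ValueError for a right that is
    not mechanism-based or that does not reference authinternal at all,
    rather than silently writing back a right that would never run it."""
    if right.get("class") != "evaluate-mechanisms":
        raise ValueError("right class is %r, not evaluate-mechanisms"
                         % right.get("class"))
    mechs = list(right.get("mechanisms", []))
    if KRB5_MECH in mechs:
        return dict(right, mechanisms=mechs)
    if LOCAL_MECH not in mechs:
        raise ValueError("right does not reference %s" % LOCAL_MECH)
    idx = mechs.index(LOCAL_MECH)
    if replace:
        mechs[idx] = KRB5_MECH
    else:
        mechs.insert(idx, KRB5_MECH)
    return dict(right, mechanisms=mechs)


def rewrite_plist(data, replace=False):
    """Take the XML plist bytes of one right and return the rewritten bytes."""
    right = plistlib.loads(data)
    return plistlib.dumps(add_krb5_mechanism(right, replace=replace))


def main(argv):
    replace = "--replace" in argv
    paths = [a for a in argv[1:] if a != "--replace"]
    if paths:
        with open(paths[0], "rb") as f:
            data = f.read()
    else:
        data = sys.stdin.buffer.read()
    sys.stdout.buffer.write(rewrite_plist(data, replace=replace))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the output of `security authorizationdb read` rather than hand-editing, and diff the result before writing it back: the right is evaluated for every console login, and a malformed mechanism list locks the login window, so keep a second admin session or remote access open while testing.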