[OpenAFS-devel] aklog on MacOS X was Re: Service Ticket Questions
Ragnar Sundblad
ragge@nada.kth.se
Mon, 10 Apr 2006 04:20:08 +0200
The problem with Heimdal, and therefore the krbafs lib, and OpenAFS was/is
that Heimdal and Arla on Mac OS X 10.4/darwin 8 currently use different
defines for VIOC_SYSCALL_DEV. I hope this will get sorted out in the
future.

I have asked my local AFS experts (Arla developers) to take a look at
the problem.

Anyway, I made a workaround in the afslog plugin, so now it (seems to)
work with OpenAFS and Arla on ppc and i386.

As far as I can tell, it works fine in 10.4.6 with LoginWindow,
the screensaver, Kerberos.app and kinit.

The current test version can be found here:
<file:///afs/nada.kth.se/home/staff/ragge/out/test/>
<ftp://ftp.nada.kth.se/pub/home/ragge/test/>

/ragge

From the README:

/*
* afslog.loginLogout - 2006-04-10 Ragnar Sundblad, ragge@nada.kth.se
*
* A Kerberos plug-in that fetches AFS tokens for the user whenever
* Kerberos tickets are acquired.
*
* This version is for Mac OS X 10.4 (Tiger), PowerPC or Intel,
* and OpenAFS or Arla.
*
* It logs in /var/log/system.log using the Apple System Log facility
* (asl)
*
*
* INSTALLATION
*
* Install the plugin in /Library/Kerberos Plug-Ins/ and put the
* following row in your /Library/Preferences/edu.mit.Kerberos under
* the [libdefaults] tag:
* login_logout_notification = afslog
*
* You may also want to enable kerberized login, see:
* <http://docs.info.apple.com/article.html?artnum=107154>
* WARNING: In 10.4.6 and probably earlier, you should not use
* "Fast User Switching" and Kerberos login authentication.
* If you do, you may find tickets in places where they shouldn't be.
*
* 0.0.2b2 - This version only supports server based 524 (default) or
* kerberos 5 tokens. It does not (yet) support local 524/2b.
* [appdefaults]
* afs-use-524 = [ yes/true/1 = server-524 | no/anythingelse = krb5 tokens ]
*
* 0.0.2b2 - OpenAFS and Arla on Mac OS X 10.4 have different
* VIOC_SYSCALL_DEV defines. There is a workaround in this version to
* work with both.
* In the future they hopefully will get the same VIOC_SYSCALL_DEV,
* and then this plugin may have to be changed.
*
* BUILDING
*
* This plugin uses the MIT krbafs lib to do the main work.
* It currently uses 1.2 and patches it to match heimdal 0.7.2++
* The lib is fetched, patched and built when you build the xcode
* project.
* Information about the krbafs lib: <http://web.mit.edu/openafs/krbafs/>
*
*
* NOTES
*
* At console login time the plug-in is called as root so we must setuid
* to the user whose tickets we are finding.
* This means, among other things, that the user name must match the
* principal name. This might not be the case for all installations.
* This solution seems less than ideal.
*
* In 10.4, we cannot use syslog's openlog/syslog, since they seem to
* interfere with authorizationhost (used by LoginWindow via securityd)
* and KerberosAgent (the GUI for entering kerberos passwords.)
* ASL seems to work though.
*
*/
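
The README's note about running as root and switching to the ticket owner, as an added example (not code from the afslog plugin or the krbafs lib): map the principal to a local account strictly, then drop privileges in the order groups, gid, uid and verify that root cannot be regained. The function names, the 64-byte name buffer and the refusal to act for uid 0 are assumptions made for this sketch.

```c
#define _DEFAULT_SOURCE /* exposes initgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Map "user@REALM" to a local account name (hypothetical helper).
 * Rejects empty names, instances ("user/admin@REALM"), escaped
 * characters and names that do not fit, instead of guessing. */
int principal_to_local(const char *princ, char *out, size_t outlen)
{
    size_t n = strcspn(princ, "@/\\");
    if (n == 0 || n >= outlen || (princ[n] != '@' && princ[n] != '\0'))
        return -1;
    memcpy(out, princ, n);
    out[n] = '\0';
    return 0;
}

/* Permanently become pw (hypothetical helper). Meant to run in a
 * forked child so the root caller keeps its own identity. */
int drop_to_user(const struct passwd *pw)
{
    /* Supplementary groups first: only root may reset them. */
    if (geteuid() == 0 && initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    /* gid before uid; after setuid() we could no longer change gid. */
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    /* If root can be regained, the drop did not take effect. */
    if (pw->pw_uid != 0 && setuid(0) == 0)
        return -1;
    return (getuid() == pw->pw_uid && geteuid() == pw->pw_uid) ? 0 : -1;
}

/* Resolve the principal's local account and switch to it. */
int become_principal_owner(const char *princ)
{
    char name[64];
    struct passwd *pw;

    if (principal_to_local(princ, name, sizeof name) != 0)
        return -1;
    pw = getpwnam(name);
    if (pw == NULL || pw->pw_uid == 0) /* unknown user, or root: refuse */
        return -1;
    return drop_to_user(pw);
}
```
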