[OpenAFS-devel] OT: aklog on MacOS X was Re: Service Ticket Questions

Ragnar Sundblad ragge@nada.kth.se
Mon, 10 Apr 2006 12:19:39 +0200


This is Mac OS X specific and slightly off topic. Still, it might be of
interest to someone. If I am doing something wrong - please let me know.

------

On 6 apr 2006, at 01.04, Henry B. Hotz wrote:

> You're finding relevant places the "authinternal" mechanism is referenced and replacing them. Not unreasonable.

IIRC, it was just the only two relevant places to do it, so we tried and it did what we wanted.

> Have you tried removing the one authenticate rule to see if it matters? I don't see that rule referenced anywhere inside the file (though invisible stuff might reference it).

No, there are several implicit relationships in that file. I have filed a bug against the non-publicness of the hopefully existing documentation.

> I'm looking at the rights that might be relevant: system.login.console, system.login.done, and system.login.screensaver. The last references rule authenticate-session-owner-or-admin, which has three (I think this is the right grouping) ways to work: allow-root, class user/group admin, and class user/session-owner. Ought to be able to replace session-owner with something appropriate that also does Kerberos. Of course maybe the right solution is to replace something lower level. I'm waiting for Apple feedback on the subject.

We also wanted the small authenticate-me locks in, for example, the
System Preferences, the Installer and so on to work, so we want
Kerberos authentication everywhere. Therefore we just replaced the
base places which _seemed_ right.
Next step is also combining this with mobile accounts.

/ragge
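The thread turns on which rights in /etc/authorization end up evaluating the "authinternal" mechanism, directly or through rule references and the implicit relationships Ragnar mentions. The script below is an added example, not code from the thread or from OpenAFS or Apple. It parses a constructed miniature of the file (same top-level "rights"/"rules" dicts and the "class", "mechanisms", "rule", "group", "allow-root" and "session-owner" keys; it is not the real file), resolves each right down to its mechanisms, lists the literal places a mechanism is referenced, and rewrites them. Two things are assumptions: that a class=user entry prompts for credentials through the "authenticate" rule (modelled after the thread's remark about implicit relationships), and the replacement mechanism name "example:krb5-placeholder", which is a placeholder rather than any real Apple mechanism.

```python
"""Audit a Mac OS X /etc/authorization-style database for a mechanism.

Added example for the OpenAFS-devel thread; not Apple's file or code.
"""
import copy
import plistlib
from typing import Dict, List, Set

# Constructed sample in the real file's shape. Mechanism strings other than
# "authinternal" are illustrative; the file on a real system is much larger.
SAMPLE_AUTHORIZATION_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key><string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:auto-login,privileged</string>
        <string>authinternal</string>
        <string>loginwindow_builtin:success</string>
      </array>
    </dict>
    <key>system.login.screensaver</key>
    <dict>
      <key>class</key><string>rule</string>
      <key>rule</key><string>authenticate-session-owner-or-admin</string>
    </dict>
    <key>system.preferences</key>
    <dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
    </dict>
  </dict>
  <key>rules</key>
  <dict>
    <key>authenticate</key>
    <dict>
      <key>class</key><string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:authenticate</string>
        <string>authinternal</string>
      </array>
    </dict>
    <key>authenticate-session-owner-or-admin</key>
    <dict>
      <key>class</key><string>user</string>
      <key>allow-root</key><true/>
      <key>group</key><string>admin</string>
      <key>session-owner</key><true/>
    </dict>
  </dict>
</dict>
</plist>
"""

# Assumption: class=user entries collect credentials via this rule.
IMPLICIT_USER_RULE = "authenticate"


def load_db(data: bytes) -> Dict:
    return plistlib.loads(data)


def _entry(db: Dict, name: str):
    """Rule references resolve in 'rules' first, then 'rights'."""
    return db["rules"].get(name) or db["rights"].get(name)


def mechanisms_for(db: Dict, name: str, seen: Set[str] = frozenset()) -> List[str]:
    """Mechanisms a right evaluates, following rule references transitively."""
    if name in seen:            # guard against reference cycles
        return []
    entry = _entry(db, name)
    if entry is None:
        return []
    seen = seen | {name}
    cls = entry.get("class")
    if cls == "evaluate-mechanisms":
        return list(entry.get("mechanisms", []))
    if cls == "rule":
        refs = entry.get("rule", [])
        refs = [refs] if isinstance(refs, str) else refs
        return [m for r in refs for m in mechanisms_for(db, r, seen)]
    if cls == "user":           # implicit link, see assumption above
        return mechanisms_for(db, IMPLICIT_USER_RULE, seen)
    return []                   # class allow / deny: nothing is evaluated


def rights_using(db: Dict, mechanism: str) -> List[str]:
    """Rights that end up evaluating `mechanism`, directly or implicitly."""
    return sorted(r for r in db["rights"] if mechanism in mechanisms_for(db, r))


def direct_references(db: Dict, mechanism: str) -> List[str]:
    """The literal places (section/name) that list `mechanism`: what to edit."""
    return sorted(f"{sec}/{name}" for sec in ("rights", "rules")
                  for name, e in db[sec].items() if mechanism in e.get("mechanisms", []))


def replace_mechanism(db: Dict, old: str, new: str) -> Dict:
    """Copy of db with every literal occurrence of `old` swapped for `new`."""
    out = copy.deepcopy(db)
    for sec in ("rights", "rules"):
        for e in out[sec].values():
            if "mechanisms" in e:
                e["mechanisms"] = [new if m == old else m for m in e["mechanisms"]]
    return out


DB = load_db(SAMPLE_AUTHORIZATION_PLIST)

if __name__ == "__main__":
    print("literal references:", direct_references(DB, "authinternal"))
    print("rights affected:   ", rights_using(DB, "authinternal"))
    print("after replacement: ", rights_using(
        replace_mechanism(DB, "authinternal", "example:krb5-placeholder"),
        "example:krb5-placeholder"))
```

The point of resolving transitively is the one Henry raises: a rule may look unreferenced in the file yet still be reached implicitly, so editing only the two literal sites changes the behaviour of every right that resolves to them. Run the audit before and after editing a copy of the file, never the live one, and keep a backup you can restore from single-user mode.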