[OpenAFS] MacOSX with reliable AFS homedirs?

Troy Benjegerdes hozer@hozed.org
Thu, 3 Feb 2005 22:55:38 -0600


On Thu, Feb 03, 2005 at 10:35:44PM -0600, Ben Staffin wrote:
> * Troy Benjegerdes <hozer@hozed.org> [2005-02-03 22:31] wibbled:
> > On Thu, Feb 03, 2005 at 09:48:04PM -0600, Ben Staffin wrote:
> > > * Troy Benjegerdes <hozer@hozed.org> [2005-02-03 20:29] wibbled:
> > > > On Thu, Feb 03, 2005 at 08:22:44PM -0600, Tracy Di Marco White wrote:
> > > > > 
> > > > > In message <20050204021548.GT9768@kalmia.hozed.org>, Troy Benjegerdes writes:
> > > > > >Has anyone gotten Krb5, ldap, and AFS homedirs working reliably?
> > > > > 
> > > > > Have you looked at the ISU OS X documentation?
> > > > > http://tech.ait.iastate.edu/macosx/
> > > > > 
> > > > > I'm just using krb5 & AFS, no LDAP, but mine is mostly a single user
> > > > > machine.
> > > > 
> > > > Do you have an afs homedir, and how do you get tokens when you log in?
> > > 
> > > We use Nicholas Riley's aklog plugin to get tokens on login
> > > (http://www.acm.uiuc.edu/admin/afs/aklog-1.0.dmg).  It creates a
> > > /usr/local/bin/aklog, and a /Library/Kerberos Plug-Ins/aklog.loginLogout
> > > bundle.  I'm not sure how other sites handle this.
> > > 
> > 
> > That looks like the same kfm_aklog bundle. How do you debug this when it
> > doesn't work?
> > 
> > Do you have to reboot or something to get kfm_aklog to work? I would
> > expect a reasonable unix system to not require a reboot for something
> > like that.
> > 
> > Also, does this (or anything else) work with ssh logins?
> 
> Where did you acquire the other kfm_aklog bundle?  If ours is obsoleted,
> perhaps we should use that one.
> 
> I am not sure if this requires a reboot.  I wouldn't expect it to, but
> it wouldn't really surprise me if it did, either.  As with many things
> on OSX, I'm sure it doesn't literally require a reboot, but it may be
> easiest to just do that rather than tracking down exactly what needs to
> be kicked.
> 
> I assume you are able to get forwardable Kerberos tickets upon login?

http://akosut.com/software/

However, the license makes it completely useless for integration with
anything else.

I saw a message on krbdev from yesterday about this, so I'll bring this
up there. But this begs the question... who's responsible for
maintaining aklog type things.. the kerberos people, or the AFS people??
It seems nobody really wants to maintain it, and users wind up getting
screwed. 

If you use Debian or Redhat, it seems to work out just great, but try to
find a 'standard' aklog for windows or macosX, and every university
seems to have a minor variation on the same thing that's subtly broken
in a different way.