[OpenAFS] MacOSX with reliable AFS homedirs?

Ben Staffin staffin@uiuc.edu
Thu, 3 Feb 2005 23:10:15 -0600


* Troy Benjegerdes <hozer@hozed.org> [2005-02-03 22:56] wibbled:
> On Thu, Feb 03, 2005 at 10:35:44PM -0600, Ben Staffin wrote:
> > * Troy Benjegerdes <hozer@hozed.org> [2005-02-03 22:31] wibbled:
> > > On Thu, Feb 03, 2005 at 09:48:04PM -0600, Ben Staffin wrote:
> > > > * Troy Benjegerdes <hozer@hozed.org> [2005-02-03 20:29] wibbled:
> > > > > On Thu, Feb 03, 2005 at 08:22:44PM -0600, Tracy Di Marco White wrote:
> > > > > > 
> > > > > > In message <20050204021548.GT9768@kalmia.hozed.org>, Troy Benjegerdes writes:
> > > > > > >Has anyone gotten Krb5, ldap, and AFS homedirs working reliably?
> > > > > > 
> > > > > > Have you looked at the ISU OS X documentation?
> > > > > > http://tech.ait.iastate.edu/macosx/
> > > > > > 
> > > > > > I'm just using krb5 & AFS, no LDAP, but mine is mostly a single user
> > > > > > machine.
> > > > > 
> > > > > Do you have an afs homedir, and how do you get tokens when you log in?
> > > > 
> > > > We use Nicholas Riley's aklog plugin to get tokens on login
> > > > (http://www.acm.uiuc.edu/admin/afs/aklog-1.0.dmg).  It creates a
> > > > /usr/local/bin/aklog, and a /Library/Kerberos Plug-Ins/aklog.loginLogout
> > > > bundle.  I'm not sure how other sites handle this.
> > > > 
> > > 
> > > That looks like the same kfm_aklog bundle. How do you debug this when it
> > > doesn't work?
> > > 
> > > Do you have to reboot or something to get kfm_aklog to work? I would
> > > expect a reasonable unix system to not require a reboot for something
> > > like that.
> > > 
> > > Also, does this (or anything else) work with ssh logins?
> > 
> > Where did you acquire the other kfm_aklog bundle?  If ours is obsoleted,
> > perhaps we should use that one.
> > 
> > I am not sure if this requires a reboot.  I wouldn't expect it to, but
> > it wouldn't really surprise me if it did, either.  As with many things
> > on OSX, I'm sure it doesn't literally require a reboot, but it may be
> > easiest to just do that rather than tracking down exactly what needs to
> > be kicked.
> > 
> > I assume you are able to get forwardable Kerberos tickets upon login?
> 
> http://akosut.com/software/
> 
> However, the license makes it completely useless for integration with
> anything else.

Yeah, those both contain the same kfm_aklog.c developed by Alexei Kosut.
The license does look annoying, and incompatible with GPL, BSD, MIT,
etc.  I had not realised that until now.

> I saw a message on krbdev from yesterday about this, so I'll bring this
> up there. But this begs the question... who's responsible for
> maintaining aklog type things.. the kerberos people, or the AFS people??
> It seems nobody really wants to maintain it, and users wind up getting
> screwed. 

It seems to me that the AFS people are responsible for maintaining these
bits.  The problem ought to go away to a certain extent with the release
of OpenAFS 1.4, which will include native Kerberos 5 support.

> If you use Debian or Redhat, it seems to work out just great, but try to
> find a 'standard' aklog for windows or macosX, and every university
> seems to have a minor variation on the same thing that's subtly broken
> in a different way.

For windows, you ought to be using the 1.3.7x branch, which doesn't need
a 3rd-party aklog as it has native Krb5 support now.  Debian (and
presumably redhat) contain an aklog package which requires krb524d to be
running on the KDCs.  There do seem to be a thousand-and-one variations
on how to handle this stuff, but most of them are based on the same few
things: aklog, gssklog, klog.

- Ben

-- 
/--
| Ben Staffin
  perpetual nerd  |
                --/
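Troy asks above how to debug the aklog login plugin when it does not work. The check below is an added example, not code from this thread or from any of the aklog packages it mentions: it verifies the two things a working login must have left behind, a forwardable krbtgt in the credential cache and an AFS token for the cell. The parsers take command output as an argument so they can be exercised on the constructed samples included here; the sample text approximates MIT `klist -f` and OpenAFS `tokens` output and is an assumption, as is the cell name example.com.

```shell
#!/bin/sh
# Added example: sanity-check a login session for Kerberos + AFS credentials.
# The parsing functions take command output as $1/$2 so they run without a KDC
# or an AFS client; check_login_session runs the real commands when present.

# Return 0 if `klist -f` output shows a krbtgt ticket whose flag line contains
# F (forwardable). Assumes the MIT klist layout: the "Flags:" line follows the
# ticket line it describes.
has_forwardable_tgt() {
    printf '%s\n' "$1" | awk '
        /krbtgt\//        { tgt = 1; next }          # remember we just saw a TGT
        tgt && /Flags:/   { if ($2 ~ /F/) found = 1; tgt = 0 }
        END               { exit found ? 0 : 1 }'
}

# Return 0 if `tokens` output lists a token for afs@<cell>. $1 = cell, $2 = output.
has_afs_token() {
    printf '%s\n' "$2" | grep -qF "tokens for afs@$1 ["
}

# Run the live checks on this machine. Exit 2 if a tool is missing, 1 if a
# credential is missing, 0 if the session looks healthy.
check_login_session() {
    cell=$1
    status=0
    if ! command -v klist >/dev/null 2>&1; then
        echo "klist not found; is Kerberos installed?" >&2
        return 2
    fi
    if ! has_forwardable_tgt "$(klist -f 2>/dev/null)"; then
        echo "no forwardable krbtgt in the credential cache (kinit -f?)" >&2
        status=1
    fi
    if ! command -v tokens >/dev/null 2>&1; then
        echo "tokens not found; is the OpenAFS client installed?" >&2
        return 2
    fi
    if ! has_afs_token "$cell" "$(tokens 2>/dev/null)"; then
        echo "no AFS token for $cell (aklog did not run after kinit?)" >&2
        status=1
    fi
    return $status
}

# Constructed samples (not captured from a real machine).
SAMPLE_KLIST_OK='Ticket cache: FILE:/tmp/krb5cc_501
Default principal: jdoe@EXAMPLE.COM

Valid starting     Expires            Service principal
02/03/05 22:10:15  02/04/05 08:10:15  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FRIA'

SAMPLE_KLIST_NOFWD='Ticket cache: FILE:/tmp/krb5cc_501
Default principal: jdoe@EXAMPLE.COM

Valid starting     Expires            Service principal
02/03/05 22:10:15  02/04/05 08:10:15  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: RIA'

SAMPLE_TOKENS_OK="Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@example.com [Expires Feb  4 08:10]
   --End of list--"

SAMPLE_TOKENS_NONE="Tokens held by the Cache Manager:

   --End of list--"

# Exercise the parsers on the samples (safe under set -e: each call is an if test).
demo_on_samples() {
    if has_forwardable_tgt "$SAMPLE_KLIST_OK"; then echo "sample 1: forwardable TGT"; fi
    if ! has_forwardable_tgt "$SAMPLE_KLIST_NOFWD"; then echo "sample 2: TGT not forwardable"; fi
    if has_afs_token example.com "$SAMPLE_TOKENS_OK"; then echo "sample 3: token present"; fi
    if ! has_afs_token example.com "$SAMPLE_TOKENS_NONE"; then echo "sample 4: no token"; fi
}
demo_on_samples
```

To use it on a real login (console or ssh), source the file and run `check_login_session your.cell.name`; a missing token with a valid forwardable TGT points at the aklog step, while a non-forwardable TGT points at the Kerberos login configuration, which is the distinction the thread's debugging question turns on.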