[OpenAFS] pam-afs-session on OS X Lion

Dave Botsch botsch@cnf.cornell.edu
Tue, 20 Dec 2011 12:02:01 -0500


Is there an AFS auth plugin for Lion (presumably, something that is
referenced from /etc/authorization ?).

On Tue, Dec 20, 2011 at 12:11:32AM -0500, Derrick Brashear wrote:
> Why pam and not an auth plugin?
>
> not that pam is necessarily a bad idea.
>
> On Mon, Dec 19, 2011 at 3:51 PM, Dave Botsch <botsch@cnf.cornell.edu> wrote:
> > Just to clarify, at the moment, I'm not trying to make it work with ssh.
> > I'm working with loginwindow, which makes use of the
> > /etc/pam.d/authorization file.
> >
> > From my initial post, you'll see that pam-afs-session is indeed after
> > pam_krb5 . You'll also see that the pam-afs-session in the "session"
> > section never gets called (some oddity with loginwindow?).
> >
> > On Mon, Dec 19, 2011 at 12:49:42PM -0800, Russ Allbery wrote:
> >> Derrick Brashear <shadow@gmail.com> writes:
> >>
> >> > yeah, that's going to be the issue; the "answer" will either be that
> >> > afs_session needs to run after the krb5 module does whichever step
> >> > writes out the creds for real, or that it will have to learn how to raid
> >> > the temp kcm cache.
> >>
> >> The setcred step in pam_krb5 should do this, and pam_afs_session is always
> >> recommended to be run after pam_krb5 in auth for this reason. Maybe Mac
> >> OS X's native pam_krb5 doesn't write the ticket cache out until the
> >> session is created? If so, one fix may be to remove pam_afs_session from
> >> the auth stack entirely (although this will break with non-interactive
> >> ssh).
> >>
> >> --
> >> Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
> >>
> >
> > --
> > ********************************
> > David William Botsch
> > Programmer/Analyst
> > CNF Computing
> > botsch@cnf.cornell.edu
> > ********************************
>
> --
> Derrick
>

--
********************************
David William Botsch
Programmer/Analyst
CNF Computing
botsch@cnf.cornell.edu
********************************