[OpenAFS] pam-afs-session on OS X Lion

Derrick Brashear shadow@gmail.com
Tue, 20 Dec 2011 12:31:32 -0500


I hear AFS workshops are awesome. You should try one sometime.

/afs/your-file-system.com/user/shadow/MacOSTokensAtLogin-Lion.pdf

On Tue, Dec 20, 2011 at 12:02 PM, Dave Botsch <botsch@cnf.cornell.edu> wrote:
> Is there an AFS auth plugin for Lion (presumably, something that is
> referenced from /etc/authorization?).
>
> On Tue, Dec 20, 2011 at 12:11:32AM -0500, Derrick Brashear wrote:
>> Why pam and not an auth plugin?
>>
>> not that pam is necessarily a bad idea.
>>
>> On Mon, Dec 19, 2011 at 3:51 PM, Dave Botsch <botsch@cnf.cornell.edu> wrote:
>> > Just to clarify, at the moment, I'm not trying to make it work with ssh.
>> > I'm working with loginwindow, which makes use of the
>> > /etc/pam.d/authorization file.
>> >
>> > From my initial post, you'll see that pam-afs-session is indeed after
>> > pam_krb5. You'll also see that the pam-afs-session in the "session"
>> > section never gets called (some oddity with loginwindow?).
>> >
>> > On Mon, Dec 19, 2011 at 12:49:42PM -0800, Russ Allbery wrote:
>> >> Derrick Brashear <shadow@gmail.com> writes:
>> >>
>> >> > yeah, that's going to be the issue; the "answer" will either be that
>> >> > afs_session needs to run after the krb5 module does whichever step
>> >> > writes out the creds for real, or that it will have to learn how to raid
>> >> > the temp kcm cache.
>> >>
>> >> The setcred step in pam_krb5 should do this, and pam_afs_session is always
>> >> recommended to be run after pam_krb5 in auth for this reason.  Maybe Mac
>> >> OS X's native pam_krb5 doesn't write the ticket cache out until the
>> >> session is created?  If so, one fix may be to remove pam_afs_session from
>> >> the auth stack entirely (although this will break with non-interactive
>> >> ssh).
>> >>
>> >> --
>> >> Russ Allbery (rra@stanford.edu)              <http://www.eyrie.org/~eagle/>
>> >>
>> >
>> > --
>> > ********************************
>> > David William Botsch
>> > Programmer/Analyst
>> > CNF Computing
>> > botsch@cnf.cornell.edu
>> > ********************************
>> > _______________________________________________
>> > OpenAFS-info mailing list
>> > OpenAFS-info@openafs.org
>> > https://lists.openafs.org/mailman/listinfo/openafs-info
>>
>>
>>
>> --
>> Derrick
>>
>



--
Derrick
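To make the ordering Russ describes concrete, here is an illustrative PAM stack. It is an added example, not the thread's own configuration and not the real contents of Lion's /etc/pam.d/authorization; the module file names and control flags are assumptions.

```text
# Constructed illustration of a PAM stack for an AFS-enabled login.
# Auth phase: pam_krb5 obtains the Kerberos credentials and, in its
# setcred step, writes the ticket cache.  pam_afs_session is listed after
# it in the same phase so that it finds a usable cache and can obtain an
# AFS token.  Listing it first would run it before any cache exists.
auth       optional   pam_krb5.so
auth       optional   pam_afs_session.so

# Session phase: the same pair again.  If the platform's pam_krb5 only
# writes the cache out when the session is created (the suspicion raised
# in the thread), this is the call that actually yields a token.  Removing
# pam_afs_session from the auth stack above avoids the early call that
# finds no cache, but, as Russ notes, breaks non-interactive ssh.
session    optional   pam_krb5.so
session    optional   pam_afs_session.so
```

Whether the session phase runs at all for a given login path (the thread reports it not being reached under loginwindow) is the thing to verify before relying on the second pair.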