[OpenAFS] pam-afs-session on OS X Lion

Dave Botsch botsch@cnf.cornell.edu
Tue, 20 Dec 2011 14:59:17 -0500


So, just tried the method in there, using /etc/authorization.

Seems to mostly work... always gets tokens on login (though, still
seeing that weirdness where the kerberos ticket cache doesn't seem to
always get copied back over properly... bug in Heimdal, maybe?).

Tickets do refresh on unlocking the screensaver, but tokens do not:


        <key>authenticate</key>
        <dict>
            <key>class</key>
            <string>evaluate-mechanisms</string>
            <key>mechanisms</key>
            <array>
                <string>builtin:authenticate</string>
                <string>builtin:reset-password,privileged</string>
                <string>builtin:authenticate,privileged</string>
                <string>builtin:krb5authnoverify,privileged</string>
                <string>PKINITMechanism:auth,privileged</string>
                <string>aklog:cnf.cornell.edu,privileged</string>
            </array>
        </dict>

On Tue, Dec 20, 2011 at 12:31:32PM -0500, Derrick Brashear wrote:
> I hear AFS workshops are awesome. You should try one sometime.
>
> /afs/your-file-system.com/user/shadow/MacOSTokensAtLogin-Lion.pdf
>
> On Tue, Dec 20, 2011 at 12:02 PM, Dave Botsch <botsch@cnf.cornell.edu> wrote:
> > Is there an AFS auth plugin for Lion (presumably, something that is
> > referenced from /etc/authorization ?).
> >
> > On Tue, Dec 20, 2011 at 12:11:32AM -0500, Derrick Brashear wrote:
> >> Why pam and not an auth plugin?
> >>
> >> not that pam is necessarily a bad idea.
> >>
> >> On Mon, Dec 19, 2011 at 3:51 PM, Dave Botsch <botsch@cnf.cornell.edu> wrote:
> >> > Just to clarify, at the moment, I'm not trying to make it work with ssh.
> >> > I'm working with loginwindow, which makes use of the
> >> > /etc/pam.d/authorization file .
> >> >
> >> > From my initial post, you'll see that pam-afs-session is indeed after
> >> > pam_krb5 . You'll also see that the pam-afs-session in the "session"
> >> > section never gets called (some oddity with loginwindow?).
> >> >
> >> > On Mon, Dec 19, 2011 at 12:49:42PM -0800, Russ Allbery wrote:
> >> >> Derrick Brashear <shadow@gmail.com> writes:
> >> >>
> >> >> > yeah, that's going to be the issue; the "answer" will either be that
> >> >> > afs_session needs to run after the krb5 module does whichever step
> >> >> > writes out the creds for real, or that it will have to learn how to raid
> >> >> > the temp kcm cache.
> >> >>
> >> >> The setcred step in pam_krb5 should do this, and pam_afs_session is always
> >> >> recommended to be run after pam_krb5 in auth for this reason. Maybe Mac
> >> >> OS X's native pam_krb5 doesn't write the ticket cache out until the
> >> >> session is created? If so, one fix may be to remove pam_afs_session from
> >> >> the auth stack entirely (although this will break with non-interactive
> >> >> ssh).
> >> >>
> >> >> --
> >> >> Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
> >> >>
> >> >
> >> > --
> >> > ********************************
> >> > David William Botsch
> >> > Programmer/Analyst
> >> > CNF Computing
> >> > botsch@cnf.cornell.edu
> >> > ********************************
> >> > _______________________________________________
> >> > OpenAFS-info mailing list
> >> > OpenAFS-info@openafs.org
> >> > https://lists.openafs.org/mailman/listinfo/openafs-info
> >>
> >>
> >>
> >> --
> >> Derrick
> >>
> >
> > --
> > ********************************
> > David William Botsch
> > Programmer/Analyst
> > CNF Computing
> > botsch@cnf.cornell.edu
> > ********************************
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
>
>
>
> --
> Derrick
>

--
********************************
David William Botsch
Programmer/Analyst
CNF Computing
botsch@cnf.cornell.edu
********************************
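An added check for the situation described above (tokens at login but not at screensaver unlock); this is not code from the thread or from OpenAFS. It parses an /etc/authorization-style plist with the standard library and reports, per evaluate-mechanisms right, whether an aklog mechanism is present and runs after the Kerberos mechanism. The sample plist is constructed from the fragment in the post, and the screensaver right name is an assumption.

```python
import plistlib

# Constructed sample modelled on the post's fragment; the screensaver right name is an assumption.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>rights</key><dict>
  <key>authenticate</key>
  <dict>
    <key>class</key><string>evaluate-mechanisms</string>
    <key>mechanisms</key><array>
      <string>builtin:authenticate</string>
      <string>builtin:reset-password,privileged</string>
      <string>builtin:authenticate,privileged</string>
      <string>builtin:krb5authnoverify,privileged</string>
      <string>PKINITMechanism:auth,privileged</string>
      <string>aklog:cnf.cornell.edu,privileged</string>
    </array>
  </dict>
  <key>system.login.screensaver</key>
  <dict>
    <key>class</key><string>evaluate-mechanisms</string>
    <key>mechanisms</key><array>
      <string>builtin:authenticate</string>
      <string>builtin:krb5authnoverify,privileged</string>
    </array>
  </dict>
</dict></dict></plist>"""


def audit_aklog(plist_bytes, aklog_prefix="aklog:", krb5_marker="krb5"):
    """Map each evaluate-mechanisms right to 'ok', 'missing' or 'before-krb5'.
    'missing': no aklog mechanism runs for that right, so no token is obtained there.
    'before-krb5': aklog runs before the Kerberos mechanism, so there is no ticket to convert."""
    db = plistlib.loads(plist_bytes)
    results = {}
    for name, right in db.get("rights", {}).items():
        if right.get("class") != "evaluate-mechanisms":
            continue
        # Strip the ",privileged" flag so only the mechanism id is compared.
        mechs = [m.split(",")[0] for m in right.get("mechanisms", [])]
        aklog_at = [i for i, m in enumerate(mechs) if m.startswith(aklog_prefix)]
        krb5_at = [i for i, m in enumerate(mechs) if krb5_marker in m.lower()]
        if not aklog_at:
            results[name] = "missing"
        elif krb5_at and aklog_at[0] < krb5_at[-1]:
            results[name] = "before-krb5"
        else:
            results[name] = "ok"
    return results
```

Run it against a copy of the live file (`open("/etc/authorization", "rb").read()`) to see which rights will never get a token.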