[OpenAFS] pam-afs-session on OS X Lion

Derrick Brashear shadow@gmail.com
Tue, 20 Dec 2011 15:56:45 -0500


there's a second stanza the screensaver uses where you need to insert aklog.

ticket cache copying I assume is Apple's bug, since we don't move it about.

On Tue, Dec 20, 2011 at 2:59 PM, Dave Botsch <botsch@cnf.cornell.edu> wrote:
> So, just tried the method in there, using /etc/authorization.
>
> Seems to mostly work... always gets tokens on login (though, still
> seeing that weirdness where the kerberos ticket cache doesn't seem to
> always get copied back over properly... bug in Heimdal, maybe)?
>
> Tickets do refresh on unlocking the screensaver, but tokens do not:
>
>
>         <key>authenticate</key>
>         <dict>
>             <key>class</key>
>             <string>evaluate-mechanisms</string>
>             <key>mechanisms</key>
>             <array>
>                 <string>builtin:authenticate</string>
>                 <string>builtin:reset-password,privileged</string>
>                 <string>builtin:authenticate,privileged</string>
>                 <string>builtin:krb5authnoverify,privileged</string>
>                 <string>PKINITMechanism:auth,privileged</string>
>                 <string>aklog:cnf.cornell.edu,privileged</string>
>             </array>
>         </dict>
>
> On Tue, Dec 20, 2011 at 12:31:32PM -0500, Derrick Brashear wrote:
>> I hear AFS workshops are awesome. You should try one sometime.
>>
>> /afs/your-file-system.com/user/shadow/MacOSTokensAtLogin-Lion.pdf
>>
>> On Tue, Dec 20, 2011 at 12:02 PM, Dave Botsch <botsch@cnf.cornell.edu> wrote:
>> > Is there an AFS auth plugin for Lion (presumably, something that is
>> > referenced from /etc/authorization ?).
>> >
>> > On Tue, Dec 20, 2011 at 12:11:32AM -0500, Derrick Brashear wrote:
>> >> Why pam and not an auth plugin?
>> >>
>> >> not that pam is necessarily a bad idea.
>> >>
>> >> On Mon, Dec 19, 2011 at 3:51 PM, Dave Botsch <botsch@cnf.cornell.edu> wrote:
>> >> > Just to clarify, at the moment, I'm not trying to make it work with ssh.
>> >> > I'm working with loginwindow, which makes use of the
>> >> > /etc/pam.d/authorization file.
>> >> >
>> >> > From my initial post, you'll see that pam-afs-session is indeed after
>> >> > pam_krb5. You'll also see that the pam-afs-session in the "session"
>> >> > section never gets called (some oddity with loginwindow?).
>> >> >
>> >> > On Mon, Dec 19, 2011 at 12:49:42PM -0800, Russ Allbery wrote:
>> >> >> Derrick Brashear <shadow@gmail.com> writes:
>> >> >>
>> >> >> > yeah, that's going to be the issue; the "answer" will either be that
>> >> >> > afs_session needs to run after the krb5 module does whichever step
>> >> >> > writes out the creds for real, or that it will have to learn how to raid
>> >> >> > the temp kcm cache.
>> >> >>
>> >> >> The setcred step in pam_krb5 should do this, and pam_afs_session is always
>> >> >> recommended to be run after pam_krb5 in auth for this reason.  Maybe Mac
>> >> >> OS X's native pam_krb5 doesn't write the ticket cache out until the
>> >> >> session is created?  If so, one fix may be to remove pam_afs_session from
>> >> >> the auth stack entirely (although this will break with non-interactive
>> >> >> ssh).
>> >> >>
>> >> >> --
>> >> >> Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
>> >> >>
>> >> >
>> >> > --
>> >> > ********************************
>> >> > David William Botsch
>> >> > Programmer/Analyst
>> >> > CNF Computing
>> >> > botsch@cnf.cornell.edu
>> >> > ********************************
>> >> > _______________________________________________
>> >> > OpenAFS-info mailing list
>> >> > OpenAFS-info@openafs.org
>> >> > https://lists.openafs.org/mailman/listinfo/openafs-info
>> >>
>> >>
>> >>
>> >> --
>> >> Derrick
>> >>
>> >
>

-- 
Derrick
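An added audit script, not from the thread and not part of OpenAFS or Apple's tooling, that parses an /etc/authorization-style plist with plistlib and reports, for each right of interest, whether an aklog mechanism is present and listed after the krb5 mechanism, which is what the thread above says the login right and the screensaver stanza both need. The screensaver right name `system.login.screensaver` and the embedded sample plist are assumptions constructed for this example; on a real machine you would pass the bytes of the actual file.

```python
import plistlib

# Constructed sample in the shape of /etc/authorization on Lion: the
# "authenticate" right carries the aklog mechanism (as in the thread), while
# the screensaver right (assumed name: system.login.screensaver) does not.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>rights</key><dict>
  <key>authenticate</key><dict>
    <key>class</key><string>evaluate-mechanisms</string>
    <key>mechanisms</key><array>
      <string>builtin:authenticate</string>
      <string>builtin:reset-password,privileged</string>
      <string>builtin:authenticate,privileged</string>
      <string>builtin:krb5authnoverify,privileged</string>
      <string>PKINITMechanism:auth,privileged</string>
      <string>aklog:cnf.cornell.edu,privileged</string>
    </array></dict>
  <key>system.login.screensaver</key><dict>
    <key>class</key><string>evaluate-mechanisms</string>
    <key>mechanisms</key><array>
      <string>builtin:authenticate</string>
      <string>builtin:krb5authnoverify,privileged</string>
    </array></dict>
</dict></dict></plist>
"""


def audit_aklog(plist_bytes, rights=("authenticate", "system.login.screensaver")):
    """Map each right to 'ok', 'missing', 'before-krb5' or 'no-mechanisms'.

    'ok' means an aklog:<cell> mechanism is listed and comes after the last
    krb5 mechanism, so tokens are obtained once a ticket cache exists.
    """
    doc = plistlib.loads(plist_bytes)
    result = {}
    for right in rights:
        entry = doc.get("rights", {}).get(right, {})
        mechs = entry.get("mechanisms")
        if not mechs:
            result[right] = "no-mechanisms"
            continue
        aklog = [i for i, m in enumerate(mechs) if m.startswith("aklog:")]
        krb5 = [i for i, m in enumerate(mechs) if "krb5" in m]
        if not aklog:
            result[right] = "missing"
        elif krb5 and aklog[0] < krb5[-1]:
            result[right] = "before-krb5"
        else:
            result[right] = "ok"
    return result
```

Running it against the sample flags the screensaver right as "missing", which is the symptom in the thread: tickets refresh on unlock but tokens do not.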