[OpenAFS] pam-afs-session on OS X Lion

Dave Botsch botsch@cnf.cornell.edu
Tue, 20 Dec 2011 16:04:01 -0500 

Hmm...
system.login.screensaver is of class rule, not of class
evaluate-mechanisms like system.login.console and authenticate are... so
there are no "mechanisms" in there (maybe one can still add them?)

Makes me wonder, though, why the kerberos ticket renewal still works
there even though that's not specifically in the screensaver.


On Tue, Dec 20, 2011 at 03:56:45PM -0500, Derrick Brashear wrote:
> there's a second stanza the screensaver uses where you need to insert a=
klog.
>=20
> ticket cache copying i assume is apple's bug, since we don't move it ab=
out.
>=20
> On Tue, Dec 20, 2011 at 2:59 PM, Dave Botsch <botsch@cnf.cornell.edu> w=
rote:
> > So, just tried the method in there, using /etc/authorization.
> >
> > Seems to mostly work... always gets tokens on login (though, still
> > seeing that weirdness where the kerberos ticket cache doesn't seem to
> > always get copied back over properly... bug in Heimdal, maybe)?
> >
> > Tickets do refresh on unlocking the screensaver, but tokens do not:
> >
> >
> > =A0 =A0 =A0 =A0<key>authenticate</key>
> > =A0 =A0 =A0 =A0<dict>
> > =A0 =A0 =A0 =A0 =A0 =A0<key>class</key>
> > =A0 =A0 =A0 =A0 =A0 =A0<string>evaluate-mechanisms</string>
> > =A0 =A0 =A0 =A0 =A0 =A0<key>mechanisms</key>
> > =A0 =A0 =A0 =A0 =A0 =A0<array>
> > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0<string>builtin:authenticate</string>
> > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0<string>builtin:reset-password,privile=
ged</string>
> > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0<string>builtin:authenticate,privilege=
d</string>
> > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0<string>builtin:krb5authnoverify,privi=
leged</string>
> > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0<string>PKINITMechanism:auth,privilege=
d</string>
> > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0<string>aklog:cnf.cornell.edu,privileg=
ed</string>
> > =A0 =A0 =A0 =A0 =A0 =A0</array>
> > =A0 =A0 =A0 =A0</dict>
> >
> > On Tue, Dec 20, 2011 at 12:31:32PM -0500, Derrick Brashear wrote:
> >> I hear AFS workshops are awesome. You should try one sometime.
> >>
> >> /afs/your-file-system.com/user/shadow/MacOSTokensAtLogin-Lion.pdf
> >>
> >> On Tue, Dec 20, 2011 at 12:02 PM, Dave Botsch <botsch@cnf.cornell.ed=
u> wrote:
> >> > Is there an AFS auth plugin for Lion (presumably, something that i=
s
> >> > referenced from /etc/authorization ?).
> >> >
> >> > On Tue, Dec 20, 2011 at 12:11:32AM -0500, Derrick Brashear wrote:
> >> >> Why pam and not an auth plugin?
> >> >>
> >> >> not that pam is necessarily a bad idea.
> >> >>
> >> >> On Mon, Dec 19, 2011 at 3:51 PM, Dave Botsch <botsch@cnf.cornell.=
edu> wrote:
> >> >> > Just to clarify, at the moment, I'm not trying to make it work =
with ssh.
> >> >> > I'm working with loginwindow, which makes use of the
> >> >> > /etc/pam.d/authorization file .
> >> >> >
> >> >> > From my initial post, you'll see that pam-afs-session is indeed=
 after
> >> >> > pam_krb5 . You'll also see that the pam-afs-session in the "ses=
sion"
> >> >> > section never gets called (some oddity with loginwindow?).
> >> >> >
> >> >> > On Mon, Dec 19, 2011 at 12:49:42PM -0800, Russ Allbery wrote:
> >> >> >> Derrick Brashear <shadow@gmail.com> writes:
> >> >> >>
> >> >> >> > yeah, that's going to be the issue; the "answer" will either=
 be that
> >> >> >> > afs_session needs to run after the krb5 module does whicheve=
r step
> >> >> >> > writes out the creds for real, or that it will have to learn=
 how to raid
> >> >> >> > the temp kcm cache.
> >> >> >>
> >> >> >> The setcred step in pam_krb5 should do this, and pam_afs_sessi=
on is always
> >> >> >> recommended to be run after pam_krb5 in auth for this reason. =
=A0Maybe Mac
> >> >> >> OS X's native pam_krb5 doesn't write the ticket cache out unti=
l the
> >> >> >> session is created? =A0If so, one fix may be to remove pam_afs=
_session from
> >> >> >> the auth stack entirely (although this will break with non-int=
eractive
> >> >> >> ssh).
> >> >> >>
> >> >> >> --
> >> >> >> Russ Allbery (rra@stanford.edu) =A0 =A0 =A0 =A0 =A0 =A0 <http:=
//www.eyrie.org/~eagle/>
> >> >> >>
> >> >> >
> >> >> > --
> >> >> > ********************************
> >> >> > David William Botsch
> >> >> > Programmer/Analyst
> >> >> > CNF Computing
> >> >> > botsch@cnf.cornell.edu
> >> >> > ********************************
> >> >> > _______________________________________________
> >> >> > OpenAFS-info mailing list
> >> >> > OpenAFS-info@openafs.org
> >> >> > https://lists.openafs.org/mailman/listinfo/openafs-info
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Derrick
> >> >>
> >> >
> >> > --
> >> > ********************************
> >> > David William Botsch
> >> > Programmer/Analyst
> >> > CNF Computing
> >> > botsch@cnf.cornell.edu
> >> > ********************************
> >> > _______________________________________________
> >> > OpenAFS-info mailing list
> >> > OpenAFS-info@openafs.org
> >> > https://lists.openafs.org/mailman/listinfo/openafs-info
> >>
> >>
> >>
> >> --
> >> Derrick
> >>
> >
> > --
> > ********************************
> > David William Botsch
> > Programmer/Analyst
> > CNF Computing
> > botsch@cnf.cornell.edu
> > ********************************
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
>=20
>=20
>=20
> --=20
> Derrick
>=20

--=20
********************************
David William Botsch
Programmer/Analyst
CNF Computing
botsch@cnf.cornell.edu
********************************