[OpenAFS] Aklog at login in MacOS 10.8

Steve Gaarder gaarder1@math.cornell.edu
Wed, 14 Nov 2012 15:59:58 -0500 (EST) 

I finally figured out how to set up MacOS Mountain Lion so that all users 
get an automatic kinit and aklog at login, and thus can have home 
directories in AFS.  AFSBackgrounder doesn't do the job because it has to 
be configured for each user, and needs access to the home directories 
before it gets the token.

I got Kerberos to get a usable ticket by properly configuring 
/Library/Preferences/edu.mit.Kerberos and modifying 
/etc/pam.d/authorization so that the first non-comment line looks like:

auth       sufficient     pam_krb5.so use_first_pass default_principal

This creates a credential cache, and gives it a random name, but does not 
put that name in the environment.  So I wrote a Perl script that looks in 
/tmp for the most recent CC file for the user, puts that path into the 
environment, and runs aklog.  I put a plist file in /Library/LaunchAgents 
to run it.  The source for those is at the end of this message.

We use LDAP for authorization, set up through the directory utility. Since 
we use plain unauthenticated LDAP, we needed to disable fancy 
authentication as shown here:

http://blog.smalleycreative.com/administration/fixing-openldap-authentication-on-os-x-lion/

Hope this proves useful for others.

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaarder@math.cornell.edu

---------Perl Script /usr/local/sbin/afsaklog.pl------------

#!/usr/bin/perl

$me = $ENV{'LOGNAME'};
chdir "/tmp";

$thetime = 0;
$thefile = "";
$myuid = getpwnam($me);

while (<krb5cc*>) {

($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,$ctime,$blksize,$blocks) = stat($_);
     if (($uid == $myuid) && ($thetime < $mtime)) {
 	$thetime = $mtime;
 	$thefile = $_;
     }
}
if ($thefile ne "") {
     $ENV{'KRB5CCNAME'} = "/tmp/$thefile";
     system("aklog");
}

--------/Library/LaunchAgents/edu.cornell.math.loginhook.plist--------

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>edu.cornell.math.loginhook</string>
    <key>Program</key>
    <string>/usr/local/sbin/afsaklog.pl</string>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>