[OpenAFS] OpenAFS access at login time on MacOS

Richard Feltstykket richard@unixboxen.net
Thu, 11 May 2023 10:20:48 +0000

Hello Everyone,

Perhaps it is widely known already, but I just wanted to share a process that I have worked out to get a kerberos ticket and an afs token at login time on MacOS.  It seems to work fine for MacOS Ventura and Monterey;  I have not tested on other versions.

1) copy a valid krb5.conf file for your realm to /etc/krb5.conf

2) install the Auristor client which is found here:

3) Make sure to allow the Auristor system extension in the security and privacy settings. This will require a reboot of the system.  For all of the systems I have tried it on, you will see a message with something like "rebuilding the extension cache".

4) After the reboot make sure that you can successfully kinit and get a ticket, followed by aklog to get a token.

5) create a user (I always make it an admin) with the same name as your kerberos principal.

6) log into the machine and issue kinit --keychain principal_name .  This stores your password in the keychain, after this, you will get your ticket on login time.

7) in the Auristor preferences, check the boxes:
  	Use aklog
	Get credential at login time.

8) reboot the computer.  Upon login I get prompted for my username and password twice usually.  My cell takes FOREVER to log in for some reason, but after aklog completes in the background, I have a token and can access volumes in the cell.

There is a program in the app store called 'kerberos ticket autorewnewal'.  I have installed it but haven't confirmed its operation.