[OpenAFS-port-darwin] AFS and pam-krb5 for OSX, summary
Henry B. Hotz
hotz@jpl.nasa.gov
Fri, 8 Nov 2002 13:20:42 -0800
Please do not reply to all the lists on this email. In particular I
want to move further discussion off of openafs-info.
CURRENTLY WORKING STUFF
OpenAFS 1.2.7 works on OSX.2 providing the usual unix command line utilities.
The built-in kerberos can be configured to work with an AFS kaserver
by specifying the kerberos 4 realm and servers as usual and
"string_to_key_type = afs_string_to_key" in the [v4 realms] section.
The built-in kerberos can be invoked on console login by following
the instructions in Apple KnowledgeBase article 107154 and friends.
There is a kerberos plug-in at
<http://rescomp.stanford.edu/~akosut/macosx/kfm_aklog.tar.gz> which
will automatically load/destroy AFS tokens from kerberos tickets
which appears to do what it should.
The kerberos GUI in /System/Library/CoreServices appears to work fine
with the above plugin.
WHAT I'D LIKE HELP WITH
I have no access to a cell backed with a kerberos V server so I don't
know if any of this stuff would work there.
sshd and the other unix clients use pam (which the console login
doesn't) so they don't get kerberos tickets. I think the aklog
plugin would work if we just got a kerberos pam, and we don't need an
AFS pam.
Balazs GAL <balsa@rit.bme.hu> and I have been trading email in an
attempt to get the Heimdal pam-krb5 working on OSX.2.1. The current
hangup is getting the module linked so the pam machinery can load it.
I'll post more details on port-darwin@openafs.org and
unix-porting@lists.apple.com.
The OSX screensaver doesn't refresh the kerberos tickets when you
type in your password. Is there something in /etc/authorization that
would fix that?
The kfm_aklog doesn't create a unique PAG so ssh'ing in while the
console has AFS access inherits the token and allows the ssh user to
unlog the console. (We've been living with this problem for a long
time on other platforms though.)
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
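Added example (not part of the original message, nor Apple's or OpenAFS's own configuration): a Kerberos for Macintosh style edu.mit.Kerberos fragment showing where the "string_to_key_type = afs_string_to_key" setting from the message goes. The realm name EXAMPLE.EDU and the KDC host names are assumptions for illustration; the kdc, admin_server and default_domain keys inside the realm block are taken from the usual krb5.conf [realms] layout and are not mentioned in the message.

```ini
; Assumed realm and host names; replace with the cell's own.
[libdefaults]
	default_realm = EXAMPLE.EDU
	ticket_lifetime = 600
	forwardable = true

; Kerberos 5 side, used only if the cell has a V5 KDC.
[realms]
	EXAMPLE.EDU = {
		kdc = kerberos.example.edu:88
		admin_server = kerberos.example.edu
		default_domain = example.edu
		v4_realm = EXAMPLE.EDU
	}

; Kerberos 4 side: an AFS kaserver answers on port 750 and
; derives keys with the AFS string_to_key, so the library must
; be told to do the same or every password will fail to decrypt
; the ticket-granting ticket.
[v4 realms]
	EXAMPLE.EDU = {
		kdc = kerberos.example.edu:750
		admin_server = kerberos.example.edu
		string_to_key_type = afs_string_to_key
	}

[domain_realm]
	example.edu = EXAMPLE.EDU
	.example.edu = EXAMPLE.EDU

[v4 domain_realm]
	example.edu = EXAMPLE.EDU
	.example.edu = EXAMPLE.EDU
```

The only line the message itself prescribes is the string_to_key_type entry in [v4 realms]; a quick check that it took effect is to obtain a V4 ticket with the GUI or command line and then confirm that the aklog plug-in produces a token, since a wrong string-to-key choice fails at the password step before any token is requested.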