[OpenAFS-port-darwin] aklog/afslog at console login and Mac OS 10.2
Dan Hyde
Dan Hyde <drh@umich.edu>
Sun, 06 Oct 2002 22:20:48 -0400
> > does anyone have a contact at Apple to either request an afs
> > authenticator for loginwindow or a pam authenticator for the loginwindow?
There is a Kerberos one.
> Note that any plugin just to loginwindow won't solve the
> per-uid-tokens problem, since loginwindow is only the parent
> to CoreServices/pbs. All other user apps (Dock, Finder, etc)
> are children to WindowServer which isn't PIDly related to
> either loginwindow or the user's SecurityAgent which
> (currently) is the one running the Kerberos plugin at
> loginwindow time.
Here's the hack I've been using for a long while; the order of steps
two and three isn't important, but you'd better do step two or it
won't work. The trick is to get WindowServer to do a setpag, and then
later, when a child process (login or klog or kinit/aklog) gets
credentials, they apply to all the WindowServer's subprocesses. You can
verify with id. NB: the first time WindowServer runs, the afs kernel
extensions aren't there, so you have to login/logout to get a new one.
0) cd /System/Library/CoreServices/
1) mv WindowServer WindowServer.real
2) touch WindowServer; chmod +x WindowServer
3) cat << 'EOF' > WindowServer
#!/bin/sh
# The heredoc delimiter is quoted so that $#, $* and $@ are written to the
# file literally instead of being expanded by the shell running cat.
case $# in
0)
    # Only go through pagsh if it works (i.e. the afs kernel extensions are loaded).
    if /usr/bin/pagsh -c /usr/bin/true
    then
        exec /usr/bin/pagsh -c "/System/Library/CoreServices/WindowServer.real"
    else
        exec "/System/Library/CoreServices/WindowServer.real"
    fi
    ;;
*)
    if /usr/bin/pagsh -c /usr/bin/true
    then
        exec /usr/bin/pagsh -c "/System/Library/CoreServices/WindowServer.real $*"
    else
        exec "/System/Library/CoreServices/WindowServer.real" "$@"
    fi
    ;;
esac
EOF
Enjoy!
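
Added example (not part of the original message): a rehearsal of the wrapper in a scratch directory, so its argument handling and its fallback path can be checked before the real WindowServer is renamed. The stub pagsh (which only runs a shell and does no setpag), the stub WindowServer.real, the PAGSH_FAIL switch and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Rehearse the wrapper in a scratch directory before touching
# /System/Library/CoreServices. The stub pagsh and stub WindowServer.real are
# stand-ins (assumptions); the stub does no setpag, it only runs a shell.
make_sandbox() {
    d=$(mktemp -d) || return 1
    # Stand-in for the real binary: log one received argument per line.
    cat > "$d/WindowServer.real" << 'EOF'
#!/bin/sh
for a in "$@"; do printf '%s\n' "$a"; done > "$(dirname "$0")/args.log"
EOF
    # Stand-in for pagsh; export PAGSH_FAIL=1 to imitate a missing AFS kext.
    cat > "$d/pagsh" << 'EOF'
#!/bin/sh
[ -n "$PAGSH_FAIL" ] && exit 1
exec /bin/sh "$@"
EOF
    # The wrapper from the post, with its paths redirected into the sandbox.
    sed -e "s|/usr/bin/pagsh|$d/pagsh|g" -e 's|/usr/bin/true|true|g' \
        -e "s|/System/Library/CoreServices|$d|g" > "$d/WindowServer" << 'EOF'
#!/bin/sh
case $# in
0)
    if /usr/bin/pagsh -c /usr/bin/true
    then
        exec /usr/bin/pagsh -c "/System/Library/CoreServices/WindowServer.real"
    else
        exec "/System/Library/CoreServices/WindowServer.real"
    fi
    ;;
*)
    if /usr/bin/pagsh -c /usr/bin/true
    then
        exec /usr/bin/pagsh -c "/System/Library/CoreServices/WindowServer.real $*"
    else
        exec "/System/Library/CoreServices/WindowServer.real" "$@"
    fi
    ;;
esac
EOF
    chmod +x "$d/WindowServer.real" "$d/pagsh" "$d/WindowServer"
    printf '%s\n' "$d"
}

# run_wrapper DIR [ARGS...]: run the sandboxed wrapper, print the logged args.
run_wrapper() {
    d=$1; shift
    "$d/WindowServer" "$@" && cat "$d/args.log"
}
```

Running `run_wrapper "$(make_sandbox)" one "two words"` logs three arguments on the pagsh path, because `$*` is re-split inside `-c`, and two arguments when PAGSH_FAIL=1 is exported and the `"$@"` fallback is taken.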