[OpenAFS-port-darwin] aklog/afslog at console login and Mac OS 10.2

Ragnar Sundblad ragge@nada.kth.se
Mon, 07 Oct 2002 17:22:42 +0200


--On 6 October 2002 22:20 -0400 Dan Hyde <drh@umich.edu> wrote:

>> > Does anyone have a contact at Apple to either request an AFS
>> > authenticator for loginwindow or a PAM authenticator for the
>> > loginwindow?
>
> There is a Kerberos one.

If you mean the good ol' NeXT-style loginwindow authenticator
plugin, that doesn't work as of 10.2; one should use the new
authentication APIs instead.
At least that is the information I have got and why I wrote a
Kerberos plugin for aklog-ing.

>> Note that any plugin just to loginwindow won't solve the
>> per-uid-tokens problem, since loginwindow is only the parent
>> to CoreServices/pbs. All other user apps (Dock, Finder, etc.)
>> are children of WindowServer, which isn't PIDly related to
>> either loginwindow or the user's SecurityAgent, which
>> (currently) is the one running the Kerberos plugin at
>> loginwindow time.
>
> Here's the hack I've been using for a long while; the order of steps
> two and three isn't important, but you'd better do step two or it
> won't work.  The trick is to get WindowServer to do a setpag, and then
> later, when a child process (login or klog or kinit/aklog) gets
> credentials, they apply to all the WindowServer's subprocesses.  You can
> verify with id.  NB: the first time WindowServer runs, the AFS kernel
> extensions aren't there, so you have to login/logout to get a new one.

But to have home directories in AFS one needs tokens right away,
and possibly for all of, and maybe even more process trees than,
the loginwindow, the WindowServer and the SecurityAgent ones.
This will only fix it for the WindowServer tree, and only if
the user later aklogs. Or did I miss anything?

/ragge