[OpenAFS-port-darwin] aklog/afslog at console login and Mac OS 10.2

David Botsch dwb7@ccmr.cornell.edu
Tue, 8 Oct 2002 11:53:35 -0400


We are going to use the pagsh trick with window server to get a pag,
and then use the aklog trick to get tokens with kerb auth.

On 2002.10.07 20:52 Ragnar Sundblad wrote:
> 
> 
> --On 7 October 2002 19:48 -0400 David Botsch <dwb7@ccmr.cornell.edu> wrote:
> 
>> So, your trick sets up a pagsh for the windowserver (under which
>> loginwindow runs, etc). Now, what happens to that pagsh when the
>> loginwindow decides to become the user as which someone has logged in?
>> You seem to imply that essentially a su user takes place?
>>
>> Add to the above a kerberos login plugin similar to what was posted that
>> just does an aklog, and we have tokens now. But, is it too late as far as
>> afs home directories are concerned, here?
>>
>> You also mention afs kernel extensions not being present during the first
>> login. Aren't these loaded when the startupscript starts afs as the Mac
>> OS X machine starts?
>>
>> As much as I hate to say this, are there any replacements out there for
>> loginwindow? For instance, it would be great to just be able to pop in
>> gdm, have gdm auth with pam, then go into a normal OS X gui session.
> 
> Note: I was not the one suggesting the pagsh script trick, I don't think
> it will cut it for afs based homedirs, while the loginLogout extension
> does, that I have tried.
> (Though I have considered something similar but from within init so that
> both loginwindow and windowmanager could share a pag. I still don't know
> if that is enough, maybe other services would need to share the pag too,
> that is why I say that the only maybe safe way to do this currently is
> with per-uid-tokens (still not completely safe, though, the SecurityAgent
> is running as root, and if that wants to write in the users' home dir
> it is smoked.)
> 
> Please refer to earlier posts to catch up on the discussion.
> 
> /ragge

-- 
********************************
David William Botsch
Consultant/Advisor II
CCMR Computing Facility
dwb7@ccmr.cornell.edu
********************************