[OpenAFS-port-darwin] Kerberos 5 aklog KfM plugin

Ragnar Sundblad ragge@nada.kth.se
Tue, 22 Jul 2003 14:41:45 +0200


Hello Nicholas,

--On 21 July 2003 00:54 -0500 Nicholas Riley <njriley@uiuc.edu> wrote:

> I've merged together Alexei Kosut's aklog KfM plugin and the Kerberos
> 5 compatible aklog code from <http://web.mit.edu/openafs/>.  This lets
> users with home directories in AFS log in and receive tokens
> automatically.

I also made a KfM plugin based on the MIT afslog code (to make
it work with Arla too) :-).

That source is here:
<ftp://ftp.nada.kth.se/pub/home/ragge/mosx/afslog-krbafs12.0.0.1d1.src.tgz>

> Unlike Alexei's plugin, this version does not unlog on logout.

(Neither does mine, I am not sure we want to unlog.)

> One anomaly you may notice is that the plugin code runs twice on login
> in two different SecurityAgent processes, failing the first time
> because no Kerberos ticket exists.  These correspond to the two
> mentions of 'krb5:' in /etc/authorization.  I wasn't able to find any
> way to distinguish between the two executions, and since the problem
> does not affect functionality, it should not be a major issue.  If
> anyone knows how I can fix this, I'd be happy to do so.

I don't remember the details right now (I am on vacation and
can't try it very easily), but at least it _used_ to be so that
the first call from KfM at loginwindow time is as root and
you have to setuid to the user to install the tokens, and
the second I think is as the actual user. I am not sure about
this though, you will have to check, and it of course might
have changed or change in the future.

I did as you did - I let it run twice since it doesn't do any harm.

Best regards,

/ragge