[OpenAFS-port-darwin] AFS Integrated Login on Mac OS X 10.2.4

Joseph Jackson jackson@andrew.cmu.edu
Fri, 14 Mar 2003 11:01:21 -0500


The loginhook runs as root, not the user logging in, so just tossing an 
"aklog" command in there won't work. The username is provided as an 
argument to the script.

If you just want to get AFS tokens, definitely grab Alexei's Kerberos 
plug-in. Most of the documentation is in the main source file, but it's 
pretty trivial to set up. Building a project in Project Builder is about 
the same as CodeWarrior. Hunt through the menus for the "Build" item.

If you want the loginhook to have the AFS access of the incoming user, you 
need to set the effective UID to that of the user. We use that trick so we 
can set up some pre-defined preferences and such on every login. Our 
preferences are kept in AFS, so we need access to the tokens first. It goes 
something like this, assuming a loginhook written in Perl:

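# The loginhook receives the login name as its first argument.
$user = $ARGV[0];
# log_abort is a helper that is not shown in this excerpt.
($name,$passwd,$uid,$gid,
 $quota,$comment,$gcos,
 $homedir,$shell,$expire) = getpwnam($user)
    or log_abort("User '$user' not in passwd database");
# Set the effective GID, then the effective UID, to the user's.
$) = $gid;
$> = $uid;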

We have some of this written up for our current 10.1 student labs. 
Eventually, I'll get it updated with what we've learned about 10.2. Here's 
the URL:

	http://www.cmu.edu/computing/project/macosx/

You can find lots of other information about deploying Mac OS X here, 
including sections on the loginhook:

	http://macosxlabs.org/

Joe Jackson,
Computing Services,
Carnegie Mellon University.

--On Thursday, March 13, 2003 5:29 PM -0500 Bruce Carter <bcarter@nd.edu> 
wrote:

> We're trying to do a similar thing, but we're not going through a
> server, we want the individual stations to authenticate directly.  We
> have LDAP set up with the correct records, but when we get to AFS we
> don't have the proper access.  I've tried running aklog as a command
> file from the LoginHook, but there appears to be some kind of timing
> problem as it doesn't work there.  It works if I manually run it from
> the terminal window after a login.  I'm contemplating heinous deeds like
> renaming the Finder and calling it from an AppleScript that does a shell
> script call of aklog.  I would like to try the plugin and will check the
> reference below, but I would definitely appreciate a hand with the
> details.  For instance, building the plug-in from the source might be a
> problem since I've very little experience with the new Apple tools (I'm
> kind of a CodeWarrior sort of guy, and even that has been a while).
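
The effective-UID switch from the loginhook snippet in the message above, carried through as an added example that is not the poster's script: it also replaces root's supplementary groups, confirms the switch took effect, and returns to root afterwards. The helper name run_as_user and the directory-open task are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not the original poster's script): run one task with the
# incoming user's effective IDs, then return to root.
use strict;
use warnings;
use English qw(-no_match_vars);   # $EUID is $>, $EGID is $)

# run_as_user() is a hypothetical helper name.
sub run_as_user {
    my ($user, $task) = @_;
    die "must be started as root\n" unless $EUID == 0;
    # The login name is an argument to the hook; accept only a plain account name.
    defined $user && $user =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/
        or die "bad user argument\n";
    my ($uid, $gid, $home) = (getpwnam($user))[2, 3, 7];
    defined $uid or die "User '$user' not in passwd database\n";

    my ($saved_euid, $saved_egid) = ($EUID, $EGID);
    # Groups first: setgroups() needs root, so it must precede the UID change.
    # "$gid $gid" sets the effective GID and replaces root's supplementary
    # groups with that one group (the user's other groups are not added).
    $EGID = "$gid $gid";
    $EUID = $uid;
    # A failed assignment to $) or $> does not die, so confirm the result.
    my @groups = split ' ', $EGID;
    my $dropped = $EUID == $uid && !grep { $_ != $gid } @groups;

    my @result = $dropped ? eval { $task->($home) } : ();
    my $err = $dropped ? $@ : "could not switch to '$user'\n";

    # Restore in reverse order: UID back to root first, then the group list.
    $EUID = $saved_euid;
    $EGID = $saved_egid;
    die "could not restore root IDs\n" unless $EUID == $saved_euid;
    die $err if $err;
    return @result;
}

# Constructed task: try to open the home directory as the user.
if (@ARGV) {
    my ($ok) = run_as_user($ARGV[0], sub { opendir(my $dh, $_[0]) ? 1 : 0 });
    print "home directory readable as $ARGV[0]: ", ($ok ? "yes" : "no"), "\n";
}
```

Only the effective IDs change, so the real UID stays 0 and the hook can switch back; anything the task executes could do the same, so the task should not run untrusted programs.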