[OpenAFS-port-darwin] aklog During Login with Remote Home Directories

Joseph Jackson jackson@cmu.edu
Fri, 21 Oct 2005 13:48:46 -0400


Our login hook used to do some work as root, then would run "su $1" to 
switch into the context of the user logging in. After that step, you can 
run aklog and the right thing will happen.

Our current approach is to use the aklog code hacked into the format of a 
Kerberos plug-in. That way, AFS tokens are obtained whenever a TGT is 
obtained or renewed. I don't think we have that working in 10.4, though.

Check the documents on this web site for our 10.3 stash of instructions and 
tools:
<http://www.cmu.edu/computing/project/macosx/>

To answer Jim's question, I'm not sure if the aklog in OpenAFS 1.4 does 
Kerberos 4 or not. I'll try to get a definitive answer.

Joe Jackson,
Computing Services,
Carnegie Mellon University.

--On October 21, 2005 8:39:32 AM -0700 Mike Bydalek 
<mbydalek@contentconnections.com> wrote:

> Hello.
>
> I've been testing 1.4-rc8 on OS X 10.4.2 and 10.3.9 for the past few
> days, and so far, everything works beautifully (minus the fact every
> machine needs Xtools to run the packages created ;)
>
> Anyways, I'm now trying to tie it into the Kerberos authentication, which
> seems to be a really grey area.  I've come across the KfM_aklog, but it
> seems like that was written for OpenAFS 1.2, and up to OS X 10.3.  Since
> OpenAFS 1.4 comes with a nice aklog utility, I decided to just try to run
> that on login, but that's where I'm having the problems.
>
> So far I've tried using LoginHooks and editing the loginwindow.plist (which
> I couldn't get to work right).  The LoginHook method looks promising, but
> the problem is that it runs the login script as root.  I'm not 100% sure,
> but it seems that when logging in, it gets the krb5 ticket as root for
> the user, runs the login script (which runs aklog and does get an afs@
> token, according to klist in the script), and then passes it over to the
> user.  When doing so, it loses the afs tokens, therefore not allowing
> remote home directories to be accessed.
>
> My big question is, does anyone have a good way to run aklog for the user
> upon logging in?
>
> Any help would be greatly appreciated.
>
> -Mike