[OpenAFS-port-darwin] Re: Example of the "correct" way to get tokens for Finder on login...
Keith Johnston
keith@cs.auckland.ac.nz
Thu, 9 Mar 2006 11:12:02 +1300
Hi
I found this page
http://tech.ait.iastate.edu/macosx/how-to/kerberized-login.shtml#10.4
which shows how to get tickets at login, but it does not get tokens.
The Apple page http://docs.info.apple.com/article.html?artnum=107154
has not been updated yet.
I think there is a security issue relating to LDAP using this
modification to /etc/authorization in 10.4 but I have not heard
anything about it recently.
For OS X 10.3 I have used a Kerberos plugin called
aklog.loginLogout but it is not available for OS X 10.4 yet that I
know of. I have not tried to do any PAM stuff with OS X 10.4 so I am
not sure if it will work or not.
Keith
On 9/03/2006, at 10:36 AM, Ernest Prabhakar wrote:
> Hi Everette,
>
> I asked around, and the best way to do this is probably to use some
> sort of hook into loginwindow. The simplest way may be to use PAM
> on Mac OS X. Unfortunately, I'm not sure where the documentation
> for that would be. Here's one possible resource:
>
> http://weblog.bignerdranch.com/?p=6
>
> You might try to find someone who understands PAM, to see if they
> can help. We'll try to take a look, but I can't say for sure when.
>
> Best,
> -- Ernie P.
>
>
> On Mar 7, 2006, at 11:06 AM, Everette Allen wrote:
>
>> Ok so looks like the Windows folks are using Windows Login Scripts
>> as the OpenAFS blessed way of getting tokens on login. So my
>> question is what is the OpenAFS blessed way of doing this on MacOS
>> X and can someone post an example that is working for them? The
>> equiv. to Windows is of course the login hook set with
>> sudo defaults write /var/root/Library/Preferences/com.apple.loginwindow LoginHook "/private/etc/hooks/login.hook"
>> except I could not get that mechanism to work with aklog.
>> Then I followed the suggestion of using system (not user)
>> LaunchAgents from launchd and had some success there (see attached
>> plist) but found that if a user does unlog then logs out (10.4.4
>> at least) they do not get new tokens on the next login unless a
>> different person has logged in or a reboot has happened. Not good
>> either.
>> So what is the "blessed" reliable mechanism? I need to use AFS
>> folders as home with 10.4.x on ppc and i386.
>> ----
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
>> "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
>> <plist version="1.0">
>> <dict>
>> <key>Label</key>
>> <string>edu.ncstate.aklog</string>
>> <key>ProgramArguments</key>
>> <array>
>> <string>/usr/bin/aklog</string>
>> <string>-c</string>
>> <string>unity.ncsu.edu</string>
>> <string>-c</string>
>> <string>eos.ncsu.edu</string>
>> <string>-c</string>
>> <string>bp.ncsu.edu</string>
>> </array>
>> <key>RunAtLoad</key>
>> <true/>
>> <key>ServiceDescription</key>
>> <string>gets afs tokens for cells at ncstate</string>
>> </dict>
>> </plist>
>>
>>
>> ----
>> --
>> Everette Gray Allen Systems Programmer II
>> ITD Computing Services Macintosh Support Specialist
>> 2620 Hillsborough St, Campus Box 7109
>> Raleigh, NC 27695-7109 AIM: EveretteAlln
>> 919-515-4558 Everette_Allen@ncsu.edu
>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Keith Johnston xtn: 87977
Computer Support
Computer Science Department Rm 395
This email is brought to you by the letters OS X and the number 10,4
and 4
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=