[OpenAFS-port-darwin] Re: port-darwin digest, Vol 1 #359 - 3 msgs
Jeff Kopmanis
kopmanis@umich.edu
Thu, 9 Mar 2006 14:35:01 -0500
We've been experimenting with a version of the aklog plugin, and once
compiled under Tiger, its been behaving well. We probably won't
release it, because we've an odd situation here at Michigan that
isn't generally useful. I'd be glad to pass the plugin on to
interested parties if they wish.
-Jeff.
---- University of Michigan Department of Mathematics ----
Jeff Kopmanis, IT Manager & Head Javelin Catcher
B736 East Hall, 530 Church St, Ann Arbor, MI 48109-1043
Office: 734-615-6038 http://www.umich.edu/~kopmanis
On Mar 9, 2006, at 12:01 PM, port-darwin-request@openafs.org wrote:
> Send port-darwin mailing list submissions to
> port-darwin@openafs.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.openafs.org/mailman/listinfo/port-darwin
> or, via email, send a message with subject or body 'help' to
> port-darwin-request@openafs.org
>
> You can reach the person managing the list at
> port-darwin-admin@openafs.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of port-darwin digest..."
>
>
> Today's Topics:
>
> 1. Re: Example of the "correct" way to get tokens for Finder on
> login... (Ernest Prabhakar)
> 2. Re: Re: Example of the "correct" way to get tokens for Finder
> on login... (Keith Johnston)
> 3. aklog.loginLogout plugin (Keith Johnston)
>
> --__--__--
>
> Message: 1
> Cc: port-darwin@openafs.org, Francis Shepherd <shepherd@apple.com>
> From: Ernest Prabhakar <prabhaka@apple.com>
> Date: Wed, 8 Mar 2006 13:36:38 -0800
> To: Everette Allen <Everette_Allen@ncsu.edu>
> Subject: [OpenAFS-port-darwin] Re: Example of the "correct" way to
> get tokens for Finder on login...
>
> Hi Everette,
>
> I asked around, and the best way to do this is probably to use some
> sort of hook into loginwindow. The simplest way may be to use PAM on
> Mac OS X. Unfortunately, I'm not sure where the documentation for
> that would be. Here's one possible resource:
>
> http://weblog.bignerdranch.com/?p=6
>
> You might try to find someone who understands PAM., to see if they
> can help. We'll try to take a look, but I can't say for sure when.
>
> Best,
> -- Ernie P.
>
>
> On Mar 7, 2006, at 11:06 AM, Everette Allen wrote:
>
>> Ok so looks like the windows folks are using Windows Login Scripts
>> as the OpenAFS blessed way of getting tokens on login. So my
>> question is what is the OpenAFS blessed way of doing this on MacOS
>> X and can someone post an example that is working for them? The
>> equiv. to windows is of course the login hook set with sudo
>> defaults write /var/root/Library/Preferences/com.apple.loginwindow
>> LoginHook "/private/etc/hooks/login.hook"
>> except I could not get that mechanism to work with aklog
>> Then I follow the suggestion of using system (not user)
>> LaunchAgents from launchd and had some success there(see attached
>> plist) but found that if a user does unlog then logs out (10.4.4 at
>> least) they do not get new tokens on the next login unless a
>> different person has logged in or a reboot has happened. Not good
>> either.
>> So what is the "blessed" reliable mechanism? I need to use afs
>> folders as home with 10.4.x on ppc and i386.
>> ----
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
>> "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
>> <plist version="1.0">
>> <dict>
>> <key>Label</key>
>> <string>edu.ncstate.aklog</string>
>> <key>ProgramArguments</key>
>> <array>
>> <string>/usr/bin/aklog</string>
>> <string>-c</string>
>> <string>unity.ncsu.edu</string>
>> <string>-c</string>
>> <string>eos.ncsu.edu</string>
>> <string>-c</string>
>> <string>bp.ncsu.edu</string>
>> </array>
>> <key>RunAtLoad</key>
>> <true/>
>> <key>ServiceDescription</key>
>> <string>gets afs tokens for cells at ncstate</string>
>> </dict>
>> </plist>
>>
>>
>> ----
>> --
>> Everette Gray Allen Systems Programmer II
>> ITD Computing Services Macintosh Support Specialist
>> 2620 Hillsborough St, Campus Box 7109
>> Raleigh, NC 27695-7109 AIM: EveretteAlln
>> 919-515-4558 Everette_Allen@ncsu.edu
>
>
> --__--__--
>
> Message: 2
> Cc: Everette Allen <Everette_Allen@ncsu.edu>,
> port-darwin@openafs.org, Francis Shepherd <shepherd@apple.com>
> From: Keith Johnston <keith@cs.auckland.ac.nz>
> Date: Thu, 9 Mar 2006 11:12:02 +1300
> To: Ernest Prabhakar <prabhaka@apple.com>
> Subject: Re: [OpenAFS-port-darwin] Re: Example of the "correct" way
> to get tokens for Finder on login...
>
> Hi
> I found this page http://tech.ait.iastate.edu/macosx/how-to/
> kerberized-login.shtml#10.4 which shows how to get tickets at login,
> but it does not get tokens. The apple page
> http://docs.info.apple.com/article.html?artnum=107154 has not been
> updated yet.
> I think there is a security issue relating to LDAP using this
> modification to /etc/authorization in 10.4 but I have not heard
> anything about it recently.
> For OS X 10.3 I have used a kerberos plugin called
> aklog.loginLogout but it is not available for OS X 10.4 yet that I
> know of. I have not tried to do any PAM stuff with OS X 10.4 so I am
> not sure if it will work or not.
>
> Keith
>
> On 9/03/2006, at 10:36 AM, Ernest Prabhakar wrote:
>
>> Hi Everette,
>>
>> I asked around, and the best way to do this is probably to use some
>> sort of hook into loginwindow. The simplest way may be to use PAM
>> on Mac OS X. Unfortunately, I'm not sure where the documentation
>> for that would be. Here's one possible resource:
>>
>> http://weblog.bignerdranch.com/?p=6
>>
>> You might try to find someone who understands PAM., to see if they
>> can help. We'll try to take a look, but I can't say for sure when.
>>
>> Best,
>> -- Ernie P.
>>
>>
>> On Mar 7, 2006, at 11:06 AM, Everette Allen wrote:
>>
>>> Ok so looks like the windows folks are using Windows Login Scripts
>>> as the OpenAFS blessed way of getting tokens on login. So my
>>> question is what is the OpenAFS blessed way of doing this on MacOS
>>> X and can someone post an example that is working for them? The
>>> equiv. to windows is of course the login hook set with sudo
>>> defaults write /var/root/Library/Preferences/com.apple.loginwindow
>>> LoginHook "/private/etc/hooks/login.hook"
>>> except I could not get that mechanism to work with aklog
>>> Then I follow the suggestion of using system (not user)
>>> LaunchAgents from launchd and had some success there(see attached
>>> plist) but found that if a user does unlog then logs out (10.4.4
>>> at least) they do not get new tokens on the next login unless a
>>> different person has logged in or a reboot has happened. Not good
>>> either.
>>> So what is the "blessed" reliable mechanism? I need to use afs
>>> folders as home with 10.4.x on ppc and i386.
>>> ----
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
>>> "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
>>> <plist version="1.0">
>>> <dict>
>>> <key>Label</key>
>>> <string>edu.ncstate.aklog</string>
>>> <key>ProgramArguments</key>
>>> <array>
>>> <string>/usr/bin/aklog</string>
>>> <string>-c</string>
>>> <string>unity.ncsu.edu</string>
>>> <string>-c</string>
>>> <string>eos.ncsu.edu</string>
>>> <string>-c</string>
>>> <string>bp.ncsu.edu</string>
>>> </array>
>>> <key>RunAtLoad</key>
>>> <true/>
>>> <key>ServiceDescription</key>
>>> <string>gets afs tokens for cells at ncstate</string>
>>> </dict>
>>> </plist>
>>>
>>>
>>> ----
>>> --
>>> Everette Gray Allen Systems Programmer II
>>> ITD Computing Services Macintosh Support Specialist
>>> 2620 Hillsborough St, Campus Box 7109
>>> Raleigh, NC 27695-7109 AIM: EveretteAlln
>>> 919-515-4558 Everette_Allen@ncsu.edu
>>
>> _______________________________________________
>> port-darwin mailing list
>> port-darwin@openafs.org
>> https://lists.openafs.org/mailman/listinfo/port-darwin
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Keith Johnston xtn: 87977
> Computer Support
> Computer Science Department Rm 395
>
> This email is brought to you by the letters OS X and the number 10,4
> and 4
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>
> --__--__--
>
> Message: 3
> To: port-darwin@openafs.org
> From: Keith Johnston <keith@cs.auckland.ac.nz>
> Date: Thu, 9 Mar 2006 11:24:28 +1300
> Subject: [OpenAFS-port-darwin] aklog.loginLogout plugin
>
> I believe Alexei Kosut is the authour of the plugin, but I am not
> sure if he is still working on it.
>
> Keith
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Keith Johnston xtn: 87977
> Computer Support
> Computer Science Department Rm 395
>
> This email is brought to you by the letters OS X and the number 10,4
> and 4
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>
>
> --__--__--
>
> _______________________________________________
> port-darwin mailing list
> port-darwin@openafs.org
> https://lists.openafs.org/mailman/listinfo/port-darwin
>
>
> End of port-darwin Digest