[OpenAFS-port-darwin] Re: Example of the "correct" way to get tokens for Finder on login...
Everette Allen
Everette_Allen@ncsu.edu
Thu, 09 Mar 2006 14:34:11 -0500
Ok folks, let's **really** talk about this:
So first I am aware of Alexei Kosut's (who now works for Apple doing
other things) kfm_aklog kerberos plug-in; in fact with permission from
Stanford we took this plug-in from the MacLeland work and modified it to
do multi-cell authentication as we needed it (i.e. the equiv of aklog
cellone celltwo cellthree). This plug-in basically re-implements the
aklog source code as a plug-in to the kerberos plug-in for
loginwindow (whose activation in /private/etc/authorization is still
developer material and not updated for 10.4 to date, see
http://docs.info.apple.com/article.html?artnum=107154).
By my count there were no less than three implementations of a kerberos
plug-in based on this
API: http://web.mit.edu/macdev/KfM/KerberosFramework/KerberosLogin/Documentation/LoginLogoutNotification.html.
See:
a) http://akosut.com/software/
b) https://lists.openafs.org/pipermail/port-darwin/2003-July/000309.html
c) https://lists.openafs.org/pipermail/port-darwin/2003-July/000308.html
None of these were ever rolled into the afs source tree as "blessed" by
the afs community to my knowledge, nor did Apple ever say it "blessed" or
would continue to support this method of using the LoginLogoutNotification
API for this function.
A member of my team asked about updating Kosut's plug-in to V5:
http://mailman.mit.edu/pipermail/krbdev/2004-February/002278.html
with some feedback from Alexandra, but that work never got done AFAICT.
And what happened with this thread:
http://lists.openafs.org/pipermail/openafs-devel/2005-February/011597.html
? Looks like Ken H. killed the patches, but should they be reconsidered
now?
Note the last time this community had this discussion via this thread,
with no conclusive outcome:
https://lists.openafs.org/pipermail/port-darwin/2002-October/000112.html
Also as of 10.4.x it looks like some of the kerberos work, running the
kerberos agent per user, is done with mach_init; see
/private/etc/mach_init_per_user.d/KerberosAgent.plist.
At the suggestion of some 3rd parties I have been able to use this
mechanism to do aklog cellone celltwo cellthree with good results, but
this does not seem to secure tokens at logout the way Kosut's plug-in does.
So back to the real question... the Windows folks have a mechanism "blessed" by the
openafs community and MS to acquire tokens usable to the GUI,
and the MacOS platform does not; what do we need/want and how do we go
about getting to this point? Right now we have a mishmash of cobbled-together
mechanisms which may or may not survive even minor OS updates,
and that needs to change...
> Sly Upah wrote:
> FWIW, it execs aklog as the user so it does get tokens.
> Regards,
> Sly
>
> Keith Johnston wrote:
> Hi
> I found this page
> http://tech.ait.iastate.edu/macosx/how-to/kerberized-login.shtml#10.4
> which shows how to get tickets at login, but it does not get tokens. The
> apple page
> http://docs.info.apple.com/article.html?artnum=107154 has not been
> updated yet.
> I think there is a security issue relating to LDAP using this
> modification to /etc/authorization in 10.4 but I have not heard
> anything about it recently.
> For OS X 10.3 I have used a kerberos plugin called
> aklog.loginLogout but it is not available for OS X 10.4 yet that I know
> of. I have not tried to do any PAM stuff with OS X 10.4 so I am not sure
> if it will work or not.
>
> Keith
>
> On 9/03/2006, at 10:36 AM, Ernest Prabhakar wrote:
>
>> Hi Everette,
>>
>> I asked around, and the best way to do this is probably to use some
>> sort of hook into loginwindow. The simplest way may be to use PAM on
>> Mac OS X. Unfortunately, I'm not sure where the documentation for that
>> would be. Here's one possible resource:
>>
>> http://weblog.bignerdranch.com/?p=6
>>
>> You might try to find someone who understands PAM, to see if they can
>> help. We'll try to take a look, but I can't say for sure when.
>>
>> Best,
>> -- Ernie P.
>>
>>
>> On Mar 7, 2006, at 11:06 AM, Everette Allen wrote:
>>
>>> Ok so looks like the windows folks are using Windows Login Scripts as
>>> the OpenAFS blessed way of getting tokens on login. So my question
>>> is what is the OpenAFS blessed way of doing this on MacOS X and can
>>> someone post an example that is working for them? The equiv. to
>>> windows is of course the login hook set with sudo defaults write
>>> /var/root/Library/Preferences/com.apple.loginwindow LoginHook
>>> "/private/etc/hooks/login.hook"
>>> except I could not get that mechanism to work with aklog
>>> Then I followed the suggestion of using system (not user) LaunchAgents
>>> from launchd and had some success there (see attached plist), but found
>>> that if a user does unlog, then logs out (10.4.4 at least), they do not
>>> get new tokens on the next login unless a different person has logged
>>> in or a reboot has happened. Not good either.
>>> So what is the "blessed" reliable mechanism? I need to use afs
>>> folders as home with 10.4.x on ppc and i386.
>>> ----
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
>>>   "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
>>> <plist version="1.0">
>>> <dict>
>>>     <key>Label</key>
>>>     <string>edu.ncstate.aklog</string>
>>>     <key>ProgramArguments</key>
>>>     <array>
>>>         <string>/usr/bin/aklog</string>
>>>         <string>-c</string>
>>>         <string>unity.ncsu.edu</string>
>>>         <string>-c</string>
>>>         <string>eos.ncsu.edu</string>
>>>         <string>-c</string>
>>>         <string>bp.ncsu.edu</string>
>>>     </array>
>>>     <key>RunAtLoad</key>
>>>     <true/>
>>>     <key>ServiceDescription</key>
>>>     <string>gets afs tokens for cells at ncstate</string>
>>> </dict>
>>> </plist>
>>>
>>>
>>> ----
>>> --Everette Gray Allen Systems Programmer II
>>> ITD Computing Services Macintosh Support Specialist
>>> 2620 Hillsborough St, Campus Box 7109
>>> Raleigh, NC 27695-7109 AIM: EveretteAlln
>>> 919-515-4558 Everette_Allen@ncsu.edu
>>
>> _______________________________________________
>> port-darwin mailing list
>> port-darwin@openafs.org
>> https://lists.openafs.org/mailman/listinfo/port-darwin
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Keith Johnston xtn: 87977
> Computer Support
> Computer Science Department Rm 395
>
> This email is brought to you by the letters OS X and the number 10,4
> and 4
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
--
Everette Gray Allen Systems Programmer II
ITD Computing Services Macintosh Support Specialist
2620 Hillsborough St, Campus Box 7109
Raleigh, NC 27695-7109 AIM: EveretteAlln
919-515-4558 Everette_Allen@ncsu.edu
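As an added example (not code from this thread or from OpenAFS), here is a loginwindow LoginHook of the kind set with the `defaults write ... LoginHook` command quoted above, written the way Sly describes: it runs aklog as the user who just logged in rather than as root, so the tokens land in that user's credential context, for the three cells in the quoted plist. It assumes aklog at /usr/bin/aklog, that loginwindow has already obtained Kerberos tickets, and that loginwindow passes the short user name as $1; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenAFS.
# A loginwindow LoginHook: loginwindow runs it as root and passes the
# short name of the user who just logged in as $1.  Assumptions: aklog is
# at /usr/bin/aklog and loginwindow has already obtained Kerberos tickets.
# Cell names are the three from the quoted plist.
AKLOG=/usr/bin/aklog
CELLS="unity.ncsu.edu eos.ncsu.edu bp.ncsu.edu"

# Turn a list of cells into the repeated "-c cell" form aklog accepts.
aklog_args() {
    out=""
    for cell in "$@"; do
        out="$out${out:+ }-c $cell"
    done
    printf '%s' "$out"
}

# The exact command the hook will run.  Tokens obtained while still root
# would belong to root, not the user, so aklog must run as the user via su.
hook_command() {
    hook_user="$1"; shift
    printf 'su %s -c "%s %s"' "$hook_user" "$AKLOG" "$(aklog_args "$@")"
}

main() {
    [ -n "$1" ] || { echo "usage: $0 <shortname>" >&2; return 1; }
    logger -t login.hook "running: $(hook_command "$1" $CELLS)"
    su "$1" -c "$AKLOG $(aklog_args $CELLS)"
    # Record what the user actually holds afterwards, for troubleshooting.
    su "$1" -c tokens 2>&1 | logger -t login.hook
}

# Only act when loginwindow supplies a user name; sourcing the file for
# tests just defines the functions.
[ $# -gt 0 ] && main "$@"
```

Because loginwindow executes the hook as root, keep the file root-owned and not group- or world-writable, and check the login.hook entries in the system log when a user reports having tickets but no tokens.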