[OpenAFS-port-darwin] Re: Example of the "correct" way to get tokens for Finder on login...

Nicholas Riley njriley@uiuc.edu
Thu, 9 Mar 2006 13:52:11 -0600


On Thu, Mar 09, 2006 at 02:34:11PM -0500, Everette Allen wrote:
> So first I am aware of Alexei Kosut's (who now works for Apple doing 
> other things) kfm_aklog kerberos plug-in, in fact with permission from 
> Stanford we took this plug-in from the MacLeland work and modified it to 
> do multi-cell authentication as we needed it (i.e. the equiv of aklog 
> cellone celltwo cellthree).  This plug-in basically re-implements the 
> aklog source code as a plug-in to the kerberos plug-in for 
> loginwindow (whose activation in /private/etc/authorization is still 
> developer material and not updated for 10.4 to date, see 
> http://docs.info.apple.com/article.html?artnum=107154).
> 
> By my count there were no less than three implementations of a kerberos 
> plug-in based on this API: 
> http://web.mit.edu/macdev/KfM/KerberosFramework/KerberosLogin/Documentation/LoginLogoutNotification.html.
> See:
> a) http://akosut.com/software/
> b) https://lists.openafs.org/pipermail/port-darwin/2003-July/000309.html
> c) https://lists.openafs.org/pipermail/port-darwin/2003-July/000308.html

I've been working on getting (c) updated for current OpenAFS versions
and 10.4.  So far my plugin works when I kinit, but the Kerberos 5
native version apparently crashes the process hosting it when I try to
have it run on login.  Because of the way in which this process runs,
I haven't been able to get a stack trace or core dump, so debugging is
rather painful.

A recompile of the older one works, but we're trying to get rid of
gssklog/krb524 stuff here.  For now we're using the
/etc/mach_init_per_user.d trick on our test 10.4 box, but I'm planning
on debugging the login/logout plugin this weekend so we can migrate
our public Macs to 10.4 in the next few weeks.

However, if anyone else has a plugin that works, I don't need to
reinvent the wheel - no need for three pieces of software that do the
same thing.

Somewhat related - does anyone have an /etc/authorization file that
works for Kerberos logins, and preferably other things such as
unlocking the screen saver, System Preferences, Finder, etc.?  The one
I've constructed works in most places but breaks remote SSH logins for
everyone, and it's a tedious process of trial and error to determine
which rules need changing and how.

-- 
Nicholas Riley <njriley@uiuc.edu> | <http://www.uiuc.edu/ph/www/njriley>