[OpenAFS-port-darwin] Re: So tokens at login with post 10.4 mac os x...

Tom Farwig tom_farwig@ncsu.edu
Tue, 04 Dec 2007 18:27:32 -0500


Everette and I have been able to get it to work with launchd in Leopard, 
and it appears to even work if you are using AFS for your user home 
directories.  The launch agent would need to be stored in:

   /Library/LaunchAgents/

I used Lingon (http://lingon.sourceforge.net/) to create it as a Users 
Agent, which stores it in the right place automatically.  Using the 
example you gave below, you would create a new Users Agent, give it a 
name (section 1 in Lingon) for example edu.mit.getafstokens, enter the 
following command (section 2 in Lingon):

   /usr/bin/aklog -cell athena.mit.edu soap.mit.edu dev.mit.edu 
net.mit.edu sipb.mit.edu lees.mit.edu

Then in section 3, check the box where it says "Run it when it is loaded
by the system (at login or startup)".

The resulting plist file would look something like this:

(/Library/LaunchAgents/edu.mit.getafstokens.plist)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>edu.mit.getafstokens</string>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/bin/aklog</string>
		<string>-cell</string>
		<string>athena.mit.edu</string>
		<string>soap.mit.edu</string>
		<string>dev.mit.edu</string>
		<string>net.mit.edu</string>
		<string>sipb.mit.edu</string>
		<string>lees.mit.edu</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
</dict>
</plist>

This assumes you are getting Kerberos tickets at login with the mods you 
mentioned to /etc/authorization.

In the past we had been using the loginLogout plugin, but it does not 
appear to work under Leopard.

Because this is a "Users Agent" it runs at login and runs as the user 
instead of running as root, so you don't have to use su to change to the 
user.  You could also call a script instead of directly calling aklog, 
which might be a better choice if you want to get your cell list from a 
config file instead of hard coding it.

-Tom

port-darwin-request@openafs.org wrote:
> Message: 1
> From: Duncan Kincaid <dsk@MIT.EDU>
> To: port-darwin@openafs.org
> Date: Thu, 15 Nov 2007 12:43:06 -0500
> Subject: [OpenAFS-port-darwin] Re: port-darwin digest, Vol 1 #463 - 9 msgs
> 
> We have our Mac users authenticate against KDC, then have their home  
> directories on AFS  mounted.
> For the Kerberos tickets piece we edit /etc/authorization as described  
> below.
> For the AFS tokens piece, we have a loginhook shell script run as  
> described below.
> For informing users of expiring tickets/tokens (and option to renew),  
> we have a shell script managed by launchd LaunchAgent running in  
> background.
> 
> All this is for OS X 10.4. Leopard (OS X 10.5) differs only in the  
> editing of /etc/authorization.
> 
> TICKETS AT LOGIN
> edit /etc/authorization
> 		1. find section denoted by <key>system.login.console</key>
> 		2. within that section, replace <string>authinternal</string> with  
> <string>builtin:krb5authnoverify,privileged</string>
> 
> TOKENS AT LOGIN
>   need to run a loginhook script in order to get the user's AFS tokens at login  
> (otherwise the home directory obtained through the Directory Access->LDAP  
> lookup is mounted READ only)
> 	1. at the minimum, the loginhook script must look like this (ours  
> does a few other nice things besides, which are not shown for clarity).
> 				#!/bin/bash
> 				# the login hook receives the user name as $1; the whole aklog
> 				# command must be passed to su -c as one quoted argument
> 				su "$1" -c "/usr/bin/aklog -cell <yourAFScellnamehere>"
> 
> 	EXAMPLE: su "$1" -c "/usr/bin/aklog -cell athena.mit.edu  
> soap.mit.edu dev.mit.edu net.mit.edu sipb.mit.edu lees.mit.edu"
> 
> 
> best,
> Duncan Kincaid
> MIT Urban Studies and Planning
> 
> 


-- 
Tom Farwig
Technology Support Specialist
NC State University, Office of Information Technology
(919)513-4094 | tom_farwig@ncsu.edu
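As an added example (not a script from this thread or from OpenAFS), here is one way to do what Tom suggests at the end of his message: have the LaunchAgent call a script that reads the cell list from a config file instead of hard-coding it. The script only runs aklog when the user already holds a Kerberos ticket, logs the outcome per cell via syslog, and reports how many cells failed. The config path /etc/afs-login-cells, the environment overrides, and the `--run` argument are assumptions of this example; the LaunchAgent's ProgramArguments would then be the script path followed by `--run`, in place of the direct aklog call in Tom's plist.

```shell
#!/bin/bash
# Added example, not code from the thread: a login script that reads the AFS
# cell list from a config file (assumed path /etc/afs-login-cells, one cell
# per line, '#' comments allowed) and runs aklog once per cell, only when the
# user already holds a Kerberos ticket. The functions are sourceable; the
# real run happens only with the --run argument that the LaunchAgent passes.
set -u

CELL_FILE="${AFS_CELL_FILE:-/etc/afs-login-cells}"   # assumed location
AKLOG="${AKLOG:-/usr/bin/aklog}"

# log MSG: write to syslog when logger is available, otherwise to stderr
log() {
    logger -t afs-login "$*" 2>/dev/null || printf 'afs-login: %s\n' "$*" >&2
}

# read_cells FILE: print one cell per line with comments, blank lines and
# surrounding whitespace removed; non-zero status if nothing could be read
read_cells() {
    [ -r "$1" ] || return 1
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

# have_ticket: succeed only if the user currently holds a valid Kerberos ticket
have_ticket() {
    klist -s >/dev/null 2>&1
}

# get_tokens FILE: run aklog for every cell listed in FILE; the return value
# is the number of cells for which aklog failed (0 means all tokens obtained)
get_tokens() {
    local cells cell fails=0
    cells=$(read_cells "$1") || { log "no cells read from $1"; return 1; }
    for cell in $cells; do
        if "$AKLOG" -cell "$cell" >/dev/null 2>&1; then
            log "token obtained for $cell"
        else
            log "aklog failed for $cell"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# main: skip quietly when there is no ticket (aklog would fail anyway)
main() {
    if ! have_ticket; then
        log "no Kerberos ticket; skipping aklog"
        return 0
    fi
    get_tokens "$CELL_FILE"
}

# Only act when invoked as the LaunchAgent program: afs-login.sh --run
case "${1:-}" in
    --run) main ;;
esac
```

Because the agent runs as the logged-in user (as Tom notes), no su is needed; the script never needs to run as root, and keeping the cell list in a root-owned file means a user cannot redirect the token request to a different cell by editing it.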