[OpenAFS-port-darwin] So tokens at login with post 10.4 mac os x...
Patrick McNeal
mcneal@MIT.EDU
Thu, 25 Oct 2007 12:25:39 -0400
On Oct 24, 2007, at 3:39 PM, Everette Allen wrote:
> So has anyone yet learned how to get tokens at login (or kerberos
> tickets for that matter) on post 10.4 mac os? The information in:
> http://docs.info.apple.com/article.html?artnum=107154
> does not seem to apply post 10.4.
With this patch, and a valid /Library/Preferences/edu.mit.Kerberos
file, the LoginWindow should accept either the local password, or
kerberos password when logging into a local account. If you use your
kerberos password, you'll have a valid TGT after login.
FWIW, it appears only to let people in if they already have a local
account.
I've not tried to do anything with tokens yet.
--- /etc/authorization.bak 2007-10-24 16:27:41.000000000 -0400
+++ /etc/authorization 2007-10-24 16:38:45.000000000 -0400
@@ -537,7 +537,7 @@
<string>loginwindow:login</string>
<string>builtin:reset-password,privileged</string>
<string>builtin:auto-login,privileged</string>
- <string>builtin:authenticate,privileged</string>
+ <string>builtin:krb5authnoverify,privileged</string>
<string>HomeDirMechanism:login,privileged</string>
<string>HomeDirMechanism:status</string>
<string>MCXMechanism:login</string>
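Review bot: The `+` line swaps the login mechanism for `builtin:krb5authnoverify,privileged`, and the message does not say what "noverify" skips. If it means the TGT obtained at login is not validated against a host key held on the machine, the login window trusts whichever KDC answers. The description should say so and state when a verifying mechanism is required instead. Since this list begins with `loginwindow:login`, a mistake here affects every console login, so it is also worth noting that `/etc/authorization.bak` is the rollback copy and how to restore it.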
@@ -767,7 +767,7 @@
<array>
<string>builtin:smartcard-sniffer,privileged</string>
<string>builtin:authenticate</string>
- <string>builtin:authenticate,privileged</string>
+ <string>builtin:krb5authnoverify,privileged</string>
</array>
</dict>
<key>authenticate-admin</key>
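Review bot: This second hunk changes a different rule from the login one, and its name is not visible in the context (only the following `authenticate-admin` key is), while the message describes the LoginWindow behaviour only. Please name the right being modified and explain why it needs the Kerberos mechanism too, because any authorization prompt that evaluates this rule would then accept a Kerberos password as well. The unprivileged `builtin:authenticate` entry stays ahead of the replaced line, so the note should also say which of the two is expected to succeed for a local password and which for a Kerberos one.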