[OpenAFS-port-darwin] Re: OpenAFS 1.6.1: aklog AuthorizationPlugin Hangs for Local Users

Duncan S Kincaid dsk@MIT.EDU
Wed, 6 Jun 2012 12:04:31 +0000



derrick, thank you for looking into this.

your latest aklog bundle crashes loginwindow seconds after credentials are entered,
this is true for both local and remote users under OS X 10.7.4.

from system log (following attempt by remote user 'crntest'):
================
Jun  6 07:12:23 dsk SecurityAgent[612]: User info context values set for crntest
Jun  6 07:12:23 dsk SecurityAgent[612]: Login Window login proceeding
Jun  6 07:12:23 dsk com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B3[615]: aklog: Couldn't get athena.mit.edu AFS tickets:
Jun  6 07:12:23 dsk com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B3[615]: aklog: 
Jun  6 07:12:23 dsk com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B3[615]: unknown RPC error (-1765328243) while getting AFS tickets
Jun  6 07:12:23 dsk loginwindow[603]: Login Window - Returned from Security Agent
Jun  6 07:12:24 dsk loginwindow[603]: AuthorizationRef doesn't have a username (<LoginAuthRefMgr: 0x7fcdb151ed90>). Exiting.
Jun  6 07:12:24 dsk com.apple.loginwindow[603]: AuthorizationRef doesn't have a username (<LoginAuthRefMgr: 0x7fcdb151ed90>). Exiting.
Jun  6 07:12:24 dsk com.apple.launchd[1] (com.apple.loginwindow): Throttling respawn: Will start in 2 seconds
Jun  6 07:12:26 dsk loginwindow[617]: Login Window Application Started
================

the aklog bundle included in latest OpenAFS client for Lion does not crash loginwindow,
but it does leave spinning gear after entering credentials in login window.

sanity check (as i may be doing something very stupid):

1. my /etc/pam.d/authorization:
# authorization: auth account
auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
auth       optional       pam_ntlm.so use_first_pass
auth       required       pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so

2. i can confirm (through secure.log) that i am getting tickets once entering credentials in login window.
as well, if i remove invocation of aklog.bundle (all versions) and use a LoginHook script for the aklog
all works fine (except for about 10% of the time under Lion (when credentials cache cannot be found?),
hence my interest in using aklog.bundle.)

3. my /etc/authorization looks like this:
<key>system.login.console</key>
<dict>
	<key>class</key>
	<string>evaluate-mechanisms</string>
	<key>comment</key>
	<string>Login mechanism based rule.  Not for general use, yet.</string>
	<key>mechanisms</key>
	<array>
		<string>builtin:policy-banner</string>
		<string>loginwindow:login</string>
		<string>builtin:reset-password,privileged</string>
		<string>builtin:forward-login,privileged</string>
		<string>builtin:auto-login,privileged</string>
		<string>builtin:authenticate,privileged</string>
		<string>PKINITMechanism:auth,privileged</string>
		<string>loginwindow:success</string>
		<string>aklog:athena.mit.edu,privileged</string>
		<string>HomeDirMechanism:login,privileged</string>
		<string>HomeDirMechanism:status</string>
		<string>MCXMechanism:login</string>
		<string>loginwindow:done</string>
	</array>
</dict>

4. my /Library/Preferences/edu.mit.Kerberos looks like this (partial only)
[libdefaults]
	default_realm = ATHENA.MIT.EDU
	forwardable = TRUE
	proxiable = TRUE
	noaddresses = TRUE
	allow_weak_crypto = TRUE

[realms]
	ATHENA.MIT.EDU = {
		kdc = kerberos.mit.edu.:88
		kdc = kerberos-1.mit.edu.:88
		kdc = kerberos-2.mit.edu.:88
		admin_server = kerberos.mit.edu.
		default_domain = mit.edu
	}

[domain_realm]
	.mit.edu = ATHENA.MIT.EDU
	mit.edu = ATHENA.MIT.EDU
etc.


On Jun 1, 2012, at 12:01 PM, <port-darwin-request@openafs.org> wrote:

> Message: 1
> Date: Thu, 31 May 2012 12:51:47 -0400
> From: Derrick Brashear <shadow@gmail.com>
> To: "port-darwin@openafs.org" <port-darwin@openafs.org>
> Subject: Re: [OpenAFS-port-darwin] OpenAFS 1.6.1: aklog AuthorizationPlugin
> Hangs for Local Users
>
> See if the bundle in
> /afs/your-file-system.com/usr/shadow/aklog.zip works better for you.
>
> Notes: in 10.7.2 and later you need to modify /etc/pam.d/authorization
> instead of
> setting builtin:krb5authnoverify,privileged; you probably want to add
> the default_principal option to
> the pam_krb5 module.
>
> In that vein it may be possible to use pam_aklog in the authorization
> stack tho I have not tried this
> yet.
>
> Also, *some* systems were not setting kDS1AttrUniqueID and
> kDS1AttrPrimaryGroup, only uid and gid.
> Others didn't set uid and gid, only the other 2. So, this will try to
> work around that.
>
> I'll push the patch to gerrit in a bit.
>
> On Wed, May 30, 2012 at 3:45 PM, Derrick Brashear <shadow@gmail.com> wrote:
>> "Oh."
>>
>> Yeah, it sounds pretty much exactly like this:
>> http://lists.apple.com/archives/apple-cdsa/2007/Jul/msg00001.html
>>
>> Lemme see if returning Undefined works or if I have to return UserCancelled.
>>
>> And in answer to Jim, the presentation in question is at
>> /afs/your-file-system.com/user/shadow/MacOSTokensAtLogin-Lion.pdf
>>
>> On Sat, May 26, 2012 at 2:30 PM, Derrick Brashear <shadow@gmail.com> wrote:
>>> I never tested with root. I'll try some other local user on my vm and see what I can find.
>>>
>>> Derrick
>>>
>>> On May 26, 2012, at 11:21, Duncan S Kincaid <dsk@mit.edu> wrote:
>>>
>>>> We are attempting to use the aklog AuthorizationPlugin provided in OpenAFS 1.6.1 for MacOS 10.7.
>>>> (Following the directions kindly provided by Derrick Brashear in "MacOS: Tokens at Login, A Tortured History").
>>>>
>>>> All appears to work fine for all network users.
>>>> However 'root' and any other local users cannot login.
>>>> Specifically, after entering credentials in login window,
>>>> the interminable spinning gear ensues.
>>>>
>>>> The console reads:
>>>> com.apple.authorizationhost.xxx: aklog: Couldn't determine realm of user:aklog:
>>>> com.apple.authorizationhost.xxx: unknown RPC error (-1765328189) while getting realm
>>>>
>>>> Local logins are restored once removing authPlugin reference in /etc/authorization.
>>>> (Not a solution, obviously).
>>>>
>>>> With thanks for any help/insights.
>>>>
>>>> dk
>>>>
>>>> |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
>>>> duncan kincaid
>>>> cron | mit school of architecture and planning
>>>>
>>> _______________________________________________
>>> port-darwin mailing list
>>> port-darwin@openafs.org
>>> https://lists.openafs.org/mailman/listinfo/port-darwin
>>
>> --
>> Derrick
>
> -- 
> Derrick


|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
duncan kincaid
cron | mit school of architecture and planning
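The "unknown RPC error (-1765328243)" line in the log above, and the "(-1765328189)" in the original report, are worth decoding before chasing AFS itself: both numbers are com_err codes, and com_err packs the owning error table's name into the top 24 bits of the 32-bit value (6 bits per character, at most four characters) and the index within that table into the low 8 bits. The Python script below is an added example, not part of this thread or of OpenAFS; it parses OS X syslog lines of the shape quoted above, pulls out such parenthesised codes and recovers the table name and index. Both codes in this thread decode to the "krb5" table (base -1765328384, the value of KRB5KDC_ERR_NONE) at indices 141 and 195, i.e. they are libkrb5 library errors, whatever the surrounding "RPC error" wording suggests; the index is the position of the entry in libkrb5's error table (krb5_err.et). The regular expressions, the field names and the function names are this example's own choices; the sample log lines are copied from the message above.

```python
import re

# com_err layout (shared by MIT Kerberos and OpenAFS): the low 8 bits of a
# 32-bit code index into an error table, the remaining 24 bits hold the
# table's name packed at 6 bits per character, first character most significant.
INDEX_BITS = 8
CHAR_BITS = 6


def _num_to_char(n):
    """Inverse of com_err's char_to_num(): 1-26 A-Z, 27-52 a-z, 53-62 0-9, 63 '_'."""
    if 1 <= n <= 26:
        return chr(ord("A") + n - 1)
    if 27 <= n <= 52:
        return chr(ord("a") + n - 27)
    if 53 <= n <= 62:
        return chr(ord("0") + n - 53)
    if n == 63:
        return "_"
    raise ValueError("not a com_err name digit: %d" % n)


def decode_com_err(code):
    """Return (table_name, table_base, index) for a signed 32-bit com_err code."""
    unsigned = code & 0xFFFFFFFF
    index = unsigned & ((1 << INDEX_BITS) - 1)
    packed = unsigned >> INDEX_BITS
    chars = []
    while packed:
        chars.append(_num_to_char(packed & ((1 << CHAR_BITS) - 1)))
        packed >>= CHAR_BITS
    # table_base is the code of entry 0 of that table (signed, as C would print it)
    return "".join(reversed(chars)), code - index, index


# OS X 10.7 syslog line: "Mon DD HH:MM:SS host process[pid]: message".
# Field names are this example's own choice.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# com_err codes appear as a parenthesised signed decimal, e.g. "(-1765328243)".
CODE_RE = re.compile(r"\((-?\d{4,10})\)")


def find_com_err_codes(log_text):
    """Scan syslog text; for every line carrying a com_err code return a dict
    with the process, pid, raw code, decoded table name, table base and index."""
    hits = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if m is None:
            continue  # not a syslog line of the expected shape
        c = CODE_RE.search(m.group("msg"))
        if c is None:
            continue  # no numeric error code on this line
        code = int(c.group(1))
        table, base, index = decode_com_err(code)
        hits.append({
            "process": m.group("proc"),
            "pid": int(m.group("pid")),
            "code": code,
            "table": table,
            "table_base": base,
            "index": index,
            "message": m.group("msg"),
        })
    return hits


# Sample input copied from the log quoted in the message above.
SAMPLE_LOG = """\
Jun  6 07:12:23 dsk SecurityAgent[612]: Login Window login proceeding
Jun  6 07:12:23 dsk com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B3[615]: aklog: Couldn't get athena.mit.edu AFS tickets:
Jun  6 07:12:23 dsk com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B3[615]: unknown RPC error (-1765328243) while getting AFS tickets
Jun  6 07:12:24 dsk loginwindow[603]: AuthorizationRef doesn't have a username (<LoginAuthRefMgr: 0x7fcdb151ed90>). Exiting.
"""

if __name__ == "__main__":
    for hit in find_com_err_codes(SAMPLE_LOG):
        print("pid %(pid)d: code %(code)d = table %(table)r "
              "(base %(table_base)d) + index %(index)d" % hit)
```

Run on the sample it reports one hit from pid 615 in table 'krb5' at index 141; feeding it the line from the original report gives index 195 in the same table. Knowing the table is the first thing to settle, since a "krb5" code at login time points at the credential cache or realm lookup on the client rather than at the AFS cell.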




