[OpenAFS-port-darwin] Re: OpenAFS 1.6.1: aklog AuthorizationPlugin Hangs for Local Users

Derrick Brashear shadow@gmail.com
Wed, 6 Jun 2012 08:49:37 -0400


On Wed, Jun 6, 2012 at 8:04 AM, Duncan S Kincaid <dsk@mit.edu> wrote:
> derrick, thank you for looking into this.
>
> your latest aklog bundle crashes loginwindow seconds after credentials are entered,
> this is true for both local and remote users under OS X 10.7.4.
>
> from system log (following attempt by remote user 'crntest'):
> ================
> Jun  6 07:12:23 dsk SecurityAgent[612]: User info context values set for crntest
> Jun  6 07:12:23 dsk SecurityAgent[612]: Login Window login proceeding
> Jun  6 07:12:23 dsk com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B3[615]: aklog: Couldn't get athena.mit.edu AFS tickets:
> Jun  6 07:12:23 dsk com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B3[615]: aklog:
> Jun  6 07:12:23 dsk com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B3[615]: unknown RPC error (-1765328243) while getting AFS tickets
> Jun  6 07:12:23 dsk loginwindow[603]: Login Window - Returned from Security Agent
> Jun  6 07:12:24 dsk loginwindow[603]: AuthorizationRef doesn't have a username (<LoginAuthRefMgr: 0x7fcdb151ed90>). Exiting.
> Jun  6 07:12:24 dsk com.apple.loginwindow[603]: AuthorizationRef doesn't have a username (<LoginAuthRefMgr: 0x7fcdb151ed90>). Exiting.
> Jun  6 07:12:24 dsk com.apple.launchd[1] (com.apple.loginwindow): Throttling respawn: Will start in 2 seconds
> Jun  6 07:12:26 dsk loginwindow[617]: Login Window Application Started
> ================
>
> the aklog bundle included in the latest OpenAFS client for Lion does not crash loginwindow,
> but it does leave a spinning gear after entering credentials in the login window.
>
> sanity check (as i may be doing something very stupid):

all of your config looks correct.
Do you get a crash log?

> 1. my /etc/pam.d/authorization:
> # authorization: auth account
> auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
> auth       optional       pam_ntlm.so use_first_pass
> auth       required       pam_opendirectory.so use_first_pass nullok
> account    required       pam_opendirectory.so
>
> 2. i can confirm (through secure.log) that i am getting tickets once i enter credentials in the login window.
> as well, if i remove the invocation of aklog.bundle (all versions) and use a LoginHook script for aklog,
> all works fine (except for about 10% of the time under Lion (when the credentials cache cannot be found?),
> hence my interest in using aklog.bundle.)

Jason White from Iowa State wrote up something about that issue but I
don't have the URL immediately handy.

> 3. my /etc/authorization looks like this:
> <key>system.login.console</key>
>         <dict>
>                 <key>class</key>
>                 <string>evaluate-mechanisms</string>
>                 <key>comment</key>
>                 <string>Login mechanism based rule.  Not for general use, yet.</string>
>                 <key>mechanisms</key>
>                 <array>
>                         <string>builtin:policy-banner</string>
>                         <string>loginwindow:login</string>
>                         <string>builtin:reset-password,privileged</string>
>                         <string>builtin:forward-login,privileged</string>
>                         <string>builtin:auto-login,privileged</string>
>                         <string>builtin:authenticate,privileged</string>
>                         <string>PKINITMechanism:auth,privileged</string>
>                         <string>loginwindow:success</string>
>                         <string>aklog:athena.mit.edu,privileged</string>
>                         <string>HomeDirMechanism:login,privileged</string>
>                         <string>HomeDirMechanism:status</string>
>                         <string>MCXMechanism:login</string>
>                         <string>loginwindow:done</string>
>                 </array>
>         </dict>
> 4. my /Library/Preferences/edu.mit.Kerberos looks like this (partial only)
> [libdefaults]
>         default_realm = ATHENA.MIT.EDU
>         forwardable = TRUE
>         proxiable = TRUE
>         noaddresses = TRUE
>         allow_weak_crypto = TRUE
>
> [realms]
>         ATHENA.MIT.EDU = {
>                 kdc = kerberos.mit.edu.:88
>                 kdc = kerberos-1.mit.edu.:88
>                 kdc = kerberos-2.mit.edu.:88
>                 admin_server = kerberos.mit.edu.
>                 default_domain = mit.edu
>         }
>
> [domain_realm]
>         .mit.edu = ATHENA.MIT.EDU
>         mit.edu = ATHENA.MIT.EDU
> etc.
>
>
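Two offline checks for the setup discussed in this thread, as an added example that is not part of the original message and not OpenAFS, aklog.bundle or Apple code. The first splits a libkrb5 com_err code such as the -1765328243 in the quoted log into its table base and 8-bit offset: the base -1765328384 is the krb5 error table, and offset 141 in that table is KRB5_CC_NOTFOUND ("Matching credential not found"). The second parses a system.login.console rule in the /etc/authorization plist format (the embedded fragment is constructed to mirror the one quoted above, with the rest of the file omitted) and verifies the ordering the quoted configuration relies on: the aklog mechanism must sit after the mechanisms that authenticate the user (builtin:authenticate, which drives the PAM stack, then loginwindow:success) and before HomeDirMechanism:login, so a token exists before anything touches a home directory that may live in AFS. That ordering rule and the function names are assumptions made for this example.

```python
"""Offline checks for the login-window aklog setup discussed in the thread.

Added example; not OpenAFS, aklog.bundle or Apple code.
"""
import plistlib

KRB5_ERROR_TABLE_BASE = -1765328384   # ERROR_TABLE_BASE_krb5 from com_err

# Constructed fragment that mirrors the system.login.console rule quoted in the
# thread; a real /etc/authorization carries many more rights.
AUTHORIZATION_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:policy-banner</string>
        <string>loginwindow:login</string>
        <string>builtin:reset-password,privileged</string>
        <string>builtin:forward-login,privileged</string>
        <string>builtin:auto-login,privileged</string>
        <string>builtin:authenticate,privileged</string>
        <string>PKINITMechanism:auth,privileged</string>
        <string>loginwindow:success</string>
        <string>aklog:athena.mit.edu,privileged</string>
        <string>HomeDirMechanism:login,privileged</string>
        <string>HomeDirMechanism:status</string>
        <string>MCXMechanism:login</string>
        <string>loginwindow:done</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""


def decode_com_err(code):
    """Return (table_base, offset) if `code` falls in the krb5 com_err table, else None."""
    offset = code - KRB5_ERROR_TABLE_BASE
    if 0 <= offset < 256:          # com_err tables index with the low 8 bits
        return KRB5_ERROR_TABLE_BASE, offset
    return None


def login_mechanisms(plist_bytes):
    """Mechanism list of the system.login.console right, in evaluation order."""
    rights = plistlib.loads(plist_bytes)["rights"]
    return list(rights["system.login.console"]["mechanisms"])


def split_mechanism(entry):
    """'aklog:athena.mit.edu,privileged' -> ('aklog:athena.mit.edu', True)."""
    name, _, flag = entry.partition(",")
    return name, flag == "privileged"


def check_aklog_order(mechanisms):
    """Return a list of ordering problems; an empty list means the chain is sane."""
    names = [split_mechanism(m)[0] for m in mechanisms]
    aklog_positions = [i for i, n in enumerate(names) if n.startswith("aklog:")]
    if not aklog_positions:
        return ["system.login.console has no aklog mechanism"]
    problems = []
    if len(aklog_positions) > 1:
        problems.append("aklog is listed more than once")
    pos = aklog_positions[0]
    # These must already have run, or there are no Kerberos tickets to convert.
    for before in ("builtin:authenticate", "loginwindow:success"):
        if before not in names:
            problems.append("%s is missing" % before)
        elif names.index(before) > pos:
            problems.append("%s runs after aklog" % before)
    # The home directory may live in AFS, so it must be mounted after aklog.
    if "HomeDirMechanism:login" in names and names.index("HomeDirMechanism:login") < pos:
        problems.append("HomeDirMechanism:login runs before aklog")
    return problems


if __name__ == "__main__":
    print("krb5 error -1765328243 ->", decode_com_err(-1765328243))
    mechs = login_mechanisms(AUTHORIZATION_PLIST)
    print("ordering problems:", check_aklog_order(mechs) or "none")
```

To run it against a live machine of that era, read the real file with `open("/etc/authorization", "rb").read()` in place of the embedded fragment; the parser only needs the `rights` dictionary and the `system.login.console` key, which the quoted configuration has.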