[OpenAFS-port-darwin] Re: OpenAFS 1.6.1: aklog AuthorizationPlugin Hangs for Local Users

Duncan S Kincaid dsk@MIT.EDU
Thu, 7 Jun 2012 14:28:22 +0000

No crash log generated.
The only related stuff I could find was in the system log (below).

For many years we had been using LoginHook for aklog
without issue whatsoever. Only with Lion have we seen
the odd behaviour described below (10-15% of the time
aklog cannot find the ccache). I do hope to get the aklog.bundle
trick going to see if there is any improvement.
Thanks!
dk

On Jun 6, 2012, at 8:49 AM, Derrick Brashear wrote:

> On Wed, Jun 6, 2012 at 8:04 AM, Duncan S Kincaid <dsk@mit.edu> wrote:
>> Derrick, thank you for looking into this.
>>
>> Your latest aklog bundle crashes loginwindow seconds after credentials are entered;
>> this is true for both local and remote users under OS X 10.7.4.
>>
>> From the system log (following an attempt by remote user 'crntest'):
>> ================
>> Jun  6 07:12:23 dsk SecurityAgent[612]: User info context values set for crntest
>> Jun  6 07:12:23 dsk SecurityAgent[612]: Login Window login proceeding
>> Jun  6 07:12:23 dsk com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B3[615]: aklog: Couldn't get athena.mit.edu AFS tickets:
>> Jun  6 07:12:23 dsk com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B3[615]: aklog:
>> Jun  6 07:12:23 dsk com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B3[615]: unknown RPC error (-1765328243) while getting AFS tickets
>> Jun  6 07:12:23 dsk loginwindow[603]: Login Window - Returned from Security Agent
>> Jun  6 07:12:24 dsk loginwindow[603]: AuthorizationRef doesn't have a username (<LoginAuthRefMgr: 0x7fcdb151ed90>). Exiting.
>> Jun  6 07:12:24 dsk com.apple.loginwindow[603]: AuthorizationRef doesn't have a username (<LoginAuthRefMgr: 0x7fcdb151ed90>). Exiting.
>> Jun  6 07:12:24 dsk com.apple.launchd[1] (com.apple.loginwindow): Throttling respawn: Will start in 2 seconds
>> Jun  6 07:12:26 dsk loginwindow[617]: Login Window Application Started
>> ================
>>
>> The aklog bundle included in the latest OpenAFS client for Lion does not crash loginwindow,
>> but it does leave a spinning gear after entering credentials in the login window.
>>
>> Sanity check (as I may be doing something very stupid):
>
> All of your config looks correct.
> Do you get a crash log?
>
>> 1. My /etc/pam.d/authorization:
>> # authorization: auth account
>> auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
>> auth       optional       pam_ntlm.so use_first_pass
>> auth       required       pam_opendirectory.so use_first_pass nullok
>> account    required       pam_opendirectory.so
>>
>> 2. I can confirm (through secure.log) that I am getting tickets once I enter credentials in the login window.
>> As well, if I remove the invocation of aklog.bundle (all versions) and use a LoginHook script for the aklog,
>> all works fine (except for about 10% of the time under Lion (when the credentials cache cannot be found?),
>> hence my interest in using aklog.bundle.)
>
> Jason White from Iowa State wrote up something about that issue but I
> don't have the URL immediately handy.
>
>> 3. My /etc/authorization looks like this:
>> <key>system.login.console</key>
>>        <dict>
>>                        <key>class</key>
>>                        <string>evaluate-mechanisms</string>
>>                        <key>comment</key>
>>                        <string>Login mechanism based rule.  Not for general use, yet.</string>
>>                        <key>mechanisms</key>
>>                        <array>
>>                                <string>builtin:policy-banner</string>
>>                                <string>loginwindow:login</string>
>>                                <string>builtin:reset-password,privileged</string>
>>                                <string>builtin:forward-login,privileged</string>
>>                                <string>builtin:auto-login,privileged</string>
>>                                <string>builtin:authenticate,privileged</string>
>>                                <string>PKINITMechanism:auth,privileged</string>
>>                                <string>loginwindow:success</string>
>>                                <string>aklog:athena.mit.edu,privileged</string>
>>                                <string>HomeDirMechanism:login,privileged</string>
>>                                <string>HomeDirMechanism:status</string>
>>                                <string>MCXMechanism:login</string>
>>                                <string>loginwindow:done</string>
>>                        </array>
>>        </dict>
>> 4. My /Library/Preferences/edu.mit.Kerberos looks like this (partial only):
>> [libdefaults]
>>        default_realm = ATHENA.MIT.EDU
>>        forwardable = TRUE
>>        proxiable = TRUE
>>        noaddresses = TRUE
>>        allow_weak_crypto = TRUE
>>
>> [realms]
>>        ATHENA.MIT.EDU = {
>>                kdc = kerberos.mit.edu.:88
>>                kdc = kerberos-1.mit.edu.:88
>>                kdc = kerberos-2.mit.edu.:88
>>                admin_server = kerberos.mit.edu.
>>                default_domain = mit.edu
>>        }
>>
>> [domain_realm]
>>        .mit.edu = ATHENA.MIT.EDU
>>        mit.edu = ATHENA.MIT.EDU
>> etc.
>>
>>


|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
duncan kincaid
cron | mit school of architecture and planning
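Added example, not part of the thread or of OpenAFS: a small check over the system.login.console mechanism chain quoted above, useful as the kind of "sanity check" the post asks for. The ordering rules it applies are assumptions stated in the comments (aklog after builtin:authenticate, before HomeDirMechanism:login, and marked privileged); the plist below is constructed from the quoted fragment and wrapped in the top-level rights dict that /etc/authorization uses.

```python
import plistlib

# Constructed from the system.login.console fragment quoted in this thread,
# wrapped in the top-level "rights" dict that /etc/authorization uses.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>mechanisms</key>
      <array>
        <string>builtin:policy-banner</string>
        <string>loginwindow:login</string>
        <string>builtin:reset-password,privileged</string>
        <string>builtin:forward-login,privileged</string>
        <string>builtin:auto-login,privileged</string>
        <string>builtin:authenticate,privileged</string>
        <string>PKINITMechanism:auth,privileged</string>
        <string>loginwindow:success</string>
        <string>aklog:athena.mit.edu,privileged</string>
        <string>HomeDirMechanism:login,privileged</string>
        <string>HomeDirMechanism:status</string>
        <string>MCXMechanism:login</string>
        <string>loginwindow:done</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""

def check_aklog_placement(plist_bytes, plugin="aklog"):
    # Assumed rules (not from the thread): run after builtin:authenticate
    # (needs its Kerberos credentials), before HomeDirMechanism:login (an AFS
    # home needs a token first), and privileged like the other login steps.
    mechs = plistlib.loads(plist_bytes)["rights"]["system.login.console"]["mechanisms"]
    names = [m.split(",")[0] for m in mechs]          # strip ",privileged"
    hits = [i for i, m in enumerate(mechs) if m.startswith(plugin + ":")]
    if not hits:
        return ["%s mechanism missing from system.login.console" % plugin]
    i, findings = hits[0], []
    if not mechs[i].endswith(",privileged"):
        findings.append(mechs[i] + " is not marked privileged")
    if "builtin:authenticate" not in names[:i]:
        findings.append(mechs[i] + " runs before builtin:authenticate")
    if "HomeDirMechanism:login" in names[:i]:
        findings.append(mechs[i] + " runs after HomeDirMechanism:login")
    return findings
```

Running it on the quoted configuration returns no findings, which agrees with Derrick's "all of your config looks correct"; feed it `open("/etc/authorization", "rb").read()` to check a live system.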