[OpenAFS-port-darwin] OpenAFS 1.6.1: aklog AuthorizationPlugin Hangs for Local Users

Derrick Brashear shadow@gmail.com
Thu, 31 May 2012 12:51:47 -0400


See if the bundle in
/afs/your-file-system.com/usr/shadow/aklog.zip works better for you.

Notes: in 10.7.2 and later you need to modify /etc/pam.d/authorization
instead of setting builtin:krb5authnoverify,privileged; you probably
want to add the default_principal option to the pam_krb5 module.

In that vein it may be possible to use pam_aklog in the authorization
stack, though I have not tried this yet.

Also, *some* systems were not setting kDS1AttrUniqueID and
kDS1AttrPrimaryGroup, only uid and gid. Others didn't set uid and gid,
only the other 2. So, this will try to work around that.

I'll push the patch to gerrit in a bit.

On Wed, May 30, 2012 at 3:45 PM, Derrick Brashear <shadow@gmail.com> wrote:
> "Oh."
>
> Yeah, it sounds pretty much exactly like this:
> http://lists.apple.com/archives/apple-cdsa/2007/Jul/msg00001.html
>
> Lemme see if returning Undefined works or if I have to return UserCancelled.
>
> And in answer to Jim, the presentation in question is at
> /afs/your-file-system.com/user/shadow/MacOSTokensAtLogin-Lion.pdf
>
> On Sat, May 26, 2012 at 2:30 PM, Derrick Brashear <shadow@gmail.com> wrote:
>> I never tested with root. I'll try some other local user on my vm and see what I can find.
>>
>> Derrick
>>
>>
>> On May 26, 2012, at 11:21, Duncan S Kincaid <dsk@mit.edu> wrote:
>>
>>> We are attempting to use the aklog AuthorizationPlugin provided in OpenAFS 1.6.1 for MacOS 10.7.
>>> (Following the directions kindly provided by Derrick Brashear in "MacOS: Tokens at Login, A Tortured History").
>>>
>>> All appears to work fine for all network users.
>>> However, 'root' and any other local users cannot log in.
>>> Specifically, after entering credentials in the login window,
>>> the interminable spinning gear ensues.
>>>
>>> The console reads:
>>> com.apple.authorizationhost.xxx: aklog: Couldn't determine realm of user:aklog:
>>> com.apple.authorizationhost.xxx: unknown RPC error (-1765328189) while getting realm
>>>
>>> Local logins are restored once the authPlugin reference in /etc/authorization is removed.
>>> (Not a solution, obviously).
>>>
>>> With thanks for any help/insights.
>>>
>>> dk
>>>
>>> |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
>>> duncan kincaid
>>> cron | mit school of architecture and planning
>>>
>
> --
> Derrick



-- 
Derrick