On Fri, Oct 04, 2002 at 04:17:51PM -0400, David Botsch wrote:
> 1. Not pag based.

True. Others have commented (on port-darwin) about ways to possibly get around this. Personally, I'm not terribly concerned with using PAGs on Mac OS X. The cases that I care about are pretty much all one-login-at-a-time machines with separate accounts for each "real" user, so per-uid tokens work great.

> 2. kludgy - we're essentially already doing this for 10.1 . . sometimes
> it works, sometimes it doesn't .. it seems to depend on which part of
> the login completes first.

We haven't had any problems with the login authenticator we used for Mac OS X 10.1, nor with the Kerberos plugin approach we've been testing for 10.2. Since the Kerberos plugin gets called when the password needs to be verified (very early in the login process), and does not return control to the login process until AFS tokens are installed, I don't think it's possible for there to be timing issues.

It is possible (as Ragnar has pointed out) that Mac OS X expects to be able to access the home directory as root, or in other ways that don't work with per-uid AFS tokens. But those would affect every login, and in my tests I haven't noticed any such problems with Mac OS X 10.2.1.

> However, it looks like we will essentially end up doing this since
> Apple has made it impossible to use the Power of Pam

Given how complex the Mac OS X login system appears to be, it would not surprise me to find that even if loginwindow did support PAM, it would be in a way that would not allow PAGs to be created to use properly with AFS home directories. AFS will probably only work 100% correctly with PAGs (or something similar) on Mac OS X if Apple designs a mechanism with AFS explicitly in mind.

--
Alexei Kosut <[EMAIL PROTECTED]> <http://rescomp.stanford.edu/~akosut/>
_______________________________________________
OpenAFS-devel mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-devel
