Most likely.

I wrote a loginLogout plugin myself that did nothing but syslog() its inputs. It crashes a large fraction of the time. I filed a bug on it.

Also I just got off the phone with an Apple DTS rep and he confirmed that it's broken (and that Apple and MIT are aware of the problem). Some kind of change in the environment it operates in.

Some other tidbits to pass on:

The "builtin:krb5login" mechanism for /etc/authorization is broken in the same way that the example kerberos:login authorization services plugin is broken. (Look in /Developer/Examples/Security/kerberosAuthplugin.) I can provide the 5-line fix to anyone who wants it. It would be easy to add a call to an aklog()/krb5_afslog() routine in that plug-in to get AFS tokens on login (but the loginLogout plug-in is the right solution).

It *should* be possible to set an authentication_authority value of ";Kerberosv5;" with Active Directory or LDAPv3 and get kerberos tickets on login. However a few little bits of context information aren't set so it doesn't work. It would be easy to insert another plug-in mechanism to bridge the gap, once Apple tells me what context bits are needed.

I assume neither of these would be of interest for 1.4.1. After that I sincerely hope that Apple will fix the loginLogout plugin interface and at least the first one will be moot.

Am I the only one working the Authorization Services angle?

On Mar 31, 2006, at 9:01 AM, [EMAIL PROTECTED] wrote:

Cc: Jeffrey Altman <[EMAIL PROTECTED]>
From: Ragnar Sundblad <[EMAIL PROTECTED]>
Date: Fri, 31 Mar 2006 00:43:25 +0200
To: [email protected]
Subject: [OpenAFS-devel] aklog on MacOS X was Re: Service Ticket Questions


On Wed, 22 Mar 2006 09:34:39 -0500, Jeffrey Altman <[EMAIL PROTECTED]
endpoints.com> wrote:

...

Today in order to minimize the interactions with end users, we desire
the ability to utilize single sign-on and automatic credential renewal
via the Kerberos Login Library plug-in.  (Unfortunately, this is not
working quite right on Tiger.)

...

Oh, what is it with the KLL API that doesn't work on tiger?

I am working on updating my old afslog.loginLogout that is based on the MIT krbafs lib (<http://web.mit.edu/openafs/krbafs/>), which in turn is based on heimdal's kafs lib anno ~2000-2001 broken out in a portable way (portable meaning that it works with both MIT-krb and Heimdal and OpenAFS and Arla on most platforms).

I think I have managed to update the krbafs lib to match ~heimdal 0.7.2++ kafs, and the loginLogout works for getting tokens when run from the command line with kinit.

I still see KerberosAgent crashes in the log files though, even when it works otherwise.

It doesn't work when I use it from LoginWindow though, it crashes LoginWindow (actually it crashes authorizationhost, but LoginWindow exits) so I get to the getty login. The funny thing is that even if I comment out the call to the kerberos stuff, meaning that the plugin is just a big noop, it still crashes. This is how far I have gotten on this until this afternoon.

Is this what you meant above?

See top.

If so, I should file a bug to Apple instead of trying to understand what I am doing wrong.

/ragge

----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[EMAIL PROTECTED], or [EMAIL PROTECTED]


_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
