On Apr 5, 2006, at 3:22 AM, Ragnar Sundblad wrote:


On 5 apr 2006, at 03.17, Henry B. Hotz wrote:

Most likely.

I wrote a loginLogout plugin myself that did nothing but syslog() its inputs. It crashes a large fraction of the time. I filed a bug on it.

Yeah, I discovered that (finally!). Good that you filed a bug!
ASL, Apple System Logger, a syslog replacement, works though.

Thanks for the tip.

Also I just got off the phone with an Apple DTS rep and he confirmed that it's broken (and that Apple and MIT are aware of the problem). Some kind of change in the environment it operates in.

Some other tidbits to pass on:

The "builtin:krb5login" mechanism for /etc/authorization is broken in the same way that the example kerberos:login authorization services plugin is broken. (Look in /Developer/Examples/Security/kerberosAuthplugin.) I can provide the 5-line fix to anyone who wants it. It would be easy to add a call to an aklog()/krb5_afslog() routine in that plug-in to get AFS tokens on login (but the loginLogout plug-in is the right solution).

It *should* be possible to set an authentication_authority value of ";Kerberosv5;" with Active Directory or LDAPv3 and get kerberos tickets on login. However a few little bits of context information aren't set so it doesn't work. It would be easy to insert another plug-in mechanism to bridge the gap, once Apple tells me what context bits are needed.

I assume neither of these would be of interest for 1.4.1. After that I sincerely hope that Apple will fix the loginLogout plugin interface and at least the first one will be moot.

Am I the only one working the Authorization Services angle?

It depends on what you mean with that. :-)

I have now updated my plugin so that it works with Tiger, ppc and 386.
NOTE: It doesn't work with OpenAFS on Mac OS X _yet_ - that interface
obviously wasn't in the Heimdal I based it on. It works with Arla though.

It is based on the MIT krbafs lib that is based on the Heimdal kafs lib.
That krbafs lib hasn't been updated in a while though, so I have
updated it to mainly Heimdal 0.7.2 and some from HEAD.
The krbafs lib is fetched from MIT, patched with the updates and built
when you build the project with Xcode.

As far as I can see it works fine in 10.4.6 with LoginWindow, the screensaver,
Kerberos.app and kinit.
There are issues with Kerberos and Fast user switching (has nothing to do
with this plugin) - don't use that for now!

Yes, I'm studying that as well. It's easy to stick something in system.login.screensaver that works for a single user. Not so easy to figure something that preserves all the admin override options. My DTS rep brought up the k-of-n key, but decided there were some issues he needed to think through before he made a recommendation.

/etc/authorization does not use a general purpose conditional language. It's not even as flexible as PAM. Excepting k-of-n, you have a list of top-level keys which are logically OR'ed. One key may be evaluate-mechanisms, which runs a list of mechanisms (which may be plug-ins). ALL mechanisms must pass (logical AND) or evaluate-mechanisms fails. Plug-ins may deposit bits of "context" information for subsequent mechanisms to read. There's no (easy or supported) way to find out what context information exists from inside a plug-in.

I haven't folded this in with Apple, yet, but if you use the "switch user" button from the screen saver it does exercise system.login.console, but the resulting Kerberos tickets don't get saved for the resulting user. This is true if you are switching to yourself, anyway.

I'd be happy if people would like to help me test and if someone could
point me to some code for how to insert tokens into the OpenAFS MOSX 1.4.1
client.

Look for posts from Jeffrey Hutzelman and at Russ Allbery's libkopenafs thread on this list over the last couple of weeks.

The current test version, which, as I said, can't yet put tokens in the
OpenAFS client, can be found here:
<file:///afs/nada.kth.se/home/staff/ragge/out/test/>
<ftp://ftp.nada.kth.se/pub/home/ragge/test/>

/ragge
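The evaluation order Henry describes for /etc/authorization (top-level alternatives OR'ed, an evaluate-mechanisms list AND'ed, k-of-n as the one exception, and plug-ins depositing context bits for later mechanisms) as a small Python model. This is an added illustration, not code from the thread or from Apple; the mechanism names and context keys (username, password, realm) are made up, and the krb5_login stand-in only mirrors the "missing context bits" failure described above.

```python
"""Toy model of /etc/authorization evaluation as described in the thread
(constructed illustration, not Apple code).  A right is a list of
alternatives that are OR'ed.  An 'evaluate-mechanisms' alternative runs
its mechanisms in order and ALL must pass.  A 'k-of-n' alternative passes
when at least k of its n sub-rights pass.  Mechanisms read and deposit
'context' bits for the mechanisms that run after them."""
from typing import Callable, Dict, List

Context = Dict[str, str]
Mechanism = Callable[[Context], bool]


def evaluate_mechanisms(mechs: List[Mechanism], ctx: Context) -> bool:
    """Logical AND: the first failing mechanism fails the whole list."""
    for m in mechs:
        if not m(ctx):
            return False
    return True


def k_of_n(k: int, sub_rights: list, ctx: Context) -> bool:
    """Pass when at least k sub-rights pass; each gets its own copy of
    the context so a failing branch cannot pollute the others."""
    passed = sum(evaluate_right(r, dict(ctx)) for r in sub_rights)
    return passed >= k


def evaluate_right(right: list, ctx: Context) -> bool:
    """Logical OR over the alternatives listed for one right."""
    for alt in right:
        if alt[0] == "evaluate-mechanisms" and evaluate_mechanisms(alt[1], ctx):
            return True
        if alt[0] == "k-of-n" and k_of_n(alt[1], alt[2], ctx):
            return True
    return False


# Constructed mechanisms with hypothetical names (not real plug-ins).
def builtin_authenticate(ctx: Context) -> bool:
    ctx["username"] = "alice"       # deposit context for later mechanisms
    ctx["password"] = "secret"
    return True


def krb5_login(ctx: Context) -> bool:
    # Needs a context bit no earlier mechanism set: this is the shape of
    # the ";Kerberosv5;" failure described in the thread.
    return all(key in ctx for key in ("username", "password", "realm"))


def set_realm(ctx: Context) -> bool:
    ctx["realm"] = "EXAMPLE.ORG"    # bridging plug-in that fills the gap
    return True
```

Inserting set_realm before krb5_login in the mechanism list is the "another plug-in mechanism to bridge the gap" idea from the thread, modelled with made-up context keys.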


_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
