Most likely.

I wrote a loginLogout plugin myself that did nothing but syslog() its inputs. It crashes a large fraction of the time. I filed a bug on it.
I got here as well rebuilding universal the KLL plug-in we have.

Also I just got off the phone with an Apple DTS rep and he confirmed that it's broken (and that Apple and MIT are aware of the problem). Some kind of change in the environment it operates in.
Is this true for 10.3.6 as well?


Some other tidbits to pass on:

The "builtin:krb5login" mechanism for /etc/authorization is broken in the same way that the example kerberos:login authorization services plugin is broken. (Look in /Developer/Examples/Security/kerberosAuthplugin.) I can provide the 5-line fix to anyone who wants it. It would be easy to add a call to an aklog()/krb5_afslog() routine in that plug-in to get AFS tokens on login (but the loginLogout plug-in is the right solution).

So I would be interested in the fix. Not sure I understand what you are saying... we can all get kerberos tickets on login by editing /etc/authorization so the binary shipping with 10.4.x is clearly not broken for kerberos at least for builtin:krb5authnoverify,privileged... might be for loading KLL plug-ins so are you saying the example is broken and the fix is for the example?
Is this example the actual code for the plug-in Apple ships?


It *should* be possible to set an authentication_authority value of ";Kerberosv5;" with Active Directory or LDAPv3 and get kerberos tickets on login. However a few little bits of context information aren't set so it doesn't work. It would be easy to insert another plug-in mechanism to bridge the gap, once Apple tells me what context bits are needed.
So I am thinking that in terms of overriding ldapv3 this is:
#;Kerberosv5;;$uid$;MY.REALM.DOM
(see: http://clc.its.psu.edu/Labs/Mac/resources/authdoc/ldapauthorization.aspx)
Or am I missing what you are asking?

I assume neither of these would be of interest for 1.4.1. After that I sincerely hope that Apple will fix the loginLogout plugin interface and at least the first one will be moot.

Am I the only one working the Authorization Services angle?
I would be very interested in this for 1.4.1, and it seems that at least the folks who wrote the kerberos plug-in think that Authorization Services is the right angle to work on (https://lists.openafs.org/pipermail/openafs-devel/2006-March/013644.html), so I am looking to follow, since this looks like the most survivable way as we go to Leopard and get tokens in a security session that makes AFS homes and a functioning Finder possible.

On another note I have been able to build universal a contextual menu plug-in which works with 1.4.1 for some fs examine, fs la/sa, and pts mem type functions. This is based on some code from the MacLeland project at Stanford back when Alexei Kosut was working on the project. I have been using it with 10.3 and openafs 1.2.11/13 for about 2 years by permission. This is one of the functions I think was asked for earlier in this discussion. Does anyone know if the license has changed on the MacLeland work or if we could get this code out so folks could use it? I would not be comfortable releasing it based on what I know now so please don't ask.

--
Everette Gray Allen             Systems Programmer II
ITD Computing Services  Macintosh Support Specialist
2620 Hillsborough St, Campus Box 7109
Raleigh, NC 27695-7109  AIM: EveretteAlln
919-515-4558            [EMAIL PROTECTED]
_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
