On Apr 5, 2006, at 2:30 PM, Ragnar Sundblad wrote:

> On 5 apr 2006, at 23.03, Henry B. Hotz wrote:
>
>> Yes, I'm studying that as well. It's easy to stick something in
>> system.login.screensaver that works for a single user. Not so
>> easy to figure something that preserves all the admin override
>> options.
>
> What do you mean by preserving the admin override options?
> I just put "builtin:krb5authnoverify,privileged" on the right
> "system.login.console" and the rule "authenticate", and that does it
> for my needs. I think. Do you want something else?

You're finding relevant places the "authinternal" mechanism is
referenced and replacing them. Not unreasonable. Have you tried
removing the one authenticate rule to see if it matters? I don't see
that rule referenced anywhere inside the file (though invisible stuff
might reference it).

I'm looking at the rights that might be relevant:
system.login.console, system.login.done, and
system.login.screensaver. The last references rule
authenticate-session-owner-or-admin, which has three (I think this is
the right grouping) ways to work: allow-root, class user/group admin,
and class user/session-owner. Ought to be able to replace
session-owner with something appropriate that also does Kerberos. Of
course maybe the right solution is to replace something lower level.
I'm waiting for Apple feedback on the subject.

I expect you understand the risks of using krb5:authnoverify. It's
great for testing though.

>> I haven't folded this in with Apple, yet, but if you use the
>> "switch user" button from the screen saver it does exercise
>> system.login.console, but the resulting Kerberos tickets don't get
>> saved for the resulting user.
>
> It does for me, actually. This seems to work for me. I wonder what the
> difference is.
>
> This is true if you are switching to yourself, anyway.
>
> If I select another user from the user switching menu (yes, I have the
> "Show list of users" enabled, I have three user accounts on this
> machine :-), a tgt for the new user will be put in the prev user's
> ticket cache, and the principal name for that ticket cache will be set
> to the new user's. This really is broken and must be reported. If I go
> via selecting Login Window in the menu, it seems to work, so if you
> don't have "Show list of users" it might work.

That's a good test and pretty revealing. Please file a bug on it!
I've been testing against our production Kerberos so far, and I only
have one user account there.
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
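An added example, not code from either poster: an audit helper that walks an authorization database of the shape discussed above (a "rights" dict and a "rules" dict, where a right either lists "mechanisms" directly or points at a named rule) and reports every right from which the krb5authnoverify mechanism Henry flags as risky is reachable. The database structure and sample entries are a constructed simplification of /etc/authorization, not a real file.

```python
# Audit which authorization rights reach a given mechanism, following
# "rule" references (string or list) and guarding against cycles.
# The data model is a constructed simplification of /etc/authorization.

def _mechanisms_for(entry, rules, seen):
    """Yield the mechanisms an entry evaluates, following rule references."""
    for mech in entry.get("mechanisms", []):
        yield mech
    ref = entry.get("rule")
    refs = ref if isinstance(ref, list) else ([ref] if ref else [])
    for name in refs:
        if name in seen or name not in rules:  # cycle or dangling reference
            continue
        seen.add(name)
        yield from _mechanisms_for(rules[name], rules, seen)


def rights_using_mechanism(authdb, mechanism):
    """Return sorted names of rights whose chain includes `mechanism`.

    Mechanism strings carry flags after a comma, e.g.
    "builtin:krb5authnoverify,privileged"; only the name is compared.
    """
    rules = authdb.get("rules", {})
    hits = []
    for right, entry in authdb.get("rights", {}).items():
        for mech in _mechanisms_for(entry, rules, set()):
            if mech.split(",")[0] == mechanism:
                hits.append(right)
                break
    return sorted(hits)


# Constructed sample database, not a real /etc/authorization.
SAMPLE_AUTHDB = {
    "rights": {
        "system.login.console": {
            "class": "evaluate-mechanisms",
            "mechanisms": ["builtin:krb5authnoverify,privileged", "builtin:login-done"],
        },
        "system.login.screensaver": {"rule": "authenticate-session-owner-or-admin"},
        "system.login.done": {"rule": "authenticate"},
    },
    "rules": {
        "authenticate": {"class": "evaluate-mechanisms",
                         "mechanisms": ["builtin:krb5authnoverify,privileged"]},
        "authenticate-session-owner-or-admin": {"class": "user", "session-owner": True},
    },
}

if __name__ == "__main__":
    for right in rights_using_mechanism(SAMPLE_AUTHDB, "builtin:krb5authnoverify"):
        print("unverified Kerberos mechanism reachable from right:", right)
```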