This is Mac OS X specific and slightly off topic. Still, it might be of
interest to someone. If I am doing something wrong - please let me know.

------

On 6 apr 2006, at 01.04, Henry B. Hotz wrote:

> You're finding relevant places the "authinternal" mechanism is referenced and replacing them. Not unreasonable.

IIRC, it was just the only two relevant places to do it, so we tried and it did
what we wanted.

> Have you tried removing the one authenticate rule to see if it matters? I don't see that rule referenced anywhere inside the file (though invisible stuff might reference it).

No, there are several implicit relationships in that file. I have filed
a bug against the non publicness of the hopefully existing documentation.

> I'm looking at the rights that might be relevant: system.login.console, system.login.done, and system.login.screensaver. The last references rule authenticate-session-owner-or-admin, which has three (I think this is the right grouping) ways to work: allow-root, class user/group admin, and class user/session-owner. Ought to be able to replace session-owner with something appropriate that also does Kerberos. Of course maybe the right solution is to replace something lower level. I'm waiting for Apple feedback on the subject.

We also wanted the small authenticate-me locks in for example the
System Preferences, the Installer and so on to work, so we want
Kerberos authentication everywhere. Therefore we just replaced the
base places which _seemed_ right.
Next step is also combining this with mobile accounts.

/ragge
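
The reference hunt discussed in this thread, as an added example that is not part of the original messages: a Python sketch that lists which rights and rules reach a given rule or mechanism through explicit references. The sample database is constructed, the `example*` names are hypothetical, and the rights/rules plist layout with `rule` and `mechanisms` keys is an assumption about the authorization file format.

```python
import plistlib

# Constructed sample in the assumed rights/rules layout; not a copy of Apple's file.
SAMPLE = plistlib.dumps({
    "rights": {
        "system.login.screensaver": {
            "class": "rule", "rule": "authenticate-session-owner-or-admin"},
        "example.right": {"class": "rule", "rule": "example-login"},
    },
    "rules": {
        "authenticate-session-owner-or-admin": {
            "class": "user", "session-owner": True, "allow-root": True},
        "example-login": {"class": "evaluate-mechanisms",
                          "mechanisms": ["example:login-ui", "authinternal"]},
        "authenticate": {"class": "evaluate-mechanisms",
                         "mechanisms": ["authinternal"]},
    },
})
DB = plistlib.loads(SAMPLE)

def direct_refs(entry):
    """Rule names and mechanism names an entry names explicitly."""
    rule = entry.get("rule", [])
    rules = [rule] if isinstance(rule, str) else list(rule)
    return set(rules), set(entry.get("mechanisms", []))

def users_of(db, target):
    """Rights/rules that reach `target` directly or through chained rules."""
    rules = db.get("rules", {})

    def reaches(entry, seen):
        sub_rules, mechs = direct_refs(entry)
        if target in sub_rules or target in mechs:
            return True
        # Follow rule-to-rule references, guarding against cycles.
        return any(name in rules and reaches(rules[name], seen | {name})
                   for name in sub_rules - seen)

    return sorted(f"{section}/{name}"
                  for section in ("rights", "rules")
                  for name, entry in db.get(section, {}).items()
                  if reaches(entry, {name}))

if __name__ == "__main__":
    for target in ("authinternal", "authenticate"):
        print(target, "<-", users_of(DB, target) or "no explicit references")
```

An empty result only means nothing names the target explicitly; as noted above, the file also has implicit relationships that a walk like this cannot see.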
