So, just tried the method in there, using /etc/authorization.

Seems to mostly work... always gets tokens on login (though, still
seeing that weirdness where the Kerberos ticket cache doesn't seem to
always get copied back over properly... bug in Heimdal, maybe?).

Tickets do refresh on unlocking the screensaver, but tokens do not:


        <key>authenticate</key>
        <dict>
            <key>class</key>
            <string>evaluate-mechanisms</string>
            <key>mechanisms</key>
            <array>
                <string>builtin:authenticate</string>
                <string>builtin:reset-password,privileged</string>
                <string>builtin:authenticate,privileged</string>
                <string>builtin:krb5authnoverify,privileged</string>
                <string>PKINITMechanism:auth,privileged</string>
                <string>aklog:cnf.cornell.edu,privileged</string>
            </array>
        </dict>

On Tue, Dec 20, 2011 at 12:31:32PM -0500, Derrick Brashear wrote:
> I hear AFS workshops are awesome. You should try one sometime.
> 
> /afs/your-file-system.com/user/shadow/MacOSTokensAtLogin-Lion.pdf
> 
> On Tue, Dec 20, 2011 at 12:02 PM, Dave Botsch <[email protected]> wrote:
> > Is there an AFS auth plugin for Lion (presumably, something that is
> > referenced from /etc/authorization ?).
> >
> > On Tue, Dec 20, 2011 at 12:11:32AM -0500, Derrick Brashear wrote:
> >> Why pam and not an auth plugin?
> >>
> >> not that pam is necessarily a bad idea.
> >>
> >> On Mon, Dec 19, 2011 at 3:51 PM, Dave Botsch <[email protected]> wrote:
> >> > Just to clarify, at the moment, I'm not trying to make it work with ssh.
> >> > I'm working with loginwindow, which makes use of the
> >> > /etc/pam.d/authorization file .
> >> >
> >> > From my initial post, you'll see that pam-afs-session is indeed after
> >> > pam_krb5 . You'll also see that the pam-afs-session in the "session"
> >> > section never gets called (some oddity with loginwindow?).
> >> >
> >> > On Mon, Dec 19, 2011 at 12:49:42PM -0800, Russ Allbery wrote:
> >> >> Derrick Brashear <[email protected]> writes:
> >> >>
> >> >> > yeah, that's going to be the issue; the "answer" will either be that
> >> >> > afs_session needs to run after the krb5 module does whichever step
> >> >> > writes out the creds for real, or that it will have to learn how to
> >> >> > raid the temp kcm cache.
> >> >>
> >> >> The setcred step in pam_krb5 should do this, and pam_afs_session is
> >> >> always recommended to be run after pam_krb5 in auth for this reason.
> >> >> Maybe Mac OS X's native pam_krb5 doesn't write the ticket cache out
> >> >> until the session is created?  If so, one fix may be to remove
> >> >> pam_afs_session from the auth stack entirely (although this will break
> >> >> with non-interactive ssh).
> >> >>
> >> >> --
> >> >> Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
> >> >>
> >> >
> >> > --
> >> > ********************************
> >> > David William Botsch
> >> > Programmer/Analyst
> >> > CNF Computing
> >> > [email protected]
> >> > ********************************
> >> > _______________________________________________
> >> > OpenAFS-info mailing list
> >> > [email protected]
> >> > https://lists.openafs.org/mailman/listinfo/openafs-info
> >>
> >>
> >>
> >> --
> >> Derrick
> >>
> >
> 

-- 
********************************
David William Botsch
Programmer/Analyst
CNF Computing
[email protected]
********************************
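The symptom above (tokens at login, tickets but no tokens after a screensaver unlock) comes down to which right is evaluated and whether an aklog mechanism sits after the Kerberos mechanism in that right's chain. The following is an added example for walking an /etc/authorization-style rights/rules structure and reporting that; it is not code from the thread or from OpenAFS. The "authenticate" rule is the one quoted above; the "system.login.console" and "system.login.screensaver" entries and the "authenticate-screensaver" rule are constructed assumptions for the example, not real defaults, and a real run would load the file with plistlib.load(open("/etc/authorization", "rb")).

```python
# Constructed stand-in for the "rights" and "rules" dictionaries of
# /etc/authorization; the console/screensaver entries are assumptions.
SAMPLE = {
    "rights": {
        "system.login.console": {
            "class": "evaluate-mechanisms",
            "mechanisms": ["builtin:authenticate,privileged",
                           "builtin:krb5authnoverify,privileged",
                           "aklog:cnf.cornell.edu,privileged"]},
        "system.login.screensaver": {"class": "rule", "rule": ["authenticate-screensaver"]},
    },
    "rules": {
        "authenticate": {   # the rule quoted in the thread
            "class": "evaluate-mechanisms",
            "mechanisms": ["builtin:authenticate",
                           "builtin:reset-password,privileged",
                           "builtin:authenticate,privileged",
                           "builtin:krb5authnoverify,privileged",
                           "PKINITMechanism:auth,privileged",
                           "aklog:cnf.cornell.edu,privileged"]},
        "authenticate-screensaver": {   # no aklog: tickets refresh, tokens do not
            "class": "evaluate-mechanisms",
            "mechanisms": ["builtin:authenticate",
                           "builtin:krb5authnoverify,privileged"]},
    },
}

def mechanisms(db, name, depth=0):
    """Flatten the mechanism chain a right or rule evaluates, following
    class "rule" entries into the rules dictionary (bounded against loops)."""
    entry = db["rights"].get(name) or db["rules"].get(name)
    if entry is None or depth > 8:
        return []
    if entry.get("class") == "rule":
        return [m for r in entry.get("rule", []) for m in mechanisms(db, r, depth + 1)]
    return list(entry.get("mechanisms", []))

def check_tokens(db, name):
    """Return (has_aklog, aklog_after_kerberos).  aklog can only turn a ticket
    into an AFS token if it runs after every Kerberos mechanism in the chain."""
    chain = mechanisms(db, name)
    krb = [i for i, m in enumerate(chain) if m.startswith(("builtin:krb5", "PKINIT"))]
    ak = [i for i, m in enumerate(chain) if m.startswith("aklog:")]
    return bool(ak), bool(ak) and bool(krb) and min(ak) > max(krb)

if __name__ == "__main__":
    for name in ("system.login.console", "system.login.screensaver", "authenticate"):
        print(name, check_tokens(SAMPLE, name))
```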
