there's a second stanza the screensaver uses where you need to insert aklog.

ticket cache copying i assume is apple's bug, since we don't move it about.

On Tue, Dec 20, 2011 at 2:59 PM, Dave Botsch <[email protected]> wrote:
> So, just tried the method in there, using /etc/authorization.
>
> Seems to mostly work... always gets tokens on login (though, still
> seeing that weirdness where the kerberos ticket cache doesn't seem to
> always get copied back over properly... bug in Heimdal, maybe)?
>
> Tickets do refresh on unlocking the screensaver, but tokens do not:
>
> <key>authenticate</key>
> <dict>
>   <key>class</key>
>   <string>evaluate-mechanisms</string>
>   <key>mechanisms</key>
>   <array>
>     <string>builtin:authenticate</string>
>     <string>builtin:reset-password,privileged</string>
>     <string>builtin:authenticate,privileged</string>
>     <string>builtin:krb5authnoverify,privileged</string>
>     <string>PKINITMechanism:auth,privileged</string>
>     <string>aklog:cnf.cornell.edu,privileged</string>
>   </array>
> </dict>
>
> On Tue, Dec 20, 2011 at 12:31:32PM -0500, Derrick Brashear wrote:
>> I hear AFS workshops are awesome. You should try one sometime.
>>
>> /afs/your-file-system.com/user/shadow/MacOSTokensAtLogin-Lion.pdf
>>
>> On Tue, Dec 20, 2011 at 12:02 PM, Dave Botsch <[email protected]> wrote:
>> > Is there an AFS auth plugin for Lion (presumably, something that is
>> > referenced from /etc/authorization ?).
>> >
>> > On Tue, Dec 20, 2011 at 12:11:32AM -0500, Derrick Brashear wrote:
>> >> Why pam and not an auth plugin?
>> >>
>> >> not that pam is necessarily a bad idea.
>> >>
>> >> On Mon, Dec 19, 2011 at 3:51 PM, Dave Botsch <[email protected]> wrote:
>> >> > Just to clarify, at the moment, I'm not trying to make it work with ssh.
>> >> > I'm working with loginwindow, which makes use of the
>> >> > /etc/pam.d/authorization file.
>> >> >
>> >> > From my initial post, you'll see that pam-afs-session is indeed after
>> >> > pam_krb5. You'll also see that the pam-afs-session in the "session"
>> >> > section never gets called (some oddity with loginwindow?).
>> >> >
>> >> > On Mon, Dec 19, 2011 at 12:49:42PM -0800, Russ Allbery wrote:
>> >> >> Derrick Brashear <[email protected]> writes:
>> >> >>
>> >> >> > yeah, that's going to be the issue; the "answer" will either be that
>> >> >> > afs_session needs to run after the krb5 module does whichever step
>> >> >> > writes out the creds for real, or that it will have to learn how to raid
>> >> >> > the temp kcm cache.
>> >> >>
>> >> >> The setcred step in pam_krb5 should do this, and pam_afs_session is always
>> >> >> recommended to be run after pam_krb5 in auth for this reason. Maybe Mac
>> >> >> OS X's native pam_krb5 doesn't write the ticket cache out until the
>> >> >> session is created? If so, one fix may be to remove pam_afs_session from
>> >> >> the auth stack entirely (although this will break with non-interactive
>> >> >> ssh).
>> >> >>
>> >> >> --
>> >> >> Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
>> >> >
>> >> > --
>> >> > ********************************
>> >> > David William Botsch
>> >> > Programmer/Analyst
>> >> > CNF Computing
>> >> > [email protected]
>> >> > ********************************
>> >>
>> >> --
>> >> Derrick
>> >
>> > --
>> > ********************************
>> > David William Botsch
>> > Programmer/Analyst
>> > CNF Computing
>> > [email protected]
>> > ********************************
>>
>> --
>> Derrick
>
> --
> ********************************
> David William Botsch
> Programmer/Analyst
> CNF Computing
> [email protected]
> ********************************

--
Derrick

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
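The check the top of this thread calls for, as an added example that is not code from the thread or from OpenAFS: a Python script that parses an /etc/authorization plist and reports, for each evaluate-mechanisms right, whether an aklog mechanism is present and ordered after the Kerberos mechanism, so a second stanza that was never given aklog shows up as "missing". The plist is constructed inline from the stanza Dave quoted; the second right's name is a placeholder, since the thread does not name the stanza the screensaver uses.

```python
import plistlib

# Constructed /etc/authorization fragment, not a real dump: the "authenticate"
# right exactly as quoted in the thread, plus a placeholder right standing in
# for the stanza the screensaver unlock uses, which here still lacks aklog.
SAMPLE_AUTHORIZATION = b"""<plist version="1.0">
<dict><key>rights</key><dict>
  <key>authenticate</key>
  <dict>
    <key>class</key><string>evaluate-mechanisms</string><key>mechanisms</key>
    <array>
      <string>builtin:authenticate</string>
      <string>builtin:reset-password,privileged</string>
      <string>builtin:authenticate,privileged</string>
      <string>builtin:krb5authnoverify,privileged</string>
      <string>PKINITMechanism:auth,privileged</string>
      <string>aklog:cnf.cornell.edu,privileged</string>
    </array>
  </dict>
  <key>PLACEHOLDER.screensaver.right</key>
  <dict>
    <key>class</key><string>evaluate-mechanisms</string><key>mechanisms</key>
    <array>
      <string>builtin:authenticate</string>
      <string>builtin:krb5authnoverify,privileged</string>
    </array>
  </dict>
</dict></dict>
</plist>
"""

def audit_aklog(plist_bytes, krb5_mech="builtin:krb5authnoverify,privileged"):
    """Map each evaluate-mechanisms right to "ok" (aklog listed after the
    Kerberos mechanism, so it sees fresh tickets), "missing" (no aklog entry,
    so that right never obtains AFS tokens) or "before-krb5" (too early)."""
    rights = plistlib.loads(plist_bytes).get("rights", {})
    report = {}
    for name, rule in rights.items():
        if rule.get("class") != "evaluate-mechanisms":
            continue  # "user"/"rule" class entries carry no mechanism list
        mechs = rule.get("mechanisms", [])
        aklog_at = [i for i, m in enumerate(mechs) if m.startswith("aklog:")]
        if not aklog_at:
            report[name] = "missing"
        elif krb5_mech in mechs and aklog_at[0] < mechs.index(krb5_mech):
            report[name] = "before-krb5"
        else:
            report[name] = "ok"
    return report
```

Run it against the output of `security authorizationdb read <right>` or the whole file to see which rights still lack the aklog mechanism.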
