Hmm... system.login.screensaver is of class rule, not of class evaluate-mechanisms like system.login.console and authenticate are... so there are no "mechanisms" in there (maybe one can still add them?)
Makes me wonder, though, why the Kerberos ticket renewal still works there even though that's not specifically in the screensaver.

On Tue, Dec 20, 2011 at 03:56:45PM -0500, Derrick Brashear wrote:
> there's a second stanza the screensaver uses where you need to insert aklog.
>
> ticket cache copying I assume is Apple's bug, since we don't move it about.
>
> On Tue, Dec 20, 2011 at 2:59 PM, Dave Botsch <[email protected]> wrote:
> > So, just tried the method in there, using /etc/authorization.
> >
> > Seems to mostly work... always gets tokens on login (though, still
> > seeing that weirdness where the Kerberos ticket cache doesn't seem to
> > always get copied back over properly... bug in Heimdal, maybe?)
> >
> > Tickets do refresh on unlocking the screensaver, but tokens do not:
> >
> >
> > <key>authenticate</key>
> > <dict>
> >     <key>class</key>
> >     <string>evaluate-mechanisms</string>
> >     <key>mechanisms</key>
> >     <array>
> >         <string>builtin:authenticate</string>
> >         <string>builtin:reset-password,privileged</string>
> >         <string>builtin:authenticate,privileged</string>
> >         <string>builtin:krb5authnoverify,privileged</string>
> >         <string>PKINITMechanism:auth,privileged</string>
> >         <string>aklog:cnf.cornell.edu,privileged</string>
> >     </array>
> > </dict>
> >
> > On Tue, Dec 20, 2011 at 12:31:32PM -0500, Derrick Brashear wrote:
> >> I hear AFS workshops are awesome. You should try one sometime.
> >>
> >> /afs/your-file-system.com/user/shadow/MacOSTokensAtLogin-Lion.pdf
> >>
> >> On Tue, Dec 20, 2011 at 12:02 PM, Dave Botsch <[email protected]> wrote:
> >> > Is there an AFS auth plugin for Lion (presumably, something that is
> >> > referenced from /etc/authorization?).
> >> >
> >> > On Tue, Dec 20, 2011 at 12:11:32AM -0500, Derrick Brashear wrote:
> >> >> Why PAM and not an auth plugin?
> >> >>
> >> >> not that PAM is necessarily a bad idea.
> >> >>
> >> >> On Mon, Dec 19, 2011 at 3:51 PM, Dave Botsch <[email protected]> wrote:
> >> >> > Just to clarify, at the moment, I'm not trying to make it work with ssh.
> >> >> > I'm working with loginwindow, which makes use of the
> >> >> > /etc/pam.d/authorization file.
> >> >> >
> >> >> > From my initial post, you'll see that pam-afs-session is indeed after
> >> >> > pam_krb5. You'll also see that the pam-afs-session in the "session"
> >> >> > section never gets called (some oddity with loginwindow?).
> >> >> >
> >> >> > On Mon, Dec 19, 2011 at 12:49:42PM -0800, Russ Allbery wrote:
> >> >> >> Derrick Brashear <[email protected]> writes:
> >> >> >>
> >> >> >> > yeah, that's going to be the issue; the "answer" will either be that
> >> >> >> > afs_session needs to run after the krb5 module does whichever step
> >> >> >> > writes out the creds for real, or that it will have to learn how to raid
> >> >> >> > the temp kcm cache.
> >> >> >>
> >> >> >> The setcred step in pam_krb5 should do this, and pam_afs_session is always
> >> >> >> recommended to be run after pam_krb5 in auth for this reason. Maybe Mac
> >> >> >> OS X's native pam_krb5 doesn't write the ticket cache out until the
> >> >> >> session is created? If so, one fix may be to remove pam_afs_session from
> >> >> >> the auth stack entirely (although this will break with non-interactive
> >> >> >> ssh).
> >> >> >>
> >> >> >> --
> >> >> >> Russ Allbery ([email protected])             <http://www.eyrie.org/~eagle/>
> >> >>
> >> >> --
> >> >> Derrick

--
********************************
David William Botsch
Programmer/Analyst
CNF Computing
[email protected]
********************************
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
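Added example, not from this thread and not OpenAFS or Apple code: a small Python script (standard-library plistlib only) that reads an /etc/authorization-style plist, lists which rights and rules are of class evaluate-mechanisms (the only entries with a mechanisms array that a plugin such as aklog can be inserted into), follows a class=rule entry such as system.login.screensaver to the rule it delegates to, and inserts the aklog mechanism idempotently after PKINITMechanism:auth,privileged. The embedded plist is constructed for the example: the authenticate mechanism list is the one quoted above (before aklog was added), while the system.login.console, system.login.screensaver and authenticate-session-owner-or-admin entries are illustrative stand-ins in the Lion layout, not a copy of Apple's shipped file. All function names are mine.

```python
import plistlib
from typing import Dict, List, Optional

# Constructed sample in the Lion /etc/authorization layout: a "rights" dict and a "rules" dict.
# The "authenticate" mechanism list is the one quoted in the thread; the other entries are
# illustrative stand-ins, not a copy of Apple's shipped file.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key><string>evaluate-mechanisms</string>
      <key>mechanisms</key><array>
        <string>builtin:authenticate,privileged</string>
        <string>PKINITMechanism:auth,privileged</string>
      </array>
    </dict>
    <key>system.login.screensaver</key>
    <dict>
      <key>class</key><string>rule</string>
      <key>rule</key><string>authenticate-session-owner-or-admin</string>
    </dict>
  </dict>
  <key>rules</key>
  <dict>
    <key>authenticate</key>
    <dict>
      <key>class</key><string>evaluate-mechanisms</string>
      <key>mechanisms</key><array>
        <string>builtin:authenticate</string>
        <string>builtin:reset-password,privileged</string>
        <string>builtin:authenticate,privileged</string>
        <string>builtin:krb5authnoverify,privileged</string>
        <string>PKINITMechanism:auth,privileged</string>
      </array>
    </dict>
    <key>authenticate-session-owner-or-admin</key>
    <dict>
      <key>class</key><string>user</string>
      <key>session-owner</key><true/>
    </dict>
  </dict>
</dict>
</plist>
"""

AKLOG_MECH = "aklog:cnf.cornell.edu,privileged"  # mechanism string from the thread's excerpt


def load(data: bytes) -> dict:
    return plistlib.loads(data)


def _lookup(db: dict, name: str) -> dict:
    """Find a right or rule by name (rights first, then rules)."""
    for section in ("rights", "rules"):
        entry = db.get(section, {}).get(name)
        if entry is not None:
            return entry
    raise KeyError(name)


def resolve(db: dict, name: str, _seen: Optional[set] = None) -> List[str]:
    """Follow class=rule indirections to the entries that are actually evaluated."""
    seen = _seen if _seen is not None else set()
    if name in seen:
        raise ValueError("rule cycle at %s" % name)
    seen.add(name)
    entry = _lookup(db, name)
    if entry.get("class") != "rule":
        return [name]
    refs = entry.get("rule", [])  # a single rule name or an array of names
    refs = [refs] if isinstance(refs, str) else list(refs)
    return [leaf for r in refs for leaf in resolve(db, r, seen)]


def mechanism_hosts(db: dict) -> Dict[str, List[str]]:
    """Rights/rules with a mechanisms array: the only places a plugin such as aklog can go."""
    return {name: list(entry.get("mechanisms", []))
            for section in ("rights", "rules")
            for name, entry in db.get(section, {}).items()
            if entry.get("class") == "evaluate-mechanisms"}


def accepts_mechanisms(db: dict, name: str) -> bool:
    return _lookup(db, name).get("class") == "evaluate-mechanisms"


def insert_mechanism(db: dict, name: str, mech: str, after: Optional[str] = None) -> List[str]:
    """Idempotently add mech to an evaluate-mechanisms entry, right after `after` if present."""
    if not accepts_mechanisms(db, name):
        # The screensaver case: class=rule holds no mechanisms, so report where it delegates to.
        raise TypeError("%s is class %r and holds no mechanisms; it resolves to %s"
                        % (name, _lookup(db, name).get("class"), ", ".join(resolve(db, name))))
    mechs = _lookup(db, name).setdefault("mechanisms", [])
    if mech not in mechs:
        idx = mechs.index(after) + 1 if after in mechs else len(mechs)
        mechs.insert(idx, mech)
    return mechs


def dump(db: dict) -> bytes:
    """Serialise back to XML, preserving key order; write over /etc/authorization only from a backup."""
    return plistlib.dumps(db, sort_keys=False)
```

Run it against a copy of the real file as root, keep the original, and check the result with `plutil -lint` before installing it; a malformed /etc/authorization breaks loginwindow. On 10.9 and later the flat file is no longer authoritative (the authorization database, read with `security authorizationdb read <right>`, is), so this script applies to the Lion-era layout the thread is about.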
