Thread: Example of the "correct" way to get tokens for Finder on login...

Example of the "correct" way to get tokens for Finder on login...
2006-03-07 19:06:32
Ok so looks like the windows folks are using Windows Login Scripts as the OpenAFS blessed way of getting tokens on login.  So my question is what is the OpenAFS blessed way of doing this on MacOS X and can someone post an example that is working for them?  The equiv. to windows is of course the login hook set with

sudo defaults write /var/root/Library/Preferences/com.apple.loginwindow LoginHook "/private/etc/hooks/login.hook"

except I could not get that mechanism to work with aklog.
Then I follow the suggestion of using system (not user) LaunchAgents from launchd and had some success there (see attached plist) but found that if a user does unlog then logs out (10.4.4 at least) they do not get new tokens on the next login unless a different person has logged in or a reboot has happened.  Not good either.
So what is the "blessed" reliable mechanism?  I need to use afs folders as home with 10.4.x on ppc and i386.
----

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>edu.ncstate.aklog</string>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/bin/aklog</string>
		<string>-c</string>
		<string>unity.ncsu.edu</string>
		<string>-c</string>
		<string>eos.ncsu.edu</string>
		<string>-c</string>
		<string>bp.ncsu.edu</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
	<key>ServiceDescription</key>
	<string>gets afs tokens for cells at ncstate</string>
</dict>
</plist>


----
-- 
Everette Gray Allen		Systems Programmer II
ITD Computing Services	Macintosh Support Specialist
2620 Hillsborough St, Campus Box 7109
Raleigh, NC 27695-7109  AIM: EveretteAlln
919-515-4558		Everette_Allenncsu.edu
_______________________________________________
port-darwin mailing list
port-darwinopenafs.org
https://lists.openafs.org/mailman/listinfo/port-darwin
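A worked version of the multi-cell agent in the post above, added here as an example and not code from the original post or from OpenAFS: it builds the same launchd job from a list of cells with plistlib, recovers the cell list from any aklog argument vector (both the `-c cell` form used in the plist and the bare `aklog cellone celltwo` form that comes up later in the thread), and audits a serialised agent for the things a reviewer checks first: an absolute program path, at least one cell, and RunAtLoad set. The label `example.weak.aklog` and the weak sample plist are constructed for the demonstration; the set of value-taking aklog options follows aklog's documented usage line.

```python
"""Build, parse and audit a launchd agent that runs aklog for several AFS cells.

Added example for this thread; not code from the original post.  The weak
sample at the bottom is constructed to show what the audit reports.
"""
import plistlib

AKLOG_DEFAULT = "/usr/bin/aklog"
# aklog options that consume the following argument (from aklog's usage line);
# everything else that starts with '-' is a flag, and bare words are cells.
AKLOG_VALUE_OPTIONS = {"-c", "-cell", "-k", "-p", "-path"}
AKLOG_CELL_OPTIONS = {"-c", "-cell"}


def build_aklog_agent(label, cells, aklog_path=AKLOG_DEFAULT, description=None):
    """Return the launchd job dictionary for a RunAtLoad agent that obtains
    tokens for every cell in `cells`, each passed to aklog as `-c <cell>`."""
    if not cells:
        raise ValueError("at least one AFS cell is required")
    args = [aklog_path]
    for cell in cells:
        args += ["-c", cell]
    job = {"Label": label, "ProgramArguments": args, "RunAtLoad": True}
    if description:
        job["ServiceDescription"] = description
    return job


def to_plist_bytes(job):
    """Serialise the job as the XML plist launchd reads from disk."""
    return plistlib.dumps(job)


def cells_from_args(args):
    """Recover the cell list from an aklog argument vector (argv[0] included).
    Accepts both `-c cell` and bare positional cell names."""
    cells = []
    i = 1
    while i < len(args):
        arg = args[i]
        if arg in AKLOG_CELL_OPTIONS:
            if i + 1 < len(args):
                cells.append(args[i + 1])
            i += 2
        elif arg in AKLOG_VALUE_OPTIONS:
            i += 2          # option plus its value, e.g. -k REALM
        elif arg.startswith("-"):
            i += 1          # a flag such as -noprdb or -force
        else:
            cells.append(arg)
            i += 1
    return cells


def cells_from_plist(data):
    """Cells an on-disk agent would hand to aklog."""
    job = plistlib.loads(data)
    return cells_from_args(job.get("ProgramArguments") or [])


def audit_agent(data):
    """Findings for a serialised agent; an empty list means nothing to flag."""
    job = plistlib.loads(data)
    findings = []
    args = job.get("ProgramArguments") or []
    if not job.get("Label"):
        findings.append("missing Label")
    if not args:
        findings.append("missing ProgramArguments")
    else:
        if not args[0].startswith("/"):
            findings.append("program path %r is not absolute" % args[0])
        if not cells_from_args(args):
            findings.append("no AFS cell given to aklog")
    if job.get("RunAtLoad") is not True:
        findings.append("RunAtLoad is not true, so aklog will not run when "
                        "the agent is loaded")
    return findings


# Constructed weak sample (relative program path, no RunAtLoad); not from the thread.
WEAK_AGENT_PLIST = plistlib.dumps({"Label": "example.weak.aklog",
                                   "ProgramArguments": ["aklog"]})

if __name__ == "__main__":
    job = build_aklog_agent("edu.ncstate.aklog",
                            ["unity.ncsu.edu", "eos.ncsu.edu", "bp.ncsu.edu"],
                            description="gets afs tokens for cells at ncstate")
    print(to_plist_bytes(job).decode("utf-8"))
    print("weak sample findings:", audit_agent(WEAK_AGENT_PLIST))
```

The audit checks the shape of the file only; it cannot say anything about the re-login behaviour Everette reports, which depends on when launchd re-runs the job rather than on the plist's contents.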

Example of the "correct" way to get tokens for Finder on login...
2006-03-08 21:36:38
Hi Everette,

I asked around, and the best way to do this is probably to use some sort of hook into loginwindow. The simplest way may be to use PAM on Mac OS X. Unfortunately, I'm not sure where the documentation for that would be.  Here's one possible resource:

http://weblog.bignerdranch.com/?p=6

You might try to find someone who understands PAM, to see if they can help.  We'll try to take a look, but I can't say for sure when.

Best,
-- Ernie P.


On Mar 7, 2006, at 11:06 AM, Everette Allen wrote:


Example of the "correct" way to get tokens for Finder on login...
2006-03-08 22:12:02
Hi
	I found this page http://tech.ait.iastate.edu/macosx/how-to/kerberized-login.shtml#10.4 which shows how to get tickets at login, but it does not get tokens. The apple page http://docs.info.apple.com/article.html?artnum=107154 has not been updated yet.
	I think there is a security issue relating to LDAP using this modification to /etc/authorization in 10.4 but I have not heard anything about it recently.
	For OS X 10.3 I have used a kerberos plugin called aklog.loginLogout but it is not available for OS X 10.4 yet that I know of. I have not tried to do any PAM stuff with OS X 10.4 so I am not sure if it will work or not.

Keith

On 9/03/2006, at 10:36 AM, Ernest Prabhakar wrote:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Keith Johnston					xtn: 87977
Computer Support
Computer Science Department			Rm 395

	This email is brought to you by the letters OS X and the number 10,4 and 4
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



Example of the "correct" way to get tokens for Finder on login...
2006-03-09 19:34:11
Ok folks let's **really** talk about this:

So first I am aware of Alexei Kosut's (who now works for Apple doing other things) kfm_aklog kerberos plug-in, in fact with permission from Stanford we took this plug-in from the MacLeland work and modified it to do multi-cell authentication as we needed it (ie the equiv of aklog cellone celltwo cellthree).  This plug-in basically re-implements the aklog source code as plug-in to the kerberos plug-in for loginwindow (whose activation in /private/etc/authorization is still developer material and not updated for 10.4 to date, see http://docs.info.apple.com/article.html?artnum=107154).

By my count there were no less than three implementations of a kerberos plug-in based on this API: http://web.mit.edu/macdev/KfM/KerberosFramework/KerberosLogin/Documentation/LoginLogoutNotification.html.
See:
a) http://akosut.com/software/
b) https://lists.openafs.org/pipermail/port-darwin/2003-July/000309.html
c) https://lists.openafs.org/pipermail/port-darwin/2003-July/000308.html

None of these were ever rolled into the afs source tree as "blessed" by the afs community to my knowledge nor did Apple ever say it "blessed" or would continue to support this method of using the LoginLogoutNotification API for this function.

A member of my team asked about updating Kosut's plug-in to V5:
http://mailman.mit.edu/pipermail/krbdev/2004-February/002278.html
with some feedback from Alexandra but that work never got done AFAICT.

And what happened with this thread:
http://lists.openafs.org/pipermail/openafs-devel/2005-February/011597.html
??  Looks like Ken H. killed the patches but should they be reconsidered now?

Note the last time this community had this discussion via this thread with no conclusive outcome:
https://lists.openafs.org/pipermail/port-darwin/2002-October/000112.html

Also as of 10.4.x looks like some of the kerberos work, running the kerberos agent per user, is done with mach_init; see /private/etc/mach_init_per_user.d/KerberosAgent.plist.
At the suggestion of some 3rd parties I have been able to use this mechanism to do aklog cellone celltwo cellthree with good results but this does not seem to secure tokens at logout the way Kosut's plug-in does.

So back to the real question... the windows folks have a "blessed" by the openafs community and MS mechanism to acquire tokens usable to the gui and the MacOS platform does not, what do we need/want and how do we go about getting to this point?   Right now we have a mishmash of cobbled together mechanisms which may or may not survive even minor OS updates and that needs to change...

> Sly Upah wrote:
> FWIW, it execs aklog as the user so it does get tokens.
> Regards,
> Sly
> 

-- 
Everette Gray Allen		Systems Programmer II
ITD Computing Services	Macintosh Support Specialist
2620 Hillsborough St, Campus Box 7109
Raleigh, NC 27695-7109  AIM: EveretteAlln
919-515-4558		Everette_Allenncsu.edu

Example of the "correct" way to get tokens for Finder on login...
2006-03-09 19:52:11
On Thu, Mar 09, 2006 at 02:34:11PM -0500, Everette Allen wrote:
> So first I am aware of Alexei Kosut's (who now works for Apple doing other things) kfm_aklog kerberos plug-in, in fact with permission from Stanford we took this plug-in from the MacLeland work and modified it to do multi-cell authentication as we needed it (ie the equiv of aklog cellone celltwo cellthree).  This plug-in basically re-implements the aklog source code as plug-in to the kerberos plug-in for loginwindow (whose activation in /private/etc/authorization is still developer material and not updated for 10.4 to date, see http://docs.info.apple.com/article.html?artnum=107154).
> 
> By my count there were no less than three implementations of a kerberos plug-in based on this API: http://web.mit.edu/macdev/KfM/KerberosFramework/KerberosLogin/Documentation/LoginLogoutNotification.html.
> See:
> a) http://akosut.com/software/
> b) https://lists.openafs.org/pipermail/port-darwin/2003-July/000309.html
> c) https://lists.openafs.org/pipermail/port-darwin/2003-July/000308.html

I've been working on getting (c) updated for current OpenAFS versions and 10.4.  So far my plugin works when I kinit, but the Kerberos 5 native version apparently crashes the process hosting it when I try to have it run on login.  Because of the way in which this process runs, I haven't been able to get a stack trace or core dump, so debugging is rather painful.

A recompile of the older one works, but we're trying to get rid of gssklog/krb524 stuff here.  For now we're using the /etc/mach_init_per_user.d trick on our test 10.4 box, but I'm planning on debugging the login/logout plugin this weekend so we can migrate our public Macs to 10.4 in the next few weeks.

However, if anyone else has a plugin that works, I don't need to reinvent the wheel - no need for three pieces of software that do the same thing.

Somewhat related - does anyone have an /etc/authorization file that works for Kerberos logins, and preferably other things such as unlocking the screen saver, System Preferences, Finder, etc.?  The one I've constructed works in most places but breaks remote SSH logins for everyone, and it's a tedious process of trial and error to determine which rules need changing and how.

-- 
Nicholas Riley <njrileyuiuc.edu> | <http://www.uiuc.edu/ph/www/njriley>
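For the /etc/authorization trial-and-error problem Nicholas describes, an added example (not from the thread, and not the stock file of any OS X release): it reads two versions of the authorization plist, lists which rights invoke a given mechanism (so you can see whether a mechanism hooked into console login has also been hooked into other rights), and reports per right what changed between the two files. The sample data is constructed; `krbplugin_example:login` and `example.custom.right` are placeholder names, and the other mechanism and rule names are illustrative only.

```python
"""Audit an /etc/authorization-style plist: which rights invoke a mechanism,
and what changed between two versions of the file.

Added example for this thread, not code from it.  The sample data below is
constructed; `krbplugin_example:login` and `example.custom.right` are
placeholder names, and the other mechanism and rule names are illustrative
only, not a transcript of any OS X release's stock file.
"""
import plistlib


def load_rights(data):
    """The `rights` dictionary of a serialised authorization plist."""
    return plistlib.loads(data).get("rights", {})


def _base_name(mechanism):
    # Mechanism entries may carry a ",privileged" suffix; compare on the name.
    return mechanism.split(",", 1)[0]


def mechanisms_for_right(rights, right_name):
    """Mechanism chain of one right; empty for rule-based rights."""
    return list(rights.get(right_name, {}).get("mechanisms", []))


def rights_using_mechanism(rights, mechanism):
    """Sorted names of every right whose chain invokes `mechanism`."""
    wanted = _base_name(mechanism)
    return sorted(name for name, spec in rights.items()
                  if any(_base_name(m) == wanted
                         for m in spec.get("mechanisms", [])))


def diff_rights(old_data, new_data):
    """Per-right comparison of two serialised files: rights added, rights
    removed, and rights whose definition changed (old spec, new spec)."""
    old, new = load_rights(old_data), load_rights(new_data)
    report = {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": {},
    }
    for name in sorted(set(old) & set(new)):
        if old[name] != new[name]:
            report["changed"][name] = (old[name], new[name])
    return report


# Constructed stock-style file with three rights (illustrative names only).
STOCK_AUTH = plistlib.dumps({
    "rights": {
        "system.login.console": {
            "class": "evaluate-mechanisms",
            "mechanisms": ["builtin:auto-login,privileged",
                           "loginwindow_builtin:login",
                           "builtin:authenticate,privileged"],
        },
        "system.login.tty": {
            "class": "evaluate-mechanisms",
            "mechanisms": ["builtin:authenticate,privileged"],
        },
        "system.login.screensaver": {
            "class": "rule",
            "rule": "authenticate-session-owner-or-admin",
        },
    },
    "rules": {},
})


def _modified_copy():
    # A site edit that hooks a placeholder Kerberos mechanism into two rights
    # and adds a custom right; this is what an admin would then want to review.
    doc = plistlib.loads(STOCK_AUTH)
    for right in ("system.login.console", "system.login.tty"):
        doc["rights"][right]["mechanisms"].insert(1, "krbplugin_example:login")
    doc["rights"]["example.custom.right"] = {
        "class": "evaluate-mechanisms",
        "mechanisms": ["krbplugin_example:login"],
    }
    return plistlib.dumps(doc)


MODIFIED_AUTH = _modified_copy()

if __name__ == "__main__":
    rights = load_rights(MODIFIED_AUTH)
    print("rights invoking krbplugin_example:login:",
          rights_using_mechanism(rights, "krbplugin_example:login"))
    report = diff_rights(STOCK_AUTH, MODIFIED_AUTH)
    print("added:", report["added"], "removed:", report["removed"])
    for name, (before, after) in report["changed"].items():
        print(name, "mechanisms:", before.get("mechanisms"),
              "->", after.get("mechanisms"))
```

Point it at a saved copy of the stock file and your edited one to see exactly which rights your edit touched before you test them one login path at a time.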