[OpenAFS] Mac OS X, AFS, and integrate
Sergio Gelato
Sergio.Gelato@astro.su.se
Wed, 8 Sep 2004 17:37:33 +0200
* pll+afs@permabit.com [2004-09-08 10:41:49 -0400]:
> In a message dated: Mon, 30 Aug 2004 19:24:40 +0200
> Sergio Gelato said:
>
> >To use, install under /Library/Kerberos\ Plug-Ins/aklog.loginLogout
> >and add a line
> >[libdefaults]login_logout_notification = "aklog"
> >to /Library/Preferences/edu.mit.Kerberos .
> >
> >s/aklog/afslog/ according to taste.
> >
> >Works with Mac OS 10.2 and 10.3; hopefully also with 10.4.
>
> Okay, I have this working, the interesting thing though, is that I
> get krb4 afs tickets, not krb5. Is there a way to specify that it
> should be getting me krb5 afs tickets instead, as is the norm when I
> run aklog manually?

Thanks. You've just reminded me why I was looking into afslog.loginLogout
in the first place. Indeed it's the main reason I can't quite turn off
krb524d yet. Alexei Kosut's kfm_aklog.c (aka aklog.loginLogout) is K4-only.

My main complaint with (Ragnar Sundblad's) afslog.loginLogout is that it
will not let me kinit as a principal that doesn't map to my local username
(where the mapping is supplied by krb5_aname_to_localname(), so the
administrator might be able to configure it). This is in the 2002-09-12
version, maybe it has been fixed since then. It's mostly an issue when
explicitly invoking kinit, not when the plug-in is called from loginwindow.

I can probably patch the code to do what I want, just haven't gotten around
to it yet. Might be as simple as changing

    if(initialuid != pwd->pw_uid)
        changeuid = 1;

to

    if(initialuid == 0 && pwd->pw_uid != 0)
        changeuid = 1;

and rebuilding.