> Has anyone gotten Krb5, ldap, and AFS homedirs working reliably?
Yes, I have had MacOS X with kerberos, openldap, and OpenAFS home dirs working for 2 full semesters here at NC State. I have had kerberos, OpenAFS homes and some other kinds of directory service working for 2 years before that. We had hit-and-miss experiences with versions of the MacOS before 10.3 and openafs before 1.2.11. You might make it work on 10.2.8, but I would suggest upgrading to 10.3.2+.


> We've had to resort to setting up each individual user with a startup items script to run aklog.

Not sure this will really get the Finder in the PAG, but it might.

>
> I've tried the 'kfm_aklog' plugin, but it doesn't seem to work, and
> none of the apple login hook stuff seems to work.

We have been using a multi-cell modified version of aklog.loginLogout the entire time. We modified some code we picked up from Stanford to do multi-cell "aklog" based on /var/db/openafs/etc/TheseCells.

I think the plug-in is now available from:
http://macosx.si.umich.edu/files/aklog_loginLogout.hqx

Our modification is available from:
http://www.ncsu.edu/mac/downloads/multicellkfmaklog.dmg.zip

A good document to read is:
http://macosx.si.umich.edu/public/viewHowTo.php?HowToID=19#config


For ldap we use openldap with lots of schema, but mostly the inetOrg suite. Basically we follow umich on this one, with very minimal custom mapping in Directory Access.


Default Attribute Types are:
Record Name = uid

Users are:
Record Name = uid
Real Name = uid    // privacy precaution
UniqueID = uidNumber
Primary Groupid = gidNumber
NFSHomeDir = homeDirectory
UserShell = loginShell
AuthenticationAuthority = #;basic;    // also static map

This pretty much follows the Umich model from:
http://www-personal.umich.edu/~jhstew/umldapv3/

Directory Access is very, very picky about doing "live configuration" changes. I have to disable ldap, hit apply, then remove the custom authorization entry, change my ldap mappings, apply, add Authorization back, and then make it active and apply. Even with this, sometimes I have to reboot to get it to take.


Also, I assume you know that you have to add

login_logout_notification = "aklog"

to the [libdefaults] section in /Library/Preferences/edu.mit.kerberos.
(If you have NAT clients, you might also want to add
noaddresses = true)

And I assume that Kerberos is required for login in /private/etc/authorization, and that you actually require Kerberos for login, not just get tickets as a side effect.

Our authorization file for 10.3 (which has changed from the 10.2 Apple docs) has this:

-----

<key>system.login.console</key>
<dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>comment</key>
    <string>Login mechanism based rule. Not for general use, yet.
builtin:krb5authenticate can be used to hinge local authentication on a successful kerberos authentication and kdc verification.
builtin:krb5authnoverify skips the kdc verification. Both fall back on local authentication.</string>
    <key>mechanisms</key>
    <array>
        <string>loginwindow_builtin:login</string>
        <string>builtin:krb5authnoverify</string>
        <string>loginwindow_builtin:success</string>
        <string>builtin:getuserinfo</string>
        <string>builtin:sso</string>
    </array>
</dict>
<key>system.login.done</key>
<dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>comment</key>
    <string>builtin:krb5login can be used to do kerberos authentication as a side-effect of logging in. Local username/password will be used.</string>
    <key>mechanisms</key>
    <array>
        <string>switch_to_user</string>
        <string>builtin:krb5login</string>
    </array>
</dict>

-----



> What is the equivalent of a linux PAM line like:
>
> session libpam-openafs-session.so debug

As for PAM in general, we don't use PAM with loginwindow, but for ssh we do use pamkfm from Umich:
http://www.lsa.umich.edu/lsait/AdminTools/osx/software/
This of course depends on the login plug-in working.





--
Troy Benjegerdes 'da hozer' [EMAIL PROTECTED]

I hope this is helpful.

--
Everette Gray Allen
Systems Programmer II
ITD Computing Services
Macintosh Support Specialist
2620 Hillsborough St, Campus Box 7109
Raleigh, NC 27695-7109
919-515-4558
[EMAIL PROTECTED]
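The message above describes running "aklog" for every cell listed in /var/db/openafs/etc/TheseCells at login time, and earlier in the thread a per-user startup script running aklog is mentioned. The following script is an added example, not the NC State or Stanford code referred to above: it shows the multi-cell idea as a plain POSIX shell script that reads TheseCells (assumed to contain one cell name per line, with blank lines and "#" comments allowed), runs aklog -c for each cell, and reports how many cells failed so a login hook can log the failure instead of silently leaving a home directory unreadable. The file path and the AKLOG variable are assumptions; the sample cell names are constructed.

```shell
#!/bin/sh
# Example multi-cell aklog helper (added example, not the code from the
# message above). Obtains an AFS token for every cell named in TheseCells,
# using the Kerberos TGT the user already holds after login.

# Assumed defaults; both can be overridden from the environment.
THESECELLS="${THESECELLS:-/var/db/openafs/etc/TheseCells}"
AKLOG="${AKLOG:-aklog}"

# list_cells FILE
# Print one cell name per line, dropping "#" comments, surrounding
# whitespace and blank lines. Returns non-zero if the file is unreadable
# or names no cells at all.
list_cells() {
    [ -r "$1" ] || return 1
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

# aklog_all FILE
# Run "$AKLOG -c CELL" for each cell in FILE. The return value is the
# number of cells for which aklog failed (0 means every cell got a token),
# so a login hook can tell a partial failure from a complete one.
aklog_all() {
    failed=0
    if ! list_cells "$1" >/dev/null 2>&1; then
        echo "no cells readable from $1" >&2
        return 1
    fi
    for cell in $(list_cells "$1"); do
        if "$AKLOG" -c "$cell"; then
            echo "token obtained for cell $cell"
        else
            echo "aklog failed for cell $cell" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# When aklog is actually installed, run against the real TheseCells file;
# otherwise only the functions above are defined (useful for testing).
if command -v "$AKLOG" >/dev/null 2>&1; then
    aklog_all "$THESECELLS"
fi
```

In a login hook the non-zero return value is the thing to act on: log it (or show a dialog) rather than letting the session start with no tokens, since the symptom of a missing token is usually just an empty or permission-denied home directory.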


_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
