I finally figured out how to set up MacOS Mountain Lion so that all users get an automatic kinit and aklog at login, and thus can have home directories in AFS. AFSBackgrounder doesn't do the job because it has to be configured for each user, and needs access to the home directories before it gets the token.

I got Kerberos to get a usable ticket by properly configuring /Library/Preferences/edu.mit.Kerberos and modifying /etc/pam.d/authorization so that the first non-comment line looks like:

auth       sufficient     pam_krb5.so use_first_pass default_principal

This creates a credential cache, and gives it a random name, but does not put that name in the environment. So I wrote a Perl script that looks in /tmp for the most recent CC file for the user, puts that path into the environment, and runs aklog. I put a plist file in /Library/LaunchAgents to run it. The source for those is at the end of this message.

We use LDAP for authorization, set up through the directory utility. Since we use plain unauthenticated LDAP, we needed to disable fancy authentication as shown here:

http://blog.smalleycreative.com/administration/fixing-openldap-authentication-on-os-x-lion/

Hope this proves useful for others.

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu

---------Perl Script /usr/local/sbin/afsaklog.pl------------

#!/usr/bin/perl
# Find the newest Kerberos credential cache in /tmp that belongs to the
# logged-in user, export it as KRB5CCNAME, and run aklog to get an AFS token.
use strict;
use warnings;

my $me = $ENV{'LOGNAME'} or die "LOGNAME is not set\n";
chdir "/tmp" or die "cannot chdir to /tmp: $!\n";

my $thetime = 0;
my $thefile = "";
my $myuid   = getpwnam($me);    # scalar context: numeric uid of $me
defined $myuid or die "unknown user $me\n";

# pam_krb5 names the cache krb5cc* with a random suffix, so pick the most
# recently modified one that is owned by this uid.
foreach my $file (glob("krb5cc*")) {
    my ($uid, $mtime) = (stat($file))[4, 9];    # owner uid and mtime
    next unless defined $uid;                   # file vanished between glob and stat
    if ($uid == $myuid && $thetime < $mtime) {
        $thetime = $mtime;
        $thefile = $file;
    }
}

if ($thefile ne "") {
    $ENV{'KRB5CCNAME'} = "/tmp/$thefile";
    system("aklog") == 0 or die "aklog failed: $?\n";
}

--------/Library/LaunchAgents/edu.cornell.math.loginhook.plist--------

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>Label</key>
   <string>edu.cornell.math.loginhook</string>
   <key>Program</key>
   <string>/usr/local/sbin/afsaklog.pl</string>
   <key>RunAtLoad</key>
   <true/>
</dict>
</plist>
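A hardened shell version of the cache-selection step, added here as an example and not part of Steve's post or of any OpenAFS-shipped script: it only accepts a regular, non-symlink file owned by the calling user with mode 0600, checks with klist -s that the cache actually holds a valid ticket before calling aklog, and fails with a message so launchd records it. The cache directory argument, the FILE: prefix on KRB5CCNAME, and the 0600 mode expected on pam_krb5's cache files are assumptions.

```sh
#!/bin/sh
# Added example: pick the newest credential cache in $1 (default /tmp)
# that is a regular file (not a symlink), owned by the calling user and
# mode 0600, and print its path. Returns 1 if nothing qualifies.
pick_krb5cc() {
    dir=${1:-/tmp}
    me=$(id -un)
    newest=""
    for f in "$dir"/krb5cc*; do
        [ -e "$f" ] || continue                  # glob matched nothing
        # find applies all three checks without following symlinks
        find "$f" -maxdepth 0 -type f -user "$me" -perm 600 | grep -q . || continue
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest=$f
        fi
    done
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# Export the chosen cache and get an AFS token; every failure is reported
# on stderr and returns non-zero so the LaunchAgent run shows up in the log.
afs_login() {
    cc=$(pick_krb5cc "$1") || { echo "afs_login: no usable krb5cc in ${1:-/tmp}" >&2; return 1; }
    export KRB5CCNAME="FILE:$cc"                 # assumption: FILE: prefix, equivalent to the bare path
    klist -s || { echo "afs_login: $cc holds no valid ticket" >&2; return 1; }
    aklog
}
```

Run it from the LaunchAgent in place of the Perl script as `afs_login` with no argument; the exit status tells launchd whether a token was obtained.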
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info