cmcMac / loginwindowtools

Automatically exported from code.google.com/p/loginwindowtools

Not working on Mac OS X 10.7.4/OpenAFS 1.6.1 #1

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Use Mac OS X 10.7.4
2. Setup LDAP with correct AuthenticationAuthority Record. For example 
#;Kerberosv5;;$uid$@REALM;REALM
3. Setup aklogauthplugin (README)
4. Login with Network user

What is the expected output? What do you see instead?
Expected: Login is successful. User can access the AFS home directory as 
normal.
Seen: Login is successful, Kerberos ticket is available, aklog fails during 
login. Home directory is not accessible.
Oct  5 11:55:20 retina authorizationhost[4480]: Plugin starting
Oct  5 11:55:20 retina authorizationhost[4480]: Plugin started
Oct  5 11:55:20 retina authorizationhost[4480]: Mechanism Aklog setting up
Oct  5 11:55:20 retina authorizationhost[4480]: Mechanism Aklog set up
Oct  5 11:55:20 retina authorizationhost[4480]: Mechanism Aklog invoking
Oct  5 11:55:20 retina authorizationhost[4480]: Running with uid: 30000 gid: 10000 homedir: /afs/uni-paderborn.de/user/t/test
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: Credentials cache: API:30000:4
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]:         Principal: test@UNI-PADERBORN.DE
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]:   Issued    Expires    Principal
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: BASH=/bin/bash
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: BASH_ARGC=()
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: BASH_ARGV=()
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: BASH_EXECUTION_STRING=set
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: BASH_LINENO=()
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: BASH_SOURCE=()
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: BASH_VERSINFO=([0]="3" [1]="2" [2]="48" [3]="1" [4]="release" [5]="x86_64-apple-darwin11")
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: BASH_VERSION='3.2.48(1)-release'
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: DIRSTACK=()
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: EUID=46217
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: GROUPS=()
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: HOME=/var/root
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: HOSTNAME=testhost.uni-paderborn.de
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: HOSTTYPE=x86_64
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: IFS=$' \t\n'
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: LaunchInstanceID=00000000-0000-0000-0000-0000000186B5
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: MACHTYPE=x86_64-apple-darwin11
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: OPTERR=1
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: OPTIND=1
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: OSTYPE=darwin11
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: PATH=/usr/bin:/bin:/usr/sbin:/sbin
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: PPID=4480
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: PS4='+ '
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: PWD=/
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: SHELL=/bin/zsh
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: SHELLOPTS=braceexpand:hashall:interactive-comments
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: SHLVL=2
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: TERM=dumb
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: UID=46217
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: USER=root
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: _=/bin/bash
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: __LAUNCHD_FD=97
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: aklog: Couldn't get uni-paderborn.de AFS tickets:
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: aklog:
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: unknown RPC error (-1765328243) while getting AFS tickets
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: Authenticating to cell uni-paderborn.de (server afsdb1.uni-paderborn.de).
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: Trying to authenticate to user's realm UNI-PADERBORN.DE.
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: Getting tickets: afs/uni-paderborn.de@UNI-PADERBORN.DE
Oct  5 11:55:20 retina com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B5[4480]: Kerberos error code returned by get_cred : -1765328243
Oct  5 11:55:20 retina authorizationhost[4480]: The aklog command for user 30000 failed with a return code of: 1024
Oct  5 11:55:20 retina authorizationhost[4480]: Mechanism Aklog done invoking
Oct  5 11:55:21 retina authorizationhost[4480]: Mechanism Aklog finsishing
Oct  5 11:55:21 retina authorizationhost[4480]: Mechanism Aklog finsihed

On "https://andromeda.rutgers.edu/~sysmail/krb5_error.html" it says for 
-1765328243: KRB5_CC_NOTFOUND   Matching credential not found

What version of the product are you using? On what operating system?
Mac OS X 10.7.4, OpenAFS 1.6.1, download version of aklogauthplugin source, 
updated to use the latest Mac OS X base SDK

I tried the following steps to resolve the error:
Inserted system("/bin/bash -c set"); to look at the environment vars, no hint.
Inserted system("klist"); to have a look at the Kerberos ticket, shows the 
Kerberos ticket correctly.
Changed system("aklog"); to system("aklog -d"); (output see above).

Original issue reported on code.google.com by bkl...@googlemail.com on 5 Oct 2012 at 10:08

GoogleCodeExporter commented 8 years ago
Same error without the "userswitching thing" (pragma mark switch user, pragma 
mark revert to the root user)  for aklog. klist still says ticket is available. 

Original comment by bkl...@googlemail.com on 5 Oct 2012 at 12:53

GoogleCodeExporter commented 8 years ago
Ok. At login time there is no Kerberos principal in the keytab. (Empty keytab)
The credentials are stored in the keytab after system.login.console and before 
system.login.done.

So just put AklogAuthPlugin into system.login.done and it will work out of the 
box (on OS X 10.7).
I have left /etc/pam.d/ untouched.

Put this into the README... and close the bug.

Original comment by bkl...@googlemail.com on 5 Oct 2012 at 2:26
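
The change described in the last comment, moving the plugin's mechanism from the system.login.console right to system.login.done, as an added example that is not part of the original thread or the project's code. The mechanism string `AklogAuthPlugin:Aklog` is an assumption built from the plugin name and the "Mechanism Aklog" log lines, and the two sample rights are constructed and abbreviated.

```python
import plistlib

# Assumed "plugin:mechanism" string: the page names the plugin (AklogAuthPlugin)
# and its log shows "Mechanism Aklog"; confirm the exact string in the README.
MECHANISM = "AklogAuthPlugin:Aklog"


def _base(entry):
    # "name,privileged" and "name" refer to the same mechanism.
    return entry.split(",", 1)[0]


def mechanisms(right_xml):
    """Ordered mechanism list of an authorization right given as plist bytes."""
    right = plistlib.loads(right_xml)
    if right.get("class") != "evaluate-mechanisms":
        raise ValueError("right is not of class evaluate-mechanisms")
    return list(right["mechanisms"])


def move_mechanism(console_xml, done_xml, mech=MECHANISM):
    """Drop mech from the first right and append it to the second. Idempotent."""
    console, done = plistlib.loads(console_xml), plistlib.loads(done_xml)
    console["mechanisms"] = [m for m in mechanisms(console_xml)
                             if _base(m) != _base(mech)]
    if all(_base(m) != _base(mech) for m in mechanisms(done_xml)):
        # Mechanisms run in list order, so appending runs the plugin last.
        done["mechanisms"] = mechanisms(done_xml) + [mech]
    return plistlib.dumps(console), plistlib.dumps(done)


# Constructed, abbreviated rights (not the real 10.7 mechanism lists).
SAMPLE_CONSOLE = plistlib.dumps({
    "class": "evaluate-mechanisms",
    "mechanisms": ["loginwindow:login", "builtin:authenticate,privileged",
                   MECHANISM, "loginwindow:success"],
})
SAMPLE_DONE = plistlib.dumps({
    "class": "evaluate-mechanisms",
    "mechanisms": ["loginwindow:done"],
})

if __name__ == "__main__":
    new_console, new_done = move_mechanism(SAMPLE_CONSOLE, SAMPLE_DONE)
    print("system.login.console:", mechanisms(new_console))
    print("system.login.done:   ", mechanisms(new_done))
```

On a real machine the input plists come from `security authorizationdb read system.login.console` and `security authorizationdb read system.login.done`, and the results go back with `security authorizationdb write <right>`. Keep the unmodified dumps as a backup, since a broken login right can lock out the login window.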