Configuring OpenAFS on a Mac to Run aklog Automatically

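Because we want to use OpenAFS, the Mac has to be set up for Kerberos authentication. But Kerberos password authentication alone is not enough: you also need to be authorized by AFS. Normally you can type the aklog command in Terminal. But if users have to type a command after logging in to the Mac, they will be furious, so I had to search Google hard for an answer. Fortunately, I finally had a breakthrough: users can now get an AFS token without typing aklog.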

First, download the script at http://www.ibiblio.org/macsupport/kerberos/10.4/afs-login.sh. Its job is to run aklog as a post-login step after the user logs in. The setting on the Mac is:

sudo defaults write com.apple.loginwindow LoginHook /Library/Management/afs-login.sh

Edit the /etc/ttys file:

vi /etc/ttys

# Look for a line that reads:
#console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" vt100 on secure window=/System/Library/CoreServices/WindowServer onoption="/usr/libexec/getty std.9600"

# Edit this line so that it reads as follows (there are no breaks in this line):
#console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow -LoginHook /Library/Management/afs-login.sh" vt100 on secure window=/System/Library/CoreServices/WindowServer onoption="/usr/libexec/getty std.9600"

That's all there is to it 😛 This took a long time to sort out. Finally got it working 😀

HOWTO: Get an AFS Token (aklog) on Mac OS X after Kerberos Login

Getting an AFS token on Linux is quite easy, but getting one on Mac OS X is very painful. After you log in with Kerberos on Mac OS X, you have to type the "aklog" command to get your AFS token when you use OpenAFS. Otherwise, you have no permission to access OpenAFS files. This problem had me stuck for a while. Finally, I found the solution. I assume you already have Kerberos servers ready and that your Mac can talk to the Kerberos servers.

You have to download this script (http://www.ibiblio.org/macsupport/kerberos/10.4/afs-login.sh). In my case, I modified the script as follows:

########## Begin Script ##########

#!/bin/tcsh -f
############################ afs-login.sh ##########################
# Mike Bydalek | mbydalek at contentconnections com
# Use 'defaults write com.apple.loginwindow LoginHook' to make this
# script run upon user login.
####################################################################
# very minor mods by bil hays (bil_hays at unc edu)
############

### Description ###
#
# This script runs aklog for the particular user upon logging in
# to grab AFS tokens.

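### Debug/testing sanity check ###
# loginwindow passes the short name of the user logging in as the first argument
if ( $#argv < 1 ) then
    echo "No user specified!"
    exit 1
endif

### Script action ###
# We just need to run aklog
/usr/bin/aklog
# The hook itself runs as root, so switch to the login user to get their token
su "$1" -c /usr/bin/aklog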

### Always exit with 0 status
exit 0
########## End Script ##########

Once you have the script, you can put it wherever you like. I prefer to put it in the /Library/Management directory. We also need to tell Mac OS X to run it as the Login Hook. Use the following command:

sudo defaults write com.apple.loginwindow LoginHook /Library/Management/afs-login.sh

You also need to edit the /etc/ttys file to make the Login Hook work.

vi /etc/ttys

# Look for a line that reads:
#console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" vt100 on secure window=/System/Library/CoreServices/WindowServer onoption="/usr/libexec/getty std.9600"

# Edit this line so that it reads as follows (there are no breaks in this line):
#console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow -LoginHook /Library/Management/afs-login.sh" vt100 on secure window=/System/Library/CoreServices/WindowServer onoption="/usr/libexec/getty std.9600"

You can use the "klist" command to check your tokens.

$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: USERNAME@XXXXX.EDU.TW

Valid Starting     Expires            Service Principal
01/23/09 16:11:42  02/22/09 16:11:42  krbtgt/XXXXX.EDU.TW@XXXXX.EDU.TW
	renew until 01/23/09 16:11:42
01/23/09 16:11:43  02/22/09 16:11:42  afs@XXXXX.EDU.TW
	renew until 01/23/09 16:11:42
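
Because loginwindow runs the LoginHook script as root, the script and the directory holding it should be owned by root and not writable by group or others. The check below is an added example, not part of the original post or of afs-login.sh; the function names perm_problem and audit_login_hook are hypothetical, and it inspects only the script and its immediate directory.

```shell
#!/bin/sh
# Added example: audit the file that loginwindow runs as the LoginHook.
# The hook runs as root, so a script (or directory) that another account can
# modify lets that account run code as root at the next login.

# perm_problem PATH OWNER_UID   (hypothetical helper name)
# Prints each problem found and returns non-zero if PATH is missing, is a
# symlink, is not owned by OWNER_UID, or is writable by group or others.
# It parses `ls -ldn`, which has the same layout on macOS (BSD) and GNU ls.
perm_problem() {
    ls -ldn "$1" 2>/dev/null | awk -v path="$1" -v want="$2" '
        {
            seen = 1; mode = $1; uid = $3
            if (substr(mode, 1, 1) == "l") { print path ": is a symlink"; bad = 1 }
            if (uid != want) { print path ": owner uid " uid ", expected " want; bad = 1 }
            if (substr(mode, 6, 1) == "w") { print path ": group-writable"; bad = 1 }
            if (substr(mode, 9, 1) == "w") { print path ": world-writable"; bad = 1 }
        }
        END {
            if (!seen) { print path ": missing"; bad = 1 }
            exit bad
        }'
}

# audit_login_hook HOOK_PATH [OWNER_UID]   (hypothetical name)
# Checks the hook script and the directory that contains it. OWNER_UID
# defaults to 0 (root); the parameter exists so the check can be exercised
# on a scratch copy without being root.
audit_login_hook() {
    hook=$1
    owner=${2:-0}
    rc=0
    perm_problem "$hook" "$owner" || rc=1
    perm_problem "$(dirname "$hook")" "$owner" || rc=1
    return "$rc"
}
```

With the path used in this post, the call is `audit_login_hook /Library/Management/afs-login.sh`; a non-zero return means the ownership or mode of the hook or its directory needs to be corrected.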
