The Mac OS X Kerberos Extras package includes add-ons for the built-in Kerberos on Mac OS X 10.2 or 10.3 that allow it to work with CFM-based Kerberos-using applications such as Eudora and Fetch, and makes an alias to the GUI Kerberos management application in a more convenient location. Also included is a configuration file preconfigured for MIT.
The .vct archive provided with this project shows how these components are installed by the Mac OS X Kerberos Extras installer that MIT distributes.
If you have any questions or comments, please send them to <krbdev@mit.edu>.
The minimum system required for the components installed is Mac OS X 10.2.
The .vct requires Mindvision Installer VISE 8.0.2 or later.
There are two packages: Easy Install and Install New Configuration File.
Easy Install installs the Kerberos CFM support library, places an alias to the GUI Kerberos management application in /Applications/Utilities (the Kerberos application ships in /System/Library/CoreServices), and edu.mit.Kerberos (the Kerberos configuration file), if one doesn't exist already (see below for locations). At the end it calls a couple of shell script external resources to set file permissions.
Install New Configuration File will force the installation of a new Kerberos configuration file (edu.mit.Kerberos), moving any existing one to the Trash and putting a fresh copy in its place. Instead of the user having to choose Custom Install to get to this package, it's set to appear in the install pop-up directly.
The Mac OS X Kerberos Extras installer, like the KfM 4.0.3 for OS X installer, needs to install and find files in Mac OS X directories that are not part of VISE's standard install locations, such as the /System locations.
So we created a set of custom install locations, which are built as an external code resource using C in CodeWarrior. The custom locations are compiled as a plug-in that is placed in the VISE application's folder.
Fortunately, once specified in the installer archive, the custom install locations "stick" in the installer archive and work without the plug-in being present, so in theory you shouldn't need the plug-in. In practice and for best results, however, you should copy the file ExternalCodeResources:KfMLocations:KfM Locations from the installer source distribution to the "Install Locations" subfolder of your VISE application's folder before making any changes to the installer.
This is basically the same external code we used for the KfM 4.0.3 for OS X installer, with a couple of additional locations. As such, many of the custom locations aren't used by the Kerberos Extras installer.
The custom install locations are:
Temporary/Old KfM Files
/System/Library/Authenticators
/System/Library/CFMSupport
/System/Library/Frameworks
/System/Library/CoreServices
/Library/Preferences
/Library/Receipts
/usr
/usr/bin
/usr/include
/usr/lib
/private/var/root/.Trash
The only two used in the Kerberos Extras installer are /System/Library/CFMSupport and /System/Library/CoreServices.
From now on this document will refer to these locations without necessarily specifying that they are custom locations; basically any location that looks like a Unix path is a custom location.
In the table below, actual files and folders are displayed in bold, whereas action item names are displayed in italics. Each action item has a definition of what it does, and then an explanation of why it does this (except for comment "action" items).
Items are listed in the order in which they appear in the .vct. Some may be inside placeholder folders for organizational purposes; this list is equivalent to the order of items if the hierarchy were flattened.
Some of the Gestalts used are not part of the VISE default Gestalts - they are custom Gestalt checks which are included in the .vct file (you can easily create and edit the Gestalts in VISE).
Files | Install To: | Replace | Gestalts | Packages |
Message Action Item: Message OS X Too New - If the installer is run on an OS whose version is Mac OS X 10.4 or greater (a check made using a custom Gestalt, based on an educated guess about what the next Mac OS version will be at a minimum), this action item displays a warning message that the Kerberos Extras are not supported on this unknown version of Mac OS X and thus the installer will not continue. Since we don't know what features of KfM future OS X versions will hold, we don't want to install these Extras which are specifically tailored to 10.2 and 10.3 on them. | n/a | n/a | Mac OS X 10.4 or Greater | Easy Install |
Stop Action Item: Stop Mac OS X Too New - If the installer is run on an OS whose version is Mac OS X 10.4 or greater (a check made using a custom Gestalt, see above), this action item brings the installation to a halt before it can begin. | n/a | n/a | Mac OS X 10.4 or Greater | Easy Install |
Comment Action Item: --Trash Old Kerberos.app | n/a | n/a | n/a | n/a |
Move Action Item: Trash old Kerberos.app Appl - Searches This removes previous versions of the Kerberos application that might be left around from KfM 4.0 if the user upgraded from Mac OS X 10.1 instead of clean-installing 10.2/10.3. | n/a | Always (Rename Existing) | | Easy Install |
Move Action Item: Trash old Kerberos.app Util - Searches This removes previous versions of the Kerberos application that might be left around from KfM 4.0 if the user upgraded from Mac OS X 10.1 instead of clean-installing 10.2/10.3. | n/a | Always (Rename Existing) | | Easy Install |
Comment Action Item: --Delete Old Bridge Libraries | n/a | n/a | n/a | n/a |
Delete Action Item: Delete old Kerberos.bridge - Looks in This removes an out of date CFM support library (it was renamed for Mac OS X 10.2). The old bridge libraries will never be useful on 10.2 or later, so we just get rid of them. | n/a | n/a | | Easy Install |
Delete Action Item: Delete Kerberos Support.bridge - Looks in This removes an out of date CFM support library (it was renamed and combined into one file for Mac OS X 10.2 and later). The old bridge libraries will never be useful on 10.2 or later, so we just get rid of them. | n/a | n/a | | Easy Install |
Comment Action Item: --Install CFM support library | n/a | n/a | n/a | n/a |
Kerberos | /System/Library/CFMSupport, System Domain | Always | | Easy Install |
Comment Action Item: --Make alias to Kerberos.app | n/a | n/a | n/a | n/a |
Alias Action Item: Alias Kerberos.app to /Appl/Uti - Places an alias to Kerberos.app, the GUI Kerberos management application in | n/a | Always | | Easy Install |
Comment Action Item: --Install simple config file | n/a | n/a | n/a | n/a |
edu.mit.Kerberos - Don't replace existing configuration files which are probably valid. | Preferences Folder, Local Domain | Never | | Easy Install |
Comment Action Item: --Install New Config File | n/a | n/a | n/a | n/a |
Message Action Item: Config Replace Warning - Warns the user that choosing to install this package will replace their existing configuration file and lose any modifications they've made, do they want to proceed? | n/a | n/a | | Install New Config File |
Move Action Item: Trash edu.mit.Kerberos - Searches This is a simple backup if the user suddenly decided they didn't want to do this even after the dialog made sure. | n/a | Always (Rename Existing) | | Install New Config File |
edu.mit.Kerberos (VISE shadow item) - Needed another pointer to this file, even though it's installed in the same place as the one above, because in the "Install New Config File" package it's set to always replace instead of never replace. | Preferences Folder, Local Domain | Always | | Install New Config File |
Require OS X Authentication (Attributes tab of "Installer Settings") - Since the installer installs (and deletes) files in directories owned by root, the installer must have administrator access. This option is checked so that the installer will prompt for an administrator password when it starts up. The install will not continue if a password isn't entered. The installer would fail when attempting to install some files if this option was unchecked.
The edu.mit.Kerberos configuration file may be found in two locations on a Mac OS X volume, the system configuration in /Library/Preferences and the user configuration in /User/userid/Library/Preferences. The MIT installer installs the edu.mit.Kerberos file in the system location so that it is accessible by all users of a Mac OS X machine, and you should do the same. See the Kerberos Preferences on Mac OS X Documentation for a full explanation.
VISE allows you to put UNIX shell scripts in resources so that they can then be called by your installer to do specialized tasks. The Mac OS X Kerberos Extras installer calls a couple of these at the end of the install to set file permissions and owners correctly. (VISE allows you to set a file's permissions and group, but not its owner, and only allows you to do this for files which the installer is installing, not for pre-existing files.) See the VISE manual for information on how they are created; the ones used by the Kerberos Extras installer are included in the file "ChangePermissions.rsrc" in the "External Code Resources" folder. The shell scripts are simply text stored as a resource; you should be able to read and edit them (although editing should not be necessary) using ResEdit or Resource.
These shell scripts have absolute paths in them to refer to the files in question.
They are called at the end of the installer by setting the External Codes:After Install settings in the "Extras" section of the "Installer Settings."
It is important that your installer call these shell scripts, otherwise it may compromise the security of the system the software is installed on.
Chown CFM Support Library
Changes the Kerberos CFM support library to have: owner root, group wheel, permissions u=rwx g=rx o=rx. This is consistent with other system-level software.
Chown edu.mit.Kerberos
Changes the edu.mit.Kerberos configuration file to have: owner (user who is installing), group admin, permissions u=rw g=rw o=r . This will also fix up the permissions on any existing edu.mit.Kerberos file.
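As an added example (not the scripts stored in ChangePermissions.rsrc, which this page does not reproduce), the following shell functions audit the ownership and modes described above. It assumes the support library is the file Kerberos in /System/Library/CFMSupport, the system configuration is /Library/Preferences/edu.mit.Kerberos, and that root and wheel are numeric ID 0 and admin is group ID 80 (the usual Mac OS X values); check_file, audit_kerberos_extras and the --audit argument are names made up for this example.

```shell
#!/bin/sh
# Added example, not MIT's installer scripts: audit the owner, group and mode
# that the two post-install scripts are documented to set.

# check_file PATH MODE UID GID
#   MODE is the 10-character string printed by ls (for example -rwxr-xr-x).
#   UID and GID are numeric; "-" skips that comparison.
# Returns 0 on a match, 1 on drift, 2 if the file is missing.
check_file() {
    path=$1; want_mode=$2; want_uid=$3; want_gid=$4
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 2
    fi
    # ls -lnd prints the mode string plus numeric owner and group. Keep only
    # the first 10 mode characters so an ACL or xattr marker is ignored.
    # A symlink is listed as l......... and therefore fails the mode check.
    set -- $(ls -lnd "$path" | awk '{ print substr($1, 1, 10), $3, $4 }')
    bad=0
    [ "$1" = "$want_mode" ] || { echo "MODE $path: $1, expected $want_mode"; bad=1; }
    [ "$want_uid" = "-" ] || [ "$2" = "$want_uid" ] ||
        { echo "OWNER $path: uid $2, expected $want_uid"; bad=1; }
    [ "$want_gid" = "-" ] || [ "$3" = "$want_gid" ] ||
        { echo "GROUP $path: gid $3, expected $want_gid"; bad=1; }
    return "$bad"
}

# Expected state from the two script descriptions above.
# Assumed numeric IDs: root = 0, wheel = 0, admin = 80.
audit_kerberos_extras() {
    rc=0
    # CFM support library: owner root, group wheel, u=rwx g=rx o=rx
    check_file /System/Library/CFMSupport/Kerberos -rwxr-xr-x 0 0 || rc=1
    # Config file: owner is whoever ran the installer (not checked),
    # group admin, u=rw g=rw o=r
    check_file /Library/Preferences/edu.mit.Kerberos -rw-rw-r-- - 80 || rc=1
    return "$rc"
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_kerberos_extras
fi
```

A world-writable configuration file or a support library not owned by root shows up as a MODE or OWNER line and a non-zero exit status.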
Questions or comments? Send mail to macdev@mit.edu
Last updated on 2003/09/10 19:17:12
Last modified by smcguire