Does anyone know how to configure Kerberos with Lion?

To be frank: Kerberos is seriously FOOBAR in Lion for the moment.

Usually, requesting a ticket with the Ticket Viewer (in /System/Library/Core Services) works, but at login, no.

Oh, and as for the config files, I'm still searching for them.

Usually Apple puts them in a .plist somewhere, but they are still to be found.

Opening a terminal and issuing the command:

odutil set log debug

gives you quite extensive logging in the /var/log/opendirectoryd.log

Hi,

I have similar problem, I can not connect to my Lion server to the SSH and IMAP services using Kerberos to authenticate :-|

The server is able to mount kerberized NFS volumes, but do not accept kerberos clients :-|

Mi Lion client is able to connect to other kerberized services in other platforms (SnowLeopard, Linux, Solaris), but not Lion Server!!! Amazing.....

My KDC is a Solaris Kerberos server.

Thanks in advance for any idea.

H.

Hi!

Sincerly.. I don't do anything new. I reuse mi old /etc/krb5.conf :-|

From my Lion Client and Server I am able to use kinit to request kerberos tickets, and use them to authenticate to all my kerberized services (NFS, IMAP, HTTP, SSH, LDAP) in other servers, but it do not work with the Lion server.

I am not able to connect to my KDC with the Lion kadmin....

When I try to connect to the Lion Server, it reply the new ticket, but (i think) he is not able to recognize them :-|, so it reject the ticket.

I will try to change the /etc/authorization file to try to automatic kinit in the login process in my iMac desktop.

This is my /etc/krb5.conf

I hope this be useful for other people.

Best regards.

H.

#

#pragma ident "@(#)krb5.conf 1.2 99/07/20 SMI"

# Copyright (c) 1999, by Sun Microsystems, Inc.

# All rights reserved.

#

# krb5.conf template

# In order to complete this configuration file

# you will need to replace the __<name>__ placeholders

# with appropriate values for your network.

#

[libdefaults]

default_realm =MY_REALM

renewable = true

forwardable= true

ticket_lifetime = 20d

renew_lifetime = 1d

default_tgs_enctypes = aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5

default_tkt_enctypes = aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5

[realms]

MY_REALM = {

kdc = FQDN_MASTERKDC:88

kdc = FQDN_REPLICA1KDC:88

kdc = FQDN_REPLICA2KDC:88

kdc = FQDN_REPLICA3KDC:88

admin_server = FQDN_MASTERKDC:749

default_domain = dns_domain

}

[domain_realm]

dns_domain = MY_REALM

[appdefaults]

kinit = {

renewable = true

forwardable= true

renew_time = 24h

ticket_lifetime = 20d

}

I got it nearly working (and partly even better than in SL).

1. removed /Library/Preferences/edu.mit.Kerberos
2. created /etc/krb5.conf

The latter now seems to be considred (it was not in SL). However, the syntax changed. The differences between the former and the one I use now are the following:

[libdefaults]

default_realm = ...

default_etypes = arcfour-hmac-md5

default_etypes_des = des-cbc-md5,des-cbc-crc

KDC is an Active Directory Server 2008 R2.

ssh, imap, smtp, web works with Kerberos-authentication.

However: we restrict encryption-types in order to allow NFS with sec=krb5 on Linux-hosts. NFS worked in SL, but not in Lion anymore. The following error is reported in /var/log/system.log:

Jul 22 06:24:25 ... com.apple.netauth.user.auth[1687]: mount_nfs: can't mount /export/dat/... from ... onto /Volumes/...: Permission denied

Jul 22 06:24:41 ... gssd-agent[1689]: nfs client Kerberos...:/export/dat/..., uid=... - unknown mech-code 2529638926 for mech unknown

Checking tickets in a terminal after the attempt does not reveal any nfs-ticket!

Command was:

/sbin/mount_nfs -o resvport,sec=krb5 ...:/export/dat/... /tmp/a

Anyone an idea?

The good part is, that smb now works in the Finder (it did not for us in SL). So we could use that, but actually NFS/automounter would be nicer as it does not require passwords.

And yes, like other before me stated as well: Lion gives me the impression of a not quite ready product. The interface changes are nice, but the enterprise features are buggy and all that hiding of formerly visible directories s..... Guess we are not that far away from the point, where the terminal and X11 vanish for ever, which - to my opinion - would diminish greatly the use fullness of OSX in the edu market.

Hi Vincent,

About the problem kinit is not able to reach KDC: sometimes I had the same problem in a linux boxes in my workplace. Add a new line in the /etc/hosts file with the KDC's IP address BUT (and this is important) use the FQDN in first place:

192.168.1.1 kerberos.home.com kerberos

If you use just the hostname, does not work

About the firewall: I deactivate the firewall in the Lion Server while I finish the migration, in order to avoid any communication restriction.

Thanks in any case.

FYI:

To activate the kerberos ticket request at login in the MacOS Lion (Server or standalone), you can modify the /etc/authorization file making the follow changes:

In section system.login.done

<key>system.login.done</key>

<dict>

<key>class</key>

<string>evaluate-mechanisms</string>

<key>mechanisms</key>

<array>

<string>builtin:krb5authnoverify,privileged</string>

</array>

</dict>

changing

<array/>

for

<array>

<string>builtin:krb5authnoverify,privileged</string>

</array>

And in system.login.tty make the follow changes:

add <string>builtin:krb5login</string> in mechanisms array. The final setting looks like:

<key>system.login.tty</key>

<dict>

<key>class</key>

<string>evaluate-mechanisms</string>

<key>mechanisms</key>

<array>

<string>push_hints_to_context</string>

<string>authinternal</string>

<string>builtin:krb5login</string>

</array>

<key>tries</key>

<integer>1</integer>

</dict>

There are the same changes for SL, but was deactivated in the migration process.....

I hope this information be useful for anybody

H.

Hi,

After the upgrade to Lion, I too had difficulties in getting Kerberos working. This thread proved very helpful in tracking down and resolving the problem - many thanks for that. I thought it may be helpful to summarize what eventually worked for me.

With the switch from the MIT to Heimdal Kerberos implementation, the default connection type changed from TCP to UDP (as mentioned previously in this thread). Since my KDC (Key Districution Center) does not allow UDP connections on port 88 and 749, I was unable to request a Kerberos ticket. The kinit command simply hangs with no response and Ticket Viewer fails with "Invalid Password".

Since I do not have control over my KDC, I needed to find a way to force Heimdal to use TCP. This was achieved by prepending "tcp/" before each server name in the krb5.conf file (or edu.mit.Kerberos). Using the example from this posting, it should be as follows:

[realms]

HOME.COM = {

admin_server = tcp/kerberos.home.com:749

kdc = tcp/kerberos.home.com:88

default_domain = home.com

}

WORK.COM = {

admin_server = tcp/kerberos.corp.work.com:749

kdc = tcp/kerberos.corp.work.com:88

default_domain = work.com

}

The only other change that was required was to the default encryption types, which I set as follows:

default_etypes = arcfour-hmac-md5

default_etypes_des = des-cbc-md5,des-cbc-crc

default_tgs_enctypes = des-cbc-md5,des-cbc-crc

default_tkt_enctypes = des-cbc-md5,des-cbc-crc

permitted_enctypes = des-cbc-md5,des-cbc-crc

As for the configuration, both /etc/krb5.conf and /Library/Preferences/edu.mit.Kerberos seem to be valid, but ensure that you only have ONE present.

After this, both kinit and Ticket Viewer worked as they did under Snow Leopard (10.6).

Regards,
Dave

Guys, did you ever managed to have working kerberized NFS4 in Lion?

In my case I have no issues with kerberos, but with sec=krb5/krb5i/krb5p I can mount only NFS3 not NFS4.

And I got gss related error in the logs and "permission denied" error.

You can mount NFSv3 with Kerberos? Thats goog news and is what we could do in SL (but not in Lion any more). Could you please post your /etc/krb5.conf. Is there a /Library/Preferences/edu.mit.Kerberos? What is the exact command you use to mount using NFSv3?

Do you see any error-messages logged to /var/log/system.log (from gssd, see my previous post above).

Thanks in advance,

Peter

There is my /Library/Preferences/edu.mit.Kerberos

Important to note that I have OD server.

[libdefaults]

default_realm = my.realm

[realms]

my.realm = {

admin_server = kdc.at.my.realm

kdc = kdc.at.my.realm

kdc = secondary.kdc.at.my.realm

}

[domain_realm]

.realm = my.realm

realm = my.realm

[logging]

kdc = FILE:/var/log/krb5kdc/kdc.log

admin_server = FILE:/var/log/krb5kdc/kadmin.log

I mount NFS directories from Solaris 11 Express server.

I do mount non from root, but from mu user account. (after kinit of course)

different ways works:

mount_nfs -o vers=3,sec=krb5 nfs.server:/export/share/test /tmp/qq1

/usr/libexec/mount_url "nfs://nfs.server/export/share/test" /tmp/qq1

(mounts are exported with sec=krb5:krb5i, so mount_url also mounts it with sec=krb5/5i)

When I mount as

mount_nfs -o vers=4,sec=krb5 nfs.server:/export/share/test /tmp/qq1

then I see in the logs

7/24/11 1:55:58.000 PM kernel: nfs_gss_clnt_gssd_upcall: gssd port not valid

7/24/11 1:55:58.000 PM kernel: nfs4_setclientid failed, 13