
Does anyone know how to configure Kerberos with Lion?

It was bad enough that kerberos changed from 10.5 to 10.6, but now they've completely removed MIT Kerberos and replaced it with Heimdal in 10.7. So my existing kerberos configuration, which worked great in 10.6, no longer works in 10.7. This is a real show-stopper for me, until I can find some docs or other information on how to configure OS X as a kerberos client (the KDC is a Red Hat Enterprise Linux box).


Has anyone figured out how to do this? Whenever I try to get a ticket, it tells me that it cannot reach the KDC, but it's failing so fast that I don't think it's even trying to actually talk to my KDC (and I see no traffic to the KDC), so I don't think it knows the address for the KDC. According to the Heimdal manpages and other information, the /etc/krb5.conf file should be where this is defined, and the format should be the same as an MIT Kerberos client, but it just keeps failing miserably.


Any pointers would be highly appreciated!

Posted on Jul 20, 2011 7:54 AM

49 replies

Jul 24, 2011 9:37 PM in response to hmolina

hmolina wrote:

To activate the kerberos ticket request at login in the MacOS Lion (Server or standalone), you can modify the /etc/authorization file making the following changes:


This does not seem to be needed anymore: Since Lion, the system login uses PAM, the PAM stack that is run on login is /etc/pam.d/authorization. In this PAM stack, there is pam_krb5 that takes care of requesting a kerberos ticket for the user.

Jul 25, 2011 2:29 PM in response to davidbr

My Kerberos server(s) are MIT kerberos. When I use "tcp/<server>", I'm unable to get tickets. When I removed the "tcp/" I was able to obtain tickets.


The big thing that did the trick for me: Removal of quotation marks from the krb5.conf file. My (old) edu.mit.Kerberos config file used things like:

proxiable = "true"


Removal of the quotation marks made all the difference.

Jul 26, 2011 2:36 AM in response to hmolina

hmolina wrote:

Yes, in theory, with the PAM stack I do not have to make those changes... but in the real world the Kerberos in the PAM stack is not working :-s (I tested it before writing these lines)

It works for me (I did test, too): pam_krb5 gets Kerberos tickets without the changes to /etc/authorization.


By the way, Apple recommends using the PAM stack; when I tested your changes to /etc/authorization, system.log said:

authorizationhost[327]: The builtin:krb5authnoverify authorization mechanism has been deprecated. Please configure the authorization PAM stack (/etc/pam.d/authorization) as needed, and use builtin:authenticate mechanism instead.

Jul 27, 2011 1:02 PM in response to Vincent Danen

I ran into this problem with our MIT KDC and finally fixed the issue by adding

allow_weak_crypto = true

to the libdefaults in /Library/Preferences/edu.mit.Kerberos

Credit goes to:

http://www.gurucollege.net/blog/tag/kerberos/


Also got /etc/pam.d/authorization to cache the TGT by changing the config for pam_krb5 to:

auth optional pam_krb5.so use_first_pass use_kcminit default_principal


The cache is created as something like API:503:11, but I can't get KRB5CCNAME set by pam_sm_setcred().

See: man pam_krb5.

Anyone got this to work?

Jul 27, 2011 10:32 PM in response to efromraleigh

That finally helped to let me mount nfsv3 again. I now have the same behaviour as antst above. My libdefaults section in /etc/krb5.conf now looks like this:


[libdefaults]
    default_realm = ...
    default_etypes = arcfour-hmac-md5
    default_etypes_des = des-cbc-md5,des-cbc-crc
    default_tgs_enctypes = des-cbc-md5,des-cbc-crc
    default_tkt_enctypes = des-cbc-md5,des-cbc-crc
    permitted_enctypes = des-cbc-md5,des-cbc-crc
    allow_weak_crypto = true


The strange thing is, I had the allow_weak_crypto = true directive in the very beginning of my tests (since we use it on ubuntu). It did not help, however, because I then did not have default_etypes and default_etypes_des set (both of which do not exist in MIT-Kerberos). The latter, however, uses default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes (which are not mentioned in the man page for krb5.conf in Lion, so I removed them after my first attempts). This is the first time I have all those statements in my krb5.conf.


Thanks to efromraleigh and antst.


Apple should really update their man pages to reflect all directives in krb5.conf. Heimdal docs on the net are somewhat opaque too....
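An audit script, added here as an example (not from this thread, nor from Apple or Heimdal), that parses the [libdefaults] section of a krb5.conf and flags the two things the replies above turn on: quoted values, which one reply reports breaking Heimdal on 10.7, and DES/RC4 enctype lists or allow_weak_crypto = true, which make the client accept ciphers that are only there to talk to an old KDC. The sample config is constructed from the section posted above, with EXAMPLE.COM and a quoted proxiable line added.

```python
import re

# Constructed sample: the [libdefaults] section posted in the thread, with a
# realm name filled in and one quoted value added to exercise the quote check.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_etypes = arcfour-hmac-md5
    default_etypes_des = des-cbc-md5,des-cbc-crc
    default_tgs_enctypes = des-cbc-md5,des-cbc-crc
    default_tkt_enctypes = des-cbc-md5,des-cbc-crc
    permitted_enctypes = des-cbc-md5,des-cbc-crc
    allow_weak_crypto = true
    proxiable = "true"
"""

# Keys whose values are enctype lists (Heimdal and MIT spellings from the thread).
ENCTYPE_KEYS = {"default_etypes", "default_etypes_des", "default_tgs_enctypes",
                "default_tkt_enctypes", "permitted_enctypes"}
# Single DES and RC4 families; des3- is deliberately not matched here.
WEAK_ENCTYPE = re.compile(r"^(des-|arcfour|rc4)", re.IGNORECASE)

def parse_libdefaults(text):
    """Return {key: value} for the [libdefaults] section of krb5.conf text."""
    section, result = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            result[key.lower()] = value
    return result

def audit_libdefaults(conf):
    """Return (key, problem) findings for a parsed [libdefaults] dict."""
    findings = []
    for key, value in conf.items():
        if value[:1] in ('"', "'") and value[-1:] == value[:1]:
            findings.append((key, "quoted value; thread reports Heimdal on 10.7 rejects quotes"))
        if key == "allow_weak_crypto" and value.strip("\"'").lower() == "true":
            findings.append((key, "weak enctypes (DES/RC4) enabled for every service"))
        if key in ENCTYPE_KEYS:
            weak = [e for e in re.split(r"[,\s]+", value) if e and WEAK_ENCTYPE.match(e)]
            if weak:
                findings.append((key, "DES/RC4 enctypes listed: " + ",".join(weak)))
    return findings
```

Running audit_libdefaults(parse_libdefaults(SAMPLE_KRB5_CONF)) reports every enctype key in the sample plus allow_weak_crypto and the quoted proxiable line; a config that lists only AES enctypes produces no findings.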

Aug 3, 2011 6:25 AM in response to bernerus

I have done some testing against cups 1.3.3 with AuthNegotiate. Lion wants ipp v2 but will drop back to 1.1. The cups is the latest 1.5.0 and my logs on the local mac show update required talking to the 1.3.3 cups server on RedHat Linux. Waiting on my folks to update our test CUPS server for further testing.

In short, I did not get kerberized printing to work with our servers out of the box the way it did in 10.6.x.

I have not tried any other servers.

Aug 3, 2011 6:35 AM in response to efromraleigh

To follow on, I was able to get tickets and make openafs work. After a couple of reboots the KRB5CCNAME is set correctly. Also if you have multiple realms like a MIT server and active directory you can craft an edu.mit.Kerberos (krb5.conf) file that has both in it. Use klist -A to see all the cred. caches. Also note that klist -l will show a simple list of caches like:

    Name                 Cache name   Expires
  * user@REALMONE.COM    501:7        Aug 3 19:30:55
    user@REALMTWO.COM    501:5        Aug 3 17:36:39


The * indicates the default cache.

Also kswitch -p $USER@REALMTWO.COM works to change the default on the fly in case folks are scripting.

Aug 3, 2011 10:17 AM in response to bernerus

bernerus wrote:

Anyone trying kerberos for printing?

Yes. Me.


I use the LPRng "lpr" command in our printing system.

I have managed to figure out how to build LPRng under 10.6 in such a way that it works under 10.5 Intel/ppc, 10.6 Intel, and 10.7. However, under 10.7 it works only if I disable Kerberos encryption of the print job data, and do not use cross-realm authentication. The former doesn't bother me much. The second is seriously annoying.

