Does anyone know how to configure Kerberos with Lion?

Is it still true that in order to use Kerberos authentication with CUPS, it's either all queues or no queues?

antst wrote:

regarding NFS4 and kerberos, it doesn't work at the moment. I filled bugreport and apple confirms this as known issue. I hope in 10.7.1 they'll fix it.

NFSv4 and Kerberos are working great for me with a Lion client and a Debian NFSv4 server/KDC running MIT Kerberos 1.9.1. You need "allow_weak_crypto = true" in your Lion client's /etc/krb5.conf and in your KDC's /etc/krb5.conf; and you must support des-cbc-crc encryption in your NFSv4 server's principal. (You can support other enctypes on the NFSv4 server principal, as well, but Snow Leopard and Lion require des-cbc-crb, as far as I know.)

Those server-side settings were needed to support NFSv4 with a Snow Leopard client, too, so those aren't new. However, the client-side weak crypto setting was not required on Snow Leopard. It makes me wonder if there's a way to make Lion use a stronger enctype for NFSv4. If so, it doesn't appear to be documented.

Are you sure it is NFSv4?

Cause NFSv3 works without any problems for me with kerberos, but not NFSv4, and when I submitted bugreport, they said it is duplicate and known issue.

I have allow_weak_crypto and des-cbc-crc in my server principals.

In Lion right now it looks as it is no kerberos authentication whatsoever.

It was possible in late Leopard patches to do tricks like setting an enviromnent variable in order to use a remote CUPS server and that way use kerberos printing using lpr -H

That broke with 10.4.0 ( and CUPS 1.4), was fixed in 10.6.4 and seems now to be broken again.

The only possible soultion seems to be to set up an SMB entry on the CUPS server and configure the clients to use windows printing,

"Me" seems to a plausible answer :-)

Kerberos printing has been quite a PITA. Probably nobody besides you ("me") and me tries to use that because it *does not work* and when it eventyally does, it gets repeatedly broken because apparently there is no testing of this within Apple.

My problem is that we have 1000's of users who pay real money for their printouts so we must have every print job securely authenticated and we cannot manage (change) the Mac clients. Arrgh!

I have a solution to the MacOS printing authentication problem. Email me at rcc2@cornell.edu if you want.

like antst I'm seeing the very same issue with nfs4 in 10.7.1.

allow_weak_crypto is set, nfs principals as well as client/server keytabs have solely des-cbc-crc keys.

linux clients work. osx won't.

@drew: are you using specific enctype settings referring to des-cbc-crc on server side?

Thanks everyone, this has been really helpful. I've just managed to get Lion working perfectly with both AD and Kerberos single-sign-on logins. Frankly, I am amazed ... after the first few hours of trial and error (mostly error) I didn't think it would ever work reliably. I''ve so far replicated my config on 2 machines, and it seems to work.

So, here's the setup:

We have an Active Directory Domain (henceforth the "Domain"), set up in a trust relationship with the Kerberos Realm (henceforth the "Realm") of the wider organisation. There are some users who exist only in the Domain, and others who exist in the Realm. For the latter, we have usernames in the Domain that mirror the Realm users, and have them mapped. (Just to make sure that's clear: there are some users in the domain that don't exist in the Realm, and then there are some users in the domain that do exist in the realm, and obviously their login credentials are managed by the realm, so they have Name Mappings on the DC to their respective Kerberos Principal names, which are identical to their AD logon names) We run 2 file servers, one - a Windows server - for the users that only exist in the Domain, and one - a Linux server - for those from the Realm. Now we wanted everybody to authenticate and use network home folders on OS X. Previously we had to make do with AdmitMac, and it created all sorts of problems but worked more or less (sometimes less; some applications expect to set file attributes that AdmitMac's smb client didn't support, so for example SPSS and EndNote gave us no end of grief). Today I was shocked to discover that I simply couldn't get things to work with Lion and AdmitMac 6, so I tried the impossible, ...

This is how it works for me:

Make sure you don't have a /Library/Preferences/edu.mit.Kerberos - just delete it if it's there.

Make sure you are NOT a member of any AD domain at this point.

Make sure the computer clock is set correctly (yes, I know ... the obvious things)

Create /etc/krb5.conf (I can't guarantee all those settings are really necessary, but it works for me at the moment):

[domain_realm]

.our.domain.within.wider.org = OUR.DOMAIN.WITHIN.WIDER.ORG

our.domain.within.wider.org = OUR.DOMAIN.WITHIN.WIDER.ORG

.wider.org = WIDER.ORG

wider.org = WIDER.ORG

[libdefaults]

default_realm = WIDER.ORG

dns_fallback = yes

rdns = no

dns_lookup_kdc = true

forwardable = true

noaddresses = true

allow_weak_crypto = true

default_etypes = arcfour-hmac-md5 des3-cbc-sha1

default_etypes_des = des3-cbc-sha1

default_tgs_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5

default_tkt_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5

permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 arcfour-hmac-md5

[logging]

admin_server = FILE:/var/log/krb5kdc/kadmin.log

kdc = FILE:/var/log/krb5kdc/kdc.log

[realms]

OUR.DOMAIN.WITHIN.WIDER.ORG = {

admin_server = tcp/windows_domain_controller.our.domain.within.wider.org:749

kdc = tcp/windows_domain_controller.our.domain.within.wider.org:88

kpasswd_server = tcp/windows_domain_controller.our.domain.within.wider.org:464

}

WIDER.ORG = {

kdc = kdc.wider.org:88

admin_server = kdc-admin.wider.org:749

default_domain = wider.org

}

Note that I don't know why the upstream organisation has separate kdc and kdc-admin servers ... so in your case this may be the same one ...

So far so good; the krb5.conf isn't that hard to get right; it' s only a bit complicated because of our specific set up.

BUT, here are the magic bits:

In /etc/authorization DON'T mess with the entry called <key>com.apple.KerberosAgent</key> ... but make the following changes:

in <key>system.login.console</key> the <array> entry looks like this:

<array>

<string>loginwindow:login</string>

<string>builtin:reset-password,privileged</string>

<string>builtin:forward-login,privileged</string>

<string>builtin:auto-login,privileged</string>

<string>builtin:krb5authnoverify,privileged</string>

<string>PKINITMechanism:auth,privileged</string>

<string>loginwindow:success</string>

<string>HomeDirMechanism:login,privileged</string>

<string>HomeDirMechanism:status</string>

<string>MCXMechanism:login</string>

<string>loginwindow:done</string>

</array>

find <key>authenticate</key> and make sure it's followed by:

<dict>

<key>class</key>

<string>evaluate-mechanisms</string>

<key>mechanisms</key>

<array>

<string>builtin:authenticate</string>

<string>builtin:reset-password,privileged</string>

<string>builtin:authenticate,privileged</string>

<string>builtin:krb5authnoverify,privileged</string>

<string>PKINITMechanism:auth,privileged</string>

</array>

</dict>

Finally, change the file /etc/pam.d/authorization to be

auth optional pam_krb5.so use_first_pass use_kcminit default_principal

auth optional pam_ntlm.so use_first_pass

auth required pam_opendirectory.so use_first_pass nullok

account required pam_opendirectory.so

ONLY THEN join the Active Directory domain.

Reboot. Maybe twice ...

And it works. I can log in with single-sign-on usernames from the Realm, and usernames from the domain.

Have a nice day, I am going to bed ...

:: Florian

Congratulations! I note one thing in your krb5.conf which may be a problem:

default_etypes = arcfour-hmac-md5 des3-cbc-sha1

default_etypes_des = des3-cbc-sha1

default_tgs_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5

default_tkt_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5

permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 arcfour-hmac-md5

We have just recently discovered that specifying default encryption types causes serious problems for Leopard and Snow Leopard (but not Lion) when you upgrade your AD domain controlers from 2008 to 2008R2. You get "KDC does not support enctype" errors when attempting to get a TGT. Apparently the MIT Kerberos client defines the word "default" differently than the Heimdal client.

MIT's docs say that AES is the encryption type to use where AD compatibility is desired.

I am not a Kerberos expert, but I have heard that there is no good reason to specify encryption types in a client configuration.

Good luck,

-Rick

Here confirming that Lion can get tickets and use kerberized nfsv3 without problems with a FreeBSD 8.2-RELEASE-p2 Heimdall KDC.

However, nfsv4 only works with "sec=sys". Attempting to mount using v4 with kerberos will output the following error:

"nfs_gss_clnt_gssd_upcall: gssd port not valid"

Has anyone solved this problem or is it just a bug?

This thread was very helpful in getting Kerberos going again in my Lion environment. Now that I can obtain tickets at login automatically, my next wish was for those tickets at login to be renewable (which they apparently aren't). He's how I approached this problem.

I made sure that my /etc/krb5.conf has renewable = true specified under libdefaults:

[libdefaults]
    renewable = true

Next I created a LaunchAgent to run once on login that calls kinit to obtain a new renewable ticket (because previous modifcations (mentioned in earlier posts to this thread) to the /etc/authorization already obtained a non-renewable ticket at login, credentials are not required to check out a completly new renewable ticket to replace the non-renewable one). By running kinit with the above modifcation to /etc/krb5.conf it will by default check out a renewable ticket (I don't know why the libdefault renewable = true entry doesn't affect the ticket checkout process at login controlled by /etc/authorization - you would think it would, but doesn't seem to). While logged in as the user you wish to obtain a renewable ticket for, create the plist ~/Libraries/LaunchAgents/com.example.Kerberos.init.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.Kerberos.init</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/kinit</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

Now that you have a renewable ticket you can do something like the following to automatically renew it while logged in. The script below is set to auto renew the ticket every 30 minutes. While logged in as the user you wish to autorenew for, create the following plist file ~/Library/LaunchAgents/com.example.Kerberos.renew.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.Kerberos.renew</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/kinit</string>
    </array>
    <key>StartInterval</key>
    <integer>1800</integer>
</dict>
</plist>

To get these two scripts to run at login, open a terminal session for the user and issue the following commands:

launchctl load -w ~/Library/LaunchAgents/com.example.Kerberos.init.plist
launchctl load -w ~/Library/LaunchAgents/com.example.Kerberos.renew.plist

Has anyone had any success with this since 10.7.4?

I guess I should reprhase this:

I tried the method listed above as well as configuring the krb5.conf file to check out renewable tickets. I did this on a machine running 10.7.4, and now I'm seeing this in the logs:

6/21/12 9:27:18.085 AM authorizationhost: The builtin:krb5authnoverify authorization mechanism has been deprecated. Please configure the authorization PAM stack (/etc/pam.d/authorization) as needed, and use builtin:authenticate mechanism instead.

I checked for MIT leftovers and couldn't find any...

Any ideas?

didn't notice any breakage in 10.7.4. I believe I just touched pam and krb5.conf, but can't check right now.

So to clarify, you are able to obtain renewable tickets and then create a daemon that will renew it without further prompts for authentication?