Kerberos support in OS X 10.6 is a huge step backward

Last month I got Kerberos working quite nicely on my macs, thank-you-very-much. This week Apple wrecked it by making Kerberos an absolute nuisance. It wasn’t bad in OS X 10.5: a bit annoying to set up, but the tools were adequate. In 10.6 they threw away the half-decent GUI and gave us a crap dummied-up GUI, which means whenever I need to kinit, I have to open a Terminal. More importantly, whenever my *wife* has to kinit, *she* has to open a Terminal.

Not a big thing for me as Terminal is always open… but for her? She’s never opened it once.

Apple… what were you thinking? Kerberos is an absolute PITA now and not nearly as convenient as it could/should be. Certainly nothing like Kerberos support on my Fedora workstations.

There’s plenty to like about Snow Leopard, but when I went through the effort of getting Kerberos working last month, using it on the mac was a joy. Now? Well… all those companies and schools that use kerberos are really going to be thinking twice about upgrading until this gets worked out or someone writes a good app to handle it. I mean, really… how hard is it to have something in the menu bar that you can click on to renew your ticket or get one in the first place? Not so hard (well, for me it would be, but not for someone who knows how to write these little apps). I’m also not the only person to feel this way.

Gah!

72 Comments

  1. Mr.Blah

    Hey guys,
    was trying to learn more about kerberos with 10.6.2 – super useful info – thanks for posting :D

    Feb 20, 2010 @ 05:02:29
  2. Thomas Berglund

    Apple has posted a kbase article related to kerberos in 10.6.

    Mac OS X v10.6: Generating a Kerberos Ticket Granting Ticket (TGT) during an Active Directory user’s initial login
    http://support.apple.com/kb/HT4100

    I have tried this workaround, and it works great.

    If you want the kerberos ticket to renew when unlocking the screensaver too, you just need to modify the “system.login.screensaver” in the /etc/authorization file

    Change the line:

    <string>The owner or any administrator can unlock the screensaver.</string>

    to:

    <string>(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.</string>

    Example:

    <key>system.login.screensaver</key>
    <dict>
    <key>class</key>
    <string>rule</string>
    <key>comment</key>
    <string>(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.</string>
    <key>rule</key>
    <string>authenticate-session-owner-or-admin</string>
    </dict>

    Apr 15, 2010 @ 01:59:40
  3. vdanen

    Thomas, thanks for sharing that. I’m confused, however. The kbase article you link to, while useful, doesn’t mention anything about the screensaver. Does adding “(Use SecurityAgent)” to the <string> bit really change that behaviour? Do you have a reference for that?

    Apr 19, 2010 @ 09:34:21
  4. Chris

    Hey guys, I was working on the com.apple.Kerberos.renew.plist error, and came to the same solution as Daniel. By changing -B to -R it seems that issue has been resolved.

    I have no problems with getting a renewable ticket at login, but I’d like to be able to either get, or renew a ticket when unlocking the screensaver. All of my users are on laptops and they rarely logout. If when they came back into the office they were able to get a ticket without having to logout/login that would be awesome.

    So far it looks like it is trying to authenticate coming out of the screensaver because I get this message in the logs: “in pam_sm_authenticate(): Failed to determine Kerberos principal name.”

    I tried the earlier suggestion about modprinc, but those changes don’t seem to have any effect on the tickets that I get, or the error coming out of the screen saver.

    Apr 20, 2010 @ 12:59:33
  5. Thomas Berglund

    @vdanen Yes, adding “(Use SecurityAgent)” does really change that behaviour, at least for me :)

    Try for yourself.

    1. Modify the /etc/authorization file like described above (I tried to use the tag to prevent the editor from stripping the tags, but that unfortunately did not help).
    2. Type “klist” in a Terminal window and hit enter, look at the time
    3. Wait a minute, and hit “ctrl+shift+esc” to set the display to sleep, or activate the screensaver.
    4. Move your mouse, authenticate and type “klist” in the same Terminal window, and see if the ticket was renewed.

    Sorry, I do not have an article for this, but trust me it works.

    Apr 30, 2010 @ 04:25:20
  6. Mike from America

    Expanding on the workaround to change com.apple.Kerberos.renew.plist to call “kinit -R” instead of “kinit -B,” I’ve created a little shell script that will renew the ticket or prompt the user for a password to request a new ticket if it has expired.

    The script is just a one-liner:

    #!/bin/sh
    /usr/bin/kinit -R || /usr/bin/kinit

    Save the script to /usr/local/bin/krenew or something like that and then call krenew from the plist. There may be a way to embed that directly into the plist but when I tried it, launchd interpreted the “||” (logical or) as an argument.

    May 05, 2010 @ 09:15:17
  7. Jasper

    This blog got it wrong.
    The functionality is now available in Keychain Access.

    A huge step forward…

    May 06, 2010 @ 23:08:35
  8. vdanen

    I think you’ve got it wrong, Jasper. There is no kerberos functionality in Keychain Access unless it’s completely hidden but if that’s the case, please enlighten us as to where it’s hiding in there. I see better support for SSL certificates and CA’s, but absolutely zero having to do with kerberos.

    May 06, 2010 @ 23:13:31
  9. Jasper

    “Ticket Viewer” serves the same purpose as “Kerberos” does.
    Note that Ticket Viewer is accessible from the Keychain Access menu in Keychain Access. As Kerberos Ticket Viewer was under Leopard. And as Keychain First Aid is in both.

    May 06, 2010 @ 23:31:33
  10. vdanen

    Ticket Viewer is a completely different app from Keychain Access. Keychain Access just makes it easy to launch it.

    But I disagree that Ticket Viewer is a step forward. It misses some (imho) necessary features from Kerberos.app.

    May 07, 2010 @ 07:59:46
  11. Jasper

    To accomplish the tasks that Kerberos can do but Ticket Viewer cannot do, you can either use Kerberos in Snow Leopard, or use the kerberos command line tools such as klist, kdestroy, and kinit.

    May 07, 2010 @ 10:49:19
  12. Mike from America

    [Sorry. 3rd try at this post. If only there was a preview or edit function. I hope I got it right this time.]

    This discussion has kind of died but it’s still highly ranked in Google so I’ll post some follow-up information here…

    I now completely ignore the System com.apple.Kerberos.renew.plist. The -B option still puts an error to the console every 10 minutes but rather than modify a system file, I just created a /Library/LaunchAgents/com.local.Kerberos.renew.plist with the following ProgramArguments:

    <key>ProgramArguments</key>
    <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>/usr/bin/kinit -R || /usr/bin/kinit</string>
    </array>

    There’s one more problem with this though: If a kerberos renew fails (e.g., if you’re on a foreign WiFi network and cannot reach your internal-only KDC), launchd will stop trying to renew—even after you return to your home network—due to the KeepAlive-SuccessfulExit condition. To fix this, I’ve added a second launchd job that will manually trigger com.local.Kerberos.renew anytime my network status changes by watching /Library/Preferences/SystemConfiguration/preferences.plist. I call this com.local.Kerberos.renew-helper.plist:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>Label</key>
    <string>com.netstupid.Kerberos.renew-helper</string>
    <key>ProgramArguments</key>
    <array>
    <string>/bin/launchctl</string>
    <string>start</string>
    <string>com.netstupid.Kerberos.renew</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>WatchPaths</key>
    <array>
    <string>/Library/Preferences/SystemConfiguration/preferences.plist</string>
    </array>
    </dict>
    </plist>

    Dec 20, 2010 @ 12:54:07
  13. vdanen

    Very cool, Mike! I’m going to have to possibly look at that on the laptop. Right now I have my kerberos status displayed using GeekTool, and the script that GeekTool runs detects whether or not there is an active ticket, and if not fires off an automator action asking me if I want to renew. This might be a lot more convenient as I wouldn’t get those popups a) when I’m not at home and b) every time I wake the laptop from sleep. Thanks for sharing!

    Dec 20, 2010 @ 13:27:06
  14. Yeechang Lee

    I’ve had Kerberos single signon in my Linux-based home network for years, and on my OS X clients since 10.3. Unfortunately, 10.3 was the last time I was able to use my Kerberos password to authenticate anywhere outside the login window or sudo at the command line (I have ssh password logins turned off); no luck with 10.4-6.

    The tip to insert (Use SecurityAgent.) in the relevant string field in /etc/authorization was just what I was looking for to enable Kerberos in the screensaver. No luck, however; whether I use the long or short version of my login ID, I still have to use the built-in password. Given the language at http://support.apple.com/kb/TS3287 , is Active Directory needed for this method to work?

    Apr 16, 2011 @ 12:52:49
  15. vdanen

    I’m not sure. Sounds like you might be using LDAP for that user? I’ve only ever made it work with using a locally-defined account (so local to OS X), and then the instructions noted above and in my wiki work fine. I’ve never gotten OS X to pull login info properly from LDAP, so I only use LDAP on the Linux workstations (where it works great), but for OS X I have a local account, then setup Kerberos, so that I can use SSH, etc. _from_ OS X to the Linux boxen and use my krb tickets for authentication.

    Apr 16, 2011 @ 17:47:45
  16. Yeechang Lee

    I’m not sure. Sounds like you might be using LDAP for that user?

    No LDAP (or NIS) used in my network.

    for OS X I have a local account, then setup Kerberos, so that I can use SSH, etc. _from_ OS X to the Linux boxen and use my krb tickets for authentication.

    This is exactly what I do. From any of my boxes, OS X or Linux, I can use my Kerberos username (the same as the local account) and password to

    * log in locally
    * log in remotely (if password SSH is enabled)
    * use sudo

    so that part works well, and has been so for years. It’s using it elsewhere in OS X that continues to stump me.

    Apr 16, 2011 @ 20:43:24
  17. vdanen

    What else are you trying to make it do? I don’t use kerberos auth with sudo (it takes the local password, which is the same, but it doesn’t use tickets). I’ve not been able to make NFSv4 with kerberos work, but NFS on OS X seems fairly dodgy to begin with. The only other thing on OS X that I use kerberos auth with are krb-enabled web sites (like my intranet) and subversion. Safari supports kerberos auth out of the box. Supposedly you can use kerberos with AFP, but I’ve never gotten that to work (truth be told though, I didn’t try overly hard).

    So on OS X I use kerberos for: getting a ticket, web sites (Safari and Firefox, but Firefox needs extra tweaking), subversion, and SSH. The only thing that’s missing is NFSv4 (broken badly by the looks of things) and AFP.

    Is there some other service in particular you are trying to use kerberos auth with?

    Apr 18, 2011 @ 08:51:05
  18. Yeechang Lee

    Is there some other service in particular you are trying to use kerberos auth with?

    I’d like to use my Kerberos password in other places in OS X that I currently have to use the local password for. Besides the already mentioned screensaver, examples include System Preferences, installing a new application, and activating new mounts with NFS Manager.

    Apr 18, 2011 @ 14:22:14
  19. vdanen

    I don’t think you’ll be able to use the kerberos ticket for things like System Preferences, etc. Those non-network services on the system that you’re looking at likely won’t take it (a screensaver can’t use your kerberos auth; you need to provide a password (which you really really want to have otherwise you might as well turn the screensaver off)).

    For NFS, like I said, NFSv4 support in OS X isn’t very good. I wouldn’t even go there.

    If, however, you do manage to find away to use the kerberos ticket for the local administrative processes (System Prefs, installing new apps) I would love to hear about it! But I don’t think it can be done.

    Apr 18, 2011 @ 15:55:49
  20. drivel

    I could not compile conserver with gssapi support on my OS X 10.7, too bad.

    Oct 22, 2011 @ 14:23:37
  21. EISBOX » Magic Triangle w/Kerberos in OS X 10.6

    [...] quick search on Google yielded a long discussion on Kerberos support (or not) in Mac OS X 10.6 on RedHat Engineer Vincent Danen’s blog, and eventually to his Wiki discussing Kerberos on [...]

    Dec 03, 2011 @ 23:35:19
  22. Yeechang Lee

    Following up on my comments, I am now able to log in with my Kerberos credentials from the screensaver when on my non-Active Directory home network setup, by editing /etc/pam.d/screensaver. In place of

    auth required pam_opendirectory.so nullok

    insert

    auth sufficient pam_opendirectory.so nullok
    auth sufficient pam_krb5.so default_principal
    auth required pam_deny.so

    (These are the same steps used in my /etc/pam.d/sudo to permit Kerberos authentication there. I don’t know why I didn’t try this with screensaver sooner.)

    I still have to use the local account password in System Preferences and elsewhere where the OS X GUI asks for authentication, as PAM isn’t used there.

    Jan 06, 2012 @ 18:51:33
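To see why the three-line stack in the comment above behaves as described (and why the original single `required` line never consulted Kerberos), here is a small added example, not code from the post, the commenters or Apple/OpenPAM, that models how a PAM “auth” stack is evaluated. Module outcomes are supplied by the caller so it runs offline; the control-flag rules it applies (sufficient, required, requisite) are the ones Linux-PAM and OpenPAM share, simplified to what this configuration needs.

```python
# Added example: a model of PAM "auth" stack evaluation for the screensaver edit.
# Real PAM calls the modules; here the caller supplies each module's outcome so
# the logic can be exercised offline. pam_deny.so always fails, as it does in PAM.

# The three lines from the comment, as constructed input text.
SCREENSAVER_PAM = """\
auth sufficient pam_opendirectory.so nullok
auth sufficient pam_krb5.so default_principal
auth required pam_deny.so
"""

def parse_pam_auth(text):
    """Return [(control, module, args)] for the 'auth' lines of a pam.d file."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        facility, control, module, *args = line.split()
        if facility == "auth":
            stack.append((control, module, args))
    return stack

def evaluate_auth(stack, outcomes):
    """Walk the stack; outcomes maps module -> True/False. Returns (authenticated, trace)."""
    succeeded = failed_required = False
    trace = []
    for control, module, args in stack:
        ok = module != "pam_deny.so" and outcomes.get(module, False)
        trace.append(f"{control} {module}: {'ok' if ok else 'fail'}")
        if ok:
            succeeded = True
            if control == "sufficient" and not failed_required:
                break                # sufficient success short-circuits the rest
        elif control == "requisite":
            return False, trace      # requisite failure aborts immediately
        elif control == "required":
            failed_required = True   # recorded, but later modules still run
        # a failing 'sufficient' module is simply skipped
    return succeeded and not failed_required, trace

def screensaver_unlock(local_ok, krb5_ok):
    """Outcome of the edited screensaver stack for the given module results."""
    return evaluate_auth(parse_pam_auth(SCREENSAVER_PAM),
                         {"pam_opendirectory.so": local_ok, "pam_krb5.so": krb5_ok})

if __name__ == "__main__":
    for local_ok, krb5_ok in [(True, False), (False, True), (False, False)]:
        ok, trace = screensaver_unlock(local_ok, krb5_ok)
        print("unlocked" if ok else "denied", "<-", "; ".join(trace))
```

The trailing `required pam_deny.so` turns the “nothing succeeded” case into an explicit failure rather than relying on the implementation’s default, which is why it is kept at the end of the stack.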
