Kerberos on OS X 10.7 (Lion)

So I had upgraded my wife’s MacBook to Lion and discovered that, once again, Apple screwed around with Kerberos. This seems to be a recurring theme (and not a good one). After quite a bit of fighting and figuring, a few things have been sorted out. Once I’ve got it completely figured out, I’ll document it on my wiki but in the meantime (since there is a severe shortage of good info about Kerberos in Lion), here’s the skinny:

  • MIT Kerberos has been replaced with Heimdal
  • Heimdal seems to prefer UDP over TCP, so if a firewall in front of your KDC blocks UDP ports 88 and 749, you probably want to change your firewall rules to allow UDP (otherwise you get strange errors: kinit says it can’t reach any defined KDC, and Ticket Viewer says you provided the wrong password)
  • /Library/Preferences/edu.mit.Kerberos is still a valid configuration file; however, you need to remove the quotes (e.g. if you have default_realm = "FOO.CA" you need to change that to default_realm = FOO.CA).
  • Subversion (either Lion-supplied or via Fink) does not seem to do GSSAPI negotiation anymore
  • Google Chrome on Lion does not seem to do GSSAPI negotiation anymore
  • Safari on Lion does work with Kerberized (mod_auth_kerb) websites
  • Supposedly you do not need to change /etc/authorization anymore; Lion is using a PAM stack that should give you a ticket upon login (provided your Kerberos password and login password are the same, or presumably it is stored in your Keychain) — I’ve not tested this yet
  • Someone indicated that you can prefix the KDC hostname in /Library/Preferences/edu.mit.Kerberos with “tcp/host” to make Heimdal talk over TCP (preventing the need to open UDP ports), but there is also another indication that this doesn’t work — I’ve not tested this yet either
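
Since the quoted-value change and the tcp/ prefix both live in the same file, here is an added example (mine, not from the original post) that parses a constructed edu.mit.Kerberos file, reports the quoted values Lion’s Heimdal needs unquoted, rewrites them, and shows which KDC entries request TCP. The realm FOO.CA and the kdc hostnames are placeholders, and kdc = [service/]host[:port] is Heimdal’s documented syntax; whether Lion honours the tcp/ form is, as the post says, untested.

```python
import re

# Constructed sample of a pre-Lion /Library/Preferences/edu.mit.Kerberos file
# using the MIT-style quoted values the post says Lion's Heimdal does not accept.
# FOO.CA / kdc.foo.ca / kdc2.foo.ca are placeholder names, not real hosts.
SAMPLE_CONFIG = """[libdefaults]
    default_realm = "FOO.CA"
    forwardable = true

[realms]
    FOO.CA = {
        kdc = "kdc.foo.ca:88"
        kdc = tcp/kdc2.foo.ca
        admin_server = "kdc.foo.ca:749"
    }
"""

# key = "value" on one line; the groups keep indentation and spacing intact.
QUOTED = re.compile(r'^(\s*)([A-Za-z_][\w./-]*)(\s*=\s*)"([^"]*)"(\s*)$')
# kdc = [service/]host[:port], with or without the quotes the post says to drop.
KDC = re.compile(r'^\s*kdc\s*=\s*"?(?:(udp|tcp|http)/)?([^"\s]+)"?\s*$')

def find_quoted_values(text):
    """Return (line_no, key, value) for every quoted assignment in the file."""
    return [(n, m.group(2), m.group(4))
            for n, line in enumerate(text.splitlines(), 1)
            for m in [QUOTED.match(line)] if m]

def strip_quotes(text):
    """Rewrite the config with the quotes removed and nothing else changed."""
    out = []
    for line in text.splitlines():
        m = QUOTED.match(line)
        out.append("".join(m.groups()) if m else line)
    return "\n".join(out) + "\n"

def kdc_transports(text):
    """Map each kdc entry to the transport it requests. An entry without a
    service prefix is reported as 'default', which the post observes Heimdal
    on Lion tries over UDP first (hence the firewall trouble)."""
    found = {}
    for line in text.splitlines():
        m = KDC.match(line)
        if m:
            found[m.group(2)] = m.group(1) or "default"
    return found

if __name__ == "__main__":
    for n, key, val in find_quoted_values(SAMPLE_CONFIG):
        print(f"line {n}: {key} is quoted ({val!r}); Lion's Heimdal wants it unquoted")
    print(strip_quotes(SAMPLE_CONFIG))
    print(kdc_transports(SAMPLE_CONFIG))
```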

Anyways, the point is it’s messy. There is an ongoing discussion on the Apple support forums here: https://discussions.apple.com/thread/3189202 so if you’re experiencing some oddness (or getting things to work!) please either note in the comments here or on that discussion thread. I would really like to get subversion and Chrome working with kerberos auth again — those are the only two things preventing me from going forward with Lion on other systems.

13 Comments

  1. brodieb

    Unless you’re running OpenDirectory, the PAM trick won’t quite work, because PAM attempts to use your OpenDirectory record to obtain the Kerberos principal for authentication. (See the pam_krb5 man page for details.)

    However, you can make it work with a vanilla Kerberos setup by adding “default_principal” to the pam_krb5 line in /etc/pam.d/authorization, assuming that your OS X login name is the same as your Kerberos principal name. I’ve done this on my Lion clients, without making any changes to /etc/authorization, and I’m now getting krbtgt tickets automatically upon login.

    Jul 29, 2011 @ 23:38:21
  2. Hugh Cole-Baker

    I have Google Chrome working with Kerberos auth on Lion (Chrome version 12.0.742.122) – the biggest hurdle is that you have to add the sites you want to use it with to a whitelist, either as a command line option or via MCX preferences. But if you had it working in Snow Leopard, I’d assume you’ve done that already?

    Jul 30, 2011 @ 07:28:22
  3. vdanen

    @brodieb: that works perfectly. Very nice, thank you!

    @hugh: hmmm… Maybe it’s due to the wildcarding? I used “–auth-server-whitelist=*foo.com” (where foo.com is the local domain name, and the server I’m trying to get to is http://foo.com). Are you saying if I remove the wildcard it will work?

    Aug 02, 2011 @ 22:30:40
  4. vdanen

    Nope. That didn’t work. What’s the command line you’re using to call Chrome? I only added the –auth-server= option (there’s a typo above, it is a double dash, not a single dash).

    Aug 02, 2011 @ 22:32:45
  5. Hugh Cole-Baker

    I’m not using a command line option, so I’m not certain what the problem would be with the command line, but have you tried putting a dot after the *, i.e. use “*.foo.com”?

    What I did to get it working is setting a managed preference for my user account via MCX, as follows:

    1. Install the Server Admin Tools for 10.7 from http://support.apple.com/kb/DL1419
    2. Open Workgroup Manager, and Cancel when it asks to choose a server to connect to. Then choose View Directories from the Server menu instead.
    3. Click on the small globe icon next to the “Viewing Directory …” text and select Local, it should now say Viewing Directory /Local/Default. Then click the lock icon on the right and enter an admin’s credentials.
    4. Find your user account and click Preferences in the toolbar, and go to the Details tab.
    5. Click the + button to add an app’s preferences and choose Google Chrome. Select it in the list and click the edit button.
    6. In the edit window, expand “Always” and add a new key, “Authentication server whitelist”, of type string, and give it the value “*.foo.com”
    7. Click Done. You’ll probably have to restart, but after that Chrome should pay attention to that preference setting without any need for command line options.

    Aug 04, 2011 @ 16:44:02
  6. Philip Paeps

    I can get a ticket at login by just adding my kerberos information to the “directory editor”. It’s a bit hidden under “/System/Library/CoreServices/Directory\ Utility.app”.

    In there under “users”, you will find your user account (“Philip Paeps” in my case) and in the tree on the right, there’s an “AuthenticationAuthority” tree. There you can add your Kerberos details — in my case: “;Kerberosv5;;philip@PAEPS.CX;PAEPS.CX”. Note the double semicolon and the leading semicolon!

    Just follow the example of the LKDC entry.

    With that there, I get my tickets at logon and when resuming the screensaver. Unfortunately, things like Mail.app don’t ask for my Kerberos password when tickets expire. A workaround is to start the screensaver and get a new ticket, but that’s very silly (I just kinit again).

    If someone could figure out how to convince Mail.app and friends to ask for my Kerberos password again when tickets expire, that would be great!

    Aug 05, 2011 @ 15:52:20
  7. Noah Abrahamson

    What I can’t figure out is how to really set the default realm. In my /etc/krb5.conf file, I’ve indicated my default realm is my usual “stanford.edu” (minus the quote marks), but after I bind to my Open Directory system, I can’t seem to find where to override CRC-ODM.STANFORD.EDU, which is, as the name implies, our OD Master. If I do a kinit, my default realm is the ODM instead of the stanford.edu realm. The Ticket Viewer doesn’t set it permanently. It’s not in /Lib/Prefs/SystemConfig/com.apple.smb.server.plist. I can’t find it in sysctl.

    Aug 10, 2011 @ 21:55:17
  8. Peter Trondsen

    I have been able to get Kerberos to work with Lion Server and Client, in an OD/AD environment. It’s the same setup as Snow Leopard. You first have to get rid of the Local KDC. Here are some commands I used. Now, I have had an issue in testing where the error log filled up with a Local KDC, and I had to recreate it; it’s a bit flaky. I wish Apple would just get rid of the Local KDC. Anyway, here are the commands:

    Destroy Local KDC:

    1. sudo rm -rf /var/db/krb5kdc
    2. sudo rm -rf /etc/krb5.keytab
    3. sudo rm -rf /Library/Preferences/edu.mit.Kerberos
    4. Bind the Server to Active Directory. Then run the following commands:
    5. sudo dsconfigad -enablesso (Was -enableSSO in previous OS’s)
    6. sudo klist -ke (This doesn’t seem to work in Lion)
    7. defaults read /Library/Preferences/com.apple.AppleFileServer kerberosPrincipal (Check your AFP REALM)
    8. grep “realm” /var/db/smb.conf (Check your SMB REALM)
    9. Open Server Admin, change Open Directory from Connected to a Directory to Open Directory Master (Stay Connected)
    10. Open Directory Utility, under Directory Editor, select Config, and rename KerberosKDC and KerberosConfig to KerberosKDC_DONOT and KerberosConfig_DONOT.
    11. Bind your clients to the Active Directory and Open Directory Servers.

    That’s it. Kerberos should now work.

    Aug 20, 2011 @ 10:44:37
  9. Jason Bush

    Anybody having issues with Kerberos and Radius? I keep getting tickets that have the wrong year specifically 1953.

    Sep 03, 2011 @ 00:00:40
  10. Kevin

    Jason, I am seeing the same thing, but only when not connected to our company’s network. When connected to the company network and logging in using my network creds I get a good ticket. If I log in off the network I get a ticket that expires in 1953. I then VPN into the network and still do not receive an updated ticket. If I lock my screen and then log back in I get a correct ticket.

    Anyone have any ideas?

    Sep 09, 2011 @ 15:26:13
  11. Cerebus

    If anyone’s still reading this thread, Lion is performing a complete AS subprotocol at screen unlock. This makes sense, as it’s the only way to ensure the network account credentials are fresh for offline use (Windows has the same behavior at unlock).

    The problem is on Lion this creates a *new* instance of the ccache. If you’re VPN’d and have a valid ticket, lock the screen, drop the VPN (e.g., timeout), and then unlock the screen, you will have a *second* ccache with no valid tickets in it, *plus* the ccache with your (still unexpired) tickets. If you VPN back in, some apps will see the current empty ccache and some will see the old ccache and attempt to use those tickets.

    Very confusing.

    – C

    May 22, 2012 @ 06:03:18
  12. Will

    @Cerebus You can switch the default ccache using the kswitch command. Once there, you should be able to kdestroy the newer cache and switch to the old (but still valid) one.

    Jun 06, 2012 @ 07:40:00
  13. Harry

    Anyone had any luck with the 1953 (in my case 1955) tickets created at login when not on the domain? It’s messing with mac users here – especially since I got kerberos working nicely in OD/AD!!

    Aug 05, 2012 @ 19:10:16
