Tag Archives: kerberos

Get to know Daylite CRM for Macs

Two new Mac tips on TechRepublic… last week's is Configure OS X for Kerberos single sign-on authentication, which covers configuring Kerberos on OS X. This week's tip is Get to know Daylite CRM for Macs, which covers the Daylite contact-management software for OS X.

Daylite is one of my most-used programs; I've been using it for years on the Mac and I absolutely love it. It gets me my contacts, calendar, and other assorted goodies on my desktop, my laptop, and my iPhone. Multi-user, networked, allowing for offline databases that sync back to the online database… it's expensive, but it's pure goodness. Sure, it's had its fair share of issues and I had one catastrophe with it a few years ago, but I love it and use it daily. Highly recommended if you need something industrial-strength and find that Address Book and iCal just don't cut it.

Two new mac tips

I missed two Mac-related TechMails from the previous weeks. The first is Learn to use the improved Snow Leopard Services menu, which talks about the much-overhauled Services menu in OS X 10.6 and some of the cool things you can do with it, such as making your own Automator actions that hook into the menu as services, and enabling and disabling services to keep the menu clutter-free and pertinent to how you work.

The second is Regaining Kerberos support in OS X 10.6 for Single-Sign On authentication, which talks about Kerberos and OS X 10.6, how Apple butchered it (compared to how it worked in 10.5), and how you can work around some of the limitations. Keep in mind this tip was written a while ago, so there is updated info in the comments of a previous blog post (Kerberos Support in 10.6 is a Huge Step Backward).

Kerberos support in OS X 10.6 is a huge step backward

Last month I got Kerberos working quite nicely on my Macs, thank-you-very-much. This week Apple wrecked it by making Kerberos an absolute nuisance. It wasn't bad in OS X 10.5… a bit annoying to set up, but the tools were adequate. In 10.6 they threw away the half-decent GUI and gave us a crap dummied-up GUI, which means whenever I need to kinit, I have to open a Terminal. More importantly, whenever my *wife* has to kinit, *she* has to open a Terminal.

Not a big thing for me as Terminal is always open… but for her? She’s never opened it once.

Apple… what were you thinking? Kerberos is an absolute PITA now and not nearly as convenient as it could/should be. Certainly nothing like Kerberos support on my Fedora workstations.

There's plenty to like about Snow Leopard, but when I went through the effort of getting Kerberos working last month, using it on the Mac was a joy. Now? Well… all those companies and schools that use Kerberos are really going to be thinking twice about upgrading until this gets worked out or someone writes a good app to handle it. I mean, really… how hard is it to have something in the menu bar that you can click on to renew your ticket or get one in the first place? Not so hard (well, for me it would be, but not for someone who knows how to write these little apps). I'm also not the only person to feel this way.

Gah!

Kerberos fun Pt 2

Ok, this time the word "fun" is sarcastic. I had it working this afternoon and couldn't figure out why it all of a sudden stopped working… or at least Subversion via Kerberos did. I was getting this error whenever I ran "svn ls http://svn.example.com/svn/anthill/" (on my server):

ah_post_send (#0), code is 401 (want 401), WWW-Authenticate is Negotiate, Basic realm="Kerberos Login"
auth: Got challenge (code 401).
auth: Got 'Negotiate' challenge.
auth: Got 'Basic' challenge.
auth: Trying Negotiate challenge...
2009-07-16 20:49:37.593 svn[6357:10b] *** NSInvocation: warning: object 0x1005dc040 of class 'ReplicaFile' does not implement methodSignatureForSelector: -- trouble ahead
2009-07-16 20:49:37.594 svn[6357:10b] *** NSInvocation: warning: object 0x1005dc040 of class 'ReplicaFile' does not implement doesNotRecognizeSelector: -- abort
[1]    6357 trace trap  svn -vv ls http://svn.example.com/svn/anthill/

Googling it showed one other guy who had it and never had an answer to his question.

Persistence is the codeword of the day, so I finally figured it out. Seems that OS X does things a little wonky with Kerberos. A tutorial I read about using mod_auth_kerb indicated you had to use the hostname of the server, regardless of any virtualhost names (so my server name is hades, the virtualhost alias is svn; the made-up domain is, originally, example.com). Safari kept popping up the authentication dialog whenever I tried accessing the repository, which is not at all what I wanted. I had to ktadd a new principal (HTTP/svn.example.com) with the virtualhost alias (which the tutorial said _not_ to do). Then Safari started working, but svn bombed.

Of course, in Fedora 11, none of this was a problem. But here's the weird part: klist on F11 showed HTTP/hades.example.com (from Subversion or Firefox), whereas on OS X Subversion crapped out and crashed and Safari showed HTTP/svn.example.com. So I decided to see what Firefox on OS X would do, and it (properly) used HTTP/hades.example.com.

Now, the weirdest part is that svn is working again! Why? For some reason (and I'm not quite sure whether I should be blaming OS X here or neon or a combination of the two), svn is not initiating obtaining a ticket for HTTP/hades.example.com. I'm not sure why, because on F11 it did. If I kdestroy and kinit (so I only have the krbtgt ticket), svn craps out. However, once I used Firefox to obtain the ticket, svn could re-use it and all worked well. If I remove the HTTP/svn.example.com principal on the server, svn still doesn't work and neither does Safari (I get the login dialog). Obviously that's not my problem. I'm wondering if these Collab binaries built for OS X are messed up somehow; I'll have to try from fink or build from source.

This was like pulling teeth tonight. Definitely an interesting puzzle that I probably could have done without. It’ll be interesting to see if other svn builds on OS X do the same thing (of course, I could dispense with making svn use GSSAPI for this, but half the fun is seeing how many passwords I _don’t_ need). At this point I have no real idea why svn even worked at all in the first place — unless during the course of testing with Firefox I already had HTTP/hades.example.com’s ticket. Hmmm….
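The failure above comes down to which service principal name (SPN) each client asks the KDC for: a client that canonicalizes the URL host through DNS asks for HTTP/hades.example.com, while one that uses the URL host verbatim asks for HTTP/svn.example.com, and the server's keytab has to hold a key for whichever one arrives. The script below is an added illustration, not code from the post or from any of the tools it mentions. It models those two client behaviours, parses a klist listing to see which HTTP/ tickets are already cached, and reports which principals the server keytab needs. The realm EXAMPLE.COM, the fake DNS table, and the klist text are constructed to match the post's hades/svn setup; real clients decide whether to canonicalize based on their GSSAPI library and krb5.conf settings (rdns, dns_canonicalize_hostname), which this example does not read.

```python
"""Added example: predict the HTTP/ SPN a Kerberos-aware HTTP client will
request and check a klist ticket cache for it.  Not from the original post."""
import re
from urllib.parse import urlsplit

REALM = "EXAMPLE.COM"  # assumed realm, matching the post's made-up domain

# Constructed stand-in for DNS: svn is an alias (CNAME) for the host hades.
FAKE_DNS = {
    "svn.example.com": "hades.example.com",
    "hades.example.com": "hades.example.com",
}


def canonical_host(host, resolver=FAKE_DNS):
    """Follow the alias chain the way a canonicalizing client would."""
    seen = set()
    while host in resolver and resolver[host] != host and host not in seen:
        seen.add(host)
        host = resolver[host]
    return host


def expected_spn(url, canonicalize, realm=REALM, resolver=FAKE_DNS):
    """SPN the client will ask the KDC for.

    canonicalize=True  models clients that resolve the URL host first
                       (Firefox, and svn on F11 in the post -> HTTP/hades).
    canonicalize=False models clients that use the URL host verbatim
                       (Safari in the post -> HTTP/svn).
    """
    host = urlsplit(url).hostname.lower()
    if canonicalize:
        host = canonical_host(host, resolver)
    return "HTTP/%s@%s" % (host, realm)


# A ticket line in MIT or Heimdal klist output ends with service/instance@REALM.
_PRINC_RE = re.compile(r"(\S+/\S+@\S+)\s*$")


def cached_service_principals(klist_output):
    """Return the service principals listed in klist output, in order."""
    principals = []
    for line in klist_output.splitlines():
        m = _PRINC_RE.search(line)
        if m:
            principals.append(m.group(1))
    return principals


def diagnose(url, klist_output, canonicalize, realm=REALM, resolver=FAKE_DNS):
    """(wanted SPN, whether a ticket for it is already in the cache).

    This is the situation the post hit: svn only worked once Firefox had
    fetched HTTP/hades, and broke again after kdestroy/kinit emptied the cache.
    """
    want = expected_spn(url, canonicalize, realm, resolver)
    return want, want in set(cached_service_principals(klist_output))


def keytab_principals_needed(url, realm=REALM, resolver=FAKE_DNS):
    """HTTP/ principals the server keytab must hold so both client behaviours
    can authenticate; for the post that is HTTP/hades plus HTTP/svn."""
    return {expected_spn(url, False, realm, resolver),
            expected_spn(url, True, realm, resolver)}


# Constructed klist output (MIT layout) after Firefox has fetched HTTP/hades.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
07/16/09 20:40:00  07/17/09 06:40:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
07/16/09 20:45:12  07/17/09 06:40:00  HTTP/hades.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    url = "http://svn.example.com/svn/anthill/"
    for label, canon in (("canonicalizing client", True),
                         ("literal-host client", False)):
        spn, ok = diagnose(url, SAMPLE_KLIST, canon)
        print("%s wants %s: %s" % (label, spn, "cached" if ok else "NOT cached"))
    print("keytab needs:", sorted(keytab_principals_needed(url)))
```

On a real workstation, feed the output of the klist command in place of SAMPLE_KLIST; on the server, the two principals reported by keytab_principals_needed are the ones to add to the Apache keytab with kadmin's ktadd, which is what the post ended up doing for HTTP/svn.example.com alongside the existing HTTP/hades.example.com. The literal-host client in the sample finds no cached ticket and will have to request HTTP/svn itself, which is the case that fails when only the canonical principal exists on the server.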

Kerberos fun

This actually isn't a sarcastic title, for once. I'm actually having a blast fiddling with Kerberos these last few days. I was put into a position to do some Kerberos debugging for work, so I had to re-set up a Kerberos realm at home to do the testing. Of course, at the time I also updated my Using Kerberos 5 for Single Sign-On Authentication paper, which was a little out of date. So I updated that to be relevant to RHEL rather than Annvix, and fixed a few bits that were outdated.

Then I did more poking around and figured out a few bits that were preventing me from actually using it years ago when I first set up a Kerberos realm (it didn't seem overly useful to me at the time). I've got my OS X workstation kerberized, which was… not as straightforward as I would hope, but not awful (LDAP authentication from OpenLDAP is another matter entirely… still haven't nailed that yet). So right now on my network I have my workstation, my server, and two VMs kerberized, just for SSH for now. That doesn't seem really amazing since I've been using SSH keys for years, so no passwords anyway, but this seems even more hands-off and will help with future VM deployments since it should all work out of the box.

Then I've been poking around and found that you can hook MediaWiki up to LDAP/Kerberos for auth. I never knew that. All of a sudden this seems a lot cooler. Oh, and Subversion apparently works with Kerberos (using mod_auth_kerb). Then the icing on the cake was to see a python-kerberos module, which makes this *way* too interesting to ignore since I've been doing some Python coding recently and have really enjoyed it, and some future projects/ideas could really benefit from some Kerberos love.

Anyways, as I figure new bits out, I’ll be updating my linsec.ca wiki article — the info is out there but some of it isn’t the easiest to grok. Hopefully I can make it a bit more accessible/readable in the future.

Kerberos 5 authentication paper

Just finished the first draft of my Using Kerberos 5 for Single Sign-On Authentication paper. It needs to be re-read and proofed, and definitely needs some additions (e.g. Windows XP and Mac OS X clients, integrating with OpenLDAP, etc.), but for a starter it's pretty good (I needed it to document the setup and testing of Kerberos for security update testing anyway). Not bad… only 2 days of work to get it all figured out and written, although I think the server-side stuff will be the easy part and integrating with OS X and XP may be more of a PITA.