- Personal or standalone Mac running OS X 10.7 or 10.8.
- Tested on 10.7.x and 10.8.x with and without FileVault whole-disk-encryption.
- You should be comfortable editing system configuration files on your Mac as superuser.
This answer explains how to set up your standalone Mac to get Kerberos tickets on login (but not require a Kerberos login). In greater detail:
- We will set up the Mac to do post-login Kerberos authentication.
- This means it will still be a local login using your local username and password.
- If your local username and password match your Kerberos username and password Mac OS X will attempt to get you Kerberos tickets as you log in.
- If your local username or password do not match your Kerberos username and password, or if your machine is not on the network when you log in, the local login will proceed as usual but you will not get Kerberos tickets.
This setup is especially useful under Mac OS X Lion and Mountain Lion, because Apple's new (Heimdal-based) Kerberos will not automatically prompt you to authenticate when a Kerberos (GSSAPI) enabled application launches. Without tickets you have to get them manually with kinit in the Terminal, so having them at login saves you a few steps and a failed initial authentication attempt.
- Your Mac OS X username is exactly the same as your Kerberos username.
- Your Mac OS X password is the same as your Kerberos password.
- Kerberos is configured and working on your Mac.
This last prerequisite can be met by running the new version of Kerberos Extras for Mac OS X. At this point, typing kinit in a Terminal window with no additional arguments prompts you for your password and gets you valid Kerberos tickets.
Mac OS X Lion (10.7) and Mountain Lion (10.8) use a Pluggable Authentication Module (PAM) stack to try a variety of authentication mechanisms at login. It will actually try to get you Kerberos tickets without any reconfiguration. However, this fails by default in the MIT environment because Lion tries to look up your Kerberos principal in Open Directory, which we do not use; the default_principal keyword tells the Kerberos PAM module to build the principal from your login name and default realm instead (the same principal kinit uses when run with no arguments). You can work around this through a small reconfiguration of PAM:
- Make a backup copy of the file /etc/pam.d/authorization
- Edit the file /etc/pam.d/authorization as superuser
- Find the line that begins with:
The file is very short and this is usually the second line after the opening comment.
- Add the key word default_principal to the end of the line like so:
- Find the line that begins with:
- Save your changes to the file and reboot your Mac
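The edit above as a script, added here as an example and not part of the original answer: it backs up the file once, appends default_principal to the pam_krb5.so auth line (leaving the line alone if the keyword is already there, so it is safe to run twice), and leaves every other line, including the pam_opendirectory.so ones, untouched. Because the real /etc/pam.d/authorization needs root, the demo runs against a constructed sample file; the sample's contents, the function names and the .orig backup name are assumptions, so compare the sample with your own file before pointing enable_default_principal at /etc/pam.d/authorization.

```shell
#!/bin/sh
# Added example, not the original answer's code. Applies the default_principal
# edit to a PAM file, demonstrated on a constructed sample so it runs offline.

# Write a constructed sample resembling Lion's default /etc/pam.d/authorization
# (an assumption: verify against the real file before editing it).
make_sample_authorization() {
    cat > "$1" <<'EOF'
# authorization: auth account
auth       optional       pam_krb5.so use_first_pass use_kcminit
auth       sufficient     pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so
EOF
}

# True if an 'auth ... pam_krb5.so' line in the file already has the keyword.
has_default_principal() {
    grep -q '^auth[[:space:]].*pam_krb5\.so.*default_principal' "$1"
}

# Back up the file once (to <file>.orig), then append default_principal to every
# 'auth ... pam_krb5.so' line that does not already carry it. Other lines,
# including pam_opendirectory.so, are untouched. Safe to run twice.
enable_default_principal() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    [ -e "$file.orig" ] || cp -p "$file" "$file.orig"
    sed -e '/^auth[[:space:]].*pam_krb5\.so/{/default_principal/!s/$/ default_principal/;}' \
        "$file" > "$file.new"
    # Overwrite in place rather than mv, so the file keeps its owner and mode.
    cat "$file.new" > "$file"
    rm -f "$file.new"
}

# Demo on a throwaway copy. For the real thing run, as root:
#   enable_default_principal /etc/pam.d/authorization   (then reboot)
# and verify after logging in with: klist
tmpdir=$(mktemp -d)
make_sample_authorization "$tmpdir/authorization"
enable_default_principal "$tmpdir/authorization"
echo "--- before (backup) ---"; cat "$tmpdir/authorization.orig"
echo "--- after ---";           cat "$tmpdir/authorization"
rm -rf "$tmpdir"
```

If your file's pam_krb5.so line differs from the sample (different options, or a second pam_krb5.so line), read the sed pattern before running it: it matches any line starting with auth that mentions pam_krb5.so, and nothing else.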
If your Mac is on the network when you log in, and all the prerequisites are met, it will now try to get you Kerberos tickets automatically when you log in using your Mac OS X username and password. You can check whether you have tickets by issuing the klist command in a Terminal window.
This also works with pass-through authentication if you have your disk encrypted using FileVault and only a single user account set up. In this scenario you'll be prompted for your password by FileVault at boot, and you will be automatically logged into your account after boot completes, along with new Kerberos tickets, as long as your machine is on the network.
We've found that if your computer is not on the network, Mac OS X Lion (10.7) will create what Apple calls a "placeholder ticket", basically an empty credentials cache. This has odd side effects in some Kerberos-savvy applications. Ticket Viewer will display a non-existent ticket with an expiration time of 6/13/53 11:59 AM (that's 1953).
Most other Kerberos implementations will not create an empty credentials cache but initial feedback from Apple indicates this is a "feature" of Heimdal and not likely to be corrected. If you don't get a Kerberos ticket on login, running kinit from the command line will still work fine and get you a valid ticket once you have a network connection.