Q: How do I set up my Mac (10.7 or 10.8) to get Kerberos tickets at login?

Context

  • Personal or standalone Mac running OS X 10.7 or 10.8.
  • Tested on 10.7.x and 10.8.x with and without FileVault whole-disk-encryption.
  • You should be comfortable editing system configuration files on your Mac as superuser.

Answer

This answer explains how to set up your standalone Mac to get Kerberos tickets on login (but not require a Kerberos login). In greater detail:

  • We will set up the Mac to do post-login Kerberos authentication.
  • This means it will still be a local login using your local username and password.
  • If your local username and password match your Kerberos username and password Mac OS X will attempt to get you Kerberos tickets as you log in.
  • If your local username or password do not match your Kerberos username and password, or if your machine is not on the network when you log in, the local login will proceed as usual but you will not get Kerberos tickets.

It turns out this setup is especially useful under Mac OS X Lion and Mountain Lion, because Apple's new version of Kerberos will not automatically ask you to authenticate to Kerberos if a Kerberos (GSSAPI) enabled application launches. You need to get tickets manually via the Terminal, so having them at login can save you a few steps and a failed initial authentication attempt.

Steps

1. Make sure your environment meets all the prerequisites:

  • Your Mac OS X username is exactly the same as your Kerberos username.
  • Your Mac OS X password is the same as your Kerberos password.
  • Kerberos is configured and working on your Mac.
    This last prerequisite can be met by running the new version of Kerberos Extras for Mac OS X. Once it is in place, typing kinit in a Terminal window with no additional arguments prompts you for your password and gets you valid Kerberos tickets.

2. Asking for a ticket granting ticket at login:

Mac OS X Lion (10.7) and Mountain Lion (10.8) use a Pluggable Authentication Module (PAM) stack to try a variety of authentication mechanisms at login. The stack will actually try to get you Kerberos tickets without any reconfiguration. However, this fails by default in the MIT environment because Lion tries to look up your Kerberos principal in OpenDirectory, which we do not use. You can work around this with a small reconfiguration of PAM:

  1. Make a backup copy of the file /etc/pam.d/authorization
  2. Edit the file /etc/pam.d/authorization as superuser
    • Find the line that begins with:
      auth       optional       pam_krb5.so use_first_pass use_kcminit

      The file is very short and this is usually the second line after the opening comment.

    • Add the key word default_principal to the end of the line like so:
      auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
  3. Save your changes to the file and reboot your Mac
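The edit in step 2 can also be applied in a repeatable way. The following shell script is an added example (not part of the original article and not an MIT-provided tool): it backs the file up, appends default_principal to the pam_krb5.so line only if it is not already present, and prints the resulting diff. The sample authorization file it edits is constructed to resemble the stock 10.7/10.8 file; run the function against the real /etc/pam.d/authorization only as superuser.

```shell
#!/bin/sh
# Added example (not from the original KB article): apply the PAM edit above
# to a copy of /etc/pam.d/authorization, keeping a backup and refusing to
# double-apply. The sample file below is constructed; run the function against
# the real file only as superuser after reviewing the diff it prints.

# Extended regex (grep -E / sed -E) for the line the article tells you to edit.
KRB_LINE='^auth[[:space:]]+optional[[:space:]]+pam_krb5\.so'

# add_default_principal FILE: back FILE up to FILE.bak, then append
# default_principal to the pam_krb5.so auth line if it is not already there.
add_default_principal() {
    file="$1"
    # Refuse to touch a file that lacks the expected pam_krb5.so line.
    grep -Eq "$KRB_LINE" "$file" || return 2
    # Already patched: nothing to do, so the function is safe to re-run.
    has_default_principal "$file" && return 0
    cp "$file" "$file.bak"
    # Append the keyword to the matching line only; every other line is copied as-is.
    sed -E "/$KRB_LINE/ s/\$/ default_principal/" "$file.bak" > "$file"
}

# has_default_principal FILE: succeeds if the pam_krb5.so auth line carries default_principal.
has_default_principal() {
    grep -Eq "$KRB_LINE.*[[:space:]]default_principal([[:space:]]|\$)" "$1"
}

# Constructed sample resembling the 10.7/10.8 file; not a copy of a real one.
write_sample_authorization() {
    cat > "$1" <<'EOF'
# authorization: auth account
auth       optional       pam_krb5.so use_first_pass use_kcminit
auth       sufficient     pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so
EOF
}

# Demonstration on a temporary copy (real use: add_default_principal /etc/pam.d/authorization).
demo="${TMPDIR:-/tmp}/authorization.demo.$$"
write_sample_authorization "$demo"
add_default_principal "$demo"
diff "$demo.bak" "$demo" || true    # shows the single changed line
rm -f "$demo" "$demo.bak"
```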

If your Mac is on the network when you log in, and all the prerequisites are met, it will now try to automatically get you Kerberos tickets when you log in using your Mac OS X username and password. You can check whether you have tickets by issuing the klist command in a Terminal window.

This also works with pass-through authentication if you have your disk encrypted using FileVault and only a single user account set up. In this scenario you'll be prompted for your password by FileVault at boot, and you will be automatically logged into your account after boot completes, along with new Kerberos tickets, as long as your machine is on the network.

Known issues

Ticket Viewer displays a ticket with an expiration date in the past

We've found that if your computer is not on the network, Mac OS X Lion (10.7) will create what Apple calls a "placeholder ticket" – basically an empty credentials cache. This has odd side-effects in some Kerberos-savvy applications. Ticket Viewer will display a non-existent ticket with an expiration date of 6/13/53 11:59 AM (that's 1953).

Most other Kerberos implementations will not create an empty credentials cache but initial feedback from Apple indicates this is a "feature" of Heimdal and not likely to be corrected. If you don't get a Kerberos ticket on login, running kinit from the command line will still work fine and get you a valid ticket once you have a network connection.


Last Modified:

August 30, 2012
