
How do I set up my Mac to get Kerberos tickets at login?

Context

  • Personal or standalone Mac running OS X 10.7 or 10.8.
  • Tested on 10.7.x and 10.8.x with and without FileVault whole-disk-encryption.
  • You should be comfortable editing system configuration files on your Mac as superuser.

Answer

This answer explains how to set up your standalone Mac to get Kerberos tickets on login (but not require a Kerberos login). In greater detail:

  • We will set up the Mac to do post-login Kerberos authentication.
  • This means it will still be a local login using your local username and password.
  • If your local username and password match your Kerberos username and password Mac OS X will attempt to get you Kerberos tickets as you log in.
  • If your local username or password do not match your Kerberos username and password, or if your machine is not on the network when you log in, the local login will proceed as usual but you will not get Kerberos tickets.

It turns out this setup is especially useful under Mac OS X Lion and Mountain Lion, because Apple's new version of Kerberos will not automatically ask you to authenticate to Kerberos if a Kerberos (GSSAPI) enabled application launches. You need to get tickets manually via the Terminal, so having them at login can save you a few steps and a failed initial authentication attempt.

Steps

1. Make sure your environment meets all the prerequisites:

  • Your Mac OS X username is exactly the same as your Kerberos username.
  • Your Mac OS X password is the same as your Kerberos password.
  • Kerberos is configured and working on your Mac.
    This last prerequisite can be met by running the new version of Kerberos Extras for Mac OS X. At that point, typing kinit in a Terminal window with no additional arguments prompts you for your password and gets you valid Kerberos tickets.

2. Asking for a ticket granting ticket at login:

Mac OS X Lion (10.7) and Mountain Lion (10.8) use a Pluggable Authentication Module (PAM) stack to try a variety of authentication mechanisms at login. It will actually try to get you Kerberos tickets without reconfiguring anything. However, this fails by default in the MIT environment because Lion tries to look up your Kerberos principal in OpenDirectory, which we do not use. You can work around this through a small reconfiguration of PAM:

  1. Make a backup copy of the file /etc/pam.d/authorization
  2. Edit the file /etc/pam.d/authorization as superuser
    • Find the line that begins with:
      auth       optional       pam_krb5.so use_first_pass use_kcminit

      The file is very short and this is usually the second line after the opening comment.

    • Add the key word default_principal to the end of the line like so:
      auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
  3. Save your changes to the file and reboot your Mac
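An added example, not from the article or from MIT, that carries out steps 1 to 3 above as a POSIX sh script: it keeps a backup beside the file, appends default_principal to the pam_krb5.so auth line, and refuses to apply the edit a second time. The file contents embedded in the script are a constructed sample in the shape of the Lion/Mountain Lion file. Run with no argument it edits a temporary copy of that sample and touches nothing on the system; only when given /etc/pam.d/authorization as an argument (as superuser) does it edit the real file, after which you still reboot as in step 3.

```shell
#!/bin/sh
# Added example, not part of the original article: apply the step-2
# edit (append default_principal to the pam_krb5.so auth line) with a
# backup and a guard against editing the line twice.
set -eu

# Constructed sample in the shape of the Lion/Mountain Lion file.
# The real file is /etc/pam.d/authorization.
SAMPLE_AUTHORIZATION='# authorization: auth account
auth       optional       pam_krb5.so use_first_pass use_kcminit
auth       required       pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so'

# Basic regex matching the line the article tells you to find.
KRB5_LINE='^auth[[:space:]][[:space:]]*optional[[:space:]][[:space:]]*pam_krb5\.so'

make_sample() {
    # Write the constructed sample to the path given as $1.
    printf '%s\n' "$SAMPLE_AUTHORIZATION" > "$1"
}

krb5_line() {
    # Print the pam_krb5.so auth line from the file given as $1.
    grep "$KRB5_LINE" "$1"
}

add_default_principal() {
    # Edit the file given as $1 in place.
    # Exit status: 0 edited, 1 no pam_krb5.so auth line found,
    # 2 default_principal already present (file left untouched).
    file=$1
    grep -q "$KRB5_LINE" "$file" || return 1
    krb5_line "$file" | grep -q 'default_principal' && return 2
    # Step 1: keep a backup copy beside the file.
    cp -p "$file" "$file.bak"
    # sed -i is not portable between BSD and GNU sed, so write to a
    # temp file and copy the result back over the original; that keeps
    # the original's owner and mode, which matter for a PAM config.
    sed "/$KRB5_LINE/ s/\$/ default_principal/" "$file" > "$file.tmp"
    cat "$file.tmp" > "$file"
    rm -f "$file.tmp"
}

main() {
    if [ $# -ge 1 ]; then
        target=$1
    else
        target=$(mktemp "${TMPDIR:-/tmp}/authorization.XXXXXX")
        make_sample "$target"
        echo "no file given; editing a constructed copy at $target"
    fi
    echo "before: $(krb5_line "$target")"
    add_default_principal "$target" && rc=0 || rc=$?
    case $rc in
        0) echo "after:  $(krb5_line "$target")"
           echo "backup: $target.bak" ;;
        1) echo "no pam_krb5.so auth line in $target" ;;
        2) echo "default_principal already present; nothing changed" ;;
    esac
}

main "$@"
```

The guard against a second application matters because PAM module options are plain tokens: a duplicated default_principal is harmless to pam_krb5, but blindly appending on every run would also trample a file someone has already edited by hand.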

If your Mac is on the network when you log in, and all the prerequisites are met, it will now try to get you Kerberos tickets automatically using your Mac OS X username and password. You can check whether you have tickets by issuing the klist command in a Terminal window.

This also works with pass-through authentication if you have your disk encrypted using FileVault and only a single user account set up. In this scenario you'll be prompted for your password by FileVault at boot, and you will be automatically logged into your account after boot completes, along with new Kerberos tickets, as long as your machine is on the network.

Extra credit

If you have installed OpenAFS on your Mac (unsupported!) and you've successfully set up your Mac to get Kerberos tickets on login as described in this article, you may also want to configure your account to get AFS tokens. You can do so by adding the following to your .bash_profile configuration file in your home directory.

# Get AFS tokens if a valid Kerberos ticket granting ticket is present.
# "klist -s" exits 0 only when the cache holds a valid, unexpired ticket.
# Output is discarded because a failure here (no tickets, off the network)
# should not interrupt the login shell.
# "klist" and "aklog" need to be in the user's path.
if klist -s >/dev/null 2>&1; then
    aklog >/dev/null 2>&1
fi

See also

  • [Can I install OpenAFS on Windows or my Macintosh?]

Community

Documentation and information provided by the MIT Community


Last Modified:

November 22, 2016

Labels: kerberos, lion, tickets, login, kinit, pam, c-kerberos-mac