[OpenAFS-port-darwin] Re: Kerberos for Macintosh Login Authentication, Help?
Henry B. Hotz
hotz@jpl.nasa.gov
Mon, 21 Oct 2002 17:54:03 -0700
This is really frustrating. With all the documentation on the web it
seems like it should be working now. It *almost* works.
I've installed a edu.mit.Kerberos file on a just-upgraded OSX 10.2.1
system that didn't have it before.
>[machotz:~] hotz% more /Library/Preferences/edu.mit.Kerberos
>[libdefaults]
> default_realm = JPL.NASA.GOV
>[logging]
> default = FILE:/KLog
>[v4 realms]
> JPL.NASA.GOV = {
> kdc = eis-fil-afsdb08.jpl.nasa.gov
> kdc = eis-fil-afsdb09.jpl.nasa.gov
> kdc = eis-fil-afsdb10.jpl.nasa.gov
> admin_server = kerberos.jpl.nasa.gov
> default_domain = jpl.nasa.gov
> string_to_key_type = afs_string_to_key
> }
>[v4 domain_realm]
> .jpl.nasa.gov = JPL.NASA.GOV
> jpl.nasa.gov = JPL.NASA.GOV
Also modified /etc/authorization as follows:
><!-- Do kerberos authentication as a side-effect of loggin in.
>Local username/password will be used.
> -->
> <key>system.login.done</key>
> <dict>
> <key>eval</key>
> <string>switch_to_user, krb5auth:login</string>
> </dict>
Added group read access to ~/Library/Preferences/ (Do I really need
to do this?)
>[machotz:~] hotz% ls -ld ~/Library/Preferences/
>drwxr-x--- 94 hotz staff 3196 Oct 21 17:17 /Users/hotz/Library/Preferences/
Now kinit/klist/kdestroy work fine. The Kerberos GUI also works fine.
I've restarted the computer and when I log back in klist shows no
tickets. I have not installed the Kerberos Extras, but I don't think
I need them. What else do I need to do to get the login
authenticator to work?
Note that kpasswd does not work, and the /KLog file and console log
remain bare of any indications of any problem.
>[machotz:~] hotz% klist
>Kerberos 4 ticket cache: 'Initial default ccache'
>Default Principal: hotz@JPL.NASA.GOV
>Issued Expires Service Principal
>10/21/02 16:24:59 10/22/02 17:51:20 krbtgt.JPL.NASA.GOV@JPL.NASA.GOV
>
>[machotz:~] hotz% kpasswd
>Kerberos Change Password:
>Please enter the old password for hotz@JPL.NASA.GOV:
>Kerberos Change Password Failed: Principal unknown
>Please enter the old password for hotz@JPL.NASA.GOV:
kerberos is a CNAME for eis-fil-afsdb08. It's really running a
kaserver (hence the v4 and afs key stuff). I'm not trying to put my
home directory in AFS space, just gain access to AFS automatically on
login.
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
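As an added example, not part of the original post or of the OpenAFS or Kerberos for Macintosh projects: the Python below parses the edu.mit.Kerberos text quoted above (krb5.conf-style syntax with one level of `name = { ... }` nesting) and the `system.login.done` rule from `/etc/authorization`, then reports the configuration gaps a practitioner would check first when login produces no tickets: a missing realm stanza, no kdc or admin_server (kpasswd talks to the admin_server), a default_domain not mapped back to the realm, and the `krb5auth:login` mechanism missing or ordered before `switch_to_user`. The config text and the plist fragment are constructed from what the post shows; placing the rule under a top-level `rights` dict is an assumption about the file layout. The checks do not cover the kaserver side of the "Principal unknown" error.

```python
import plistlib
import re

# Constructed copy of the /Library/Preferences/edu.mit.Kerberos file quoted in the post.
KRB_CONF = """\
[libdefaults]
 default_realm = JPL.NASA.GOV
[logging]
 default = FILE:/KLog
[v4 realms]
 JPL.NASA.GOV = {
  kdc = eis-fil-afsdb08.jpl.nasa.gov
  kdc = eis-fil-afsdb09.jpl.nasa.gov
  kdc = eis-fil-afsdb10.jpl.nasa.gov
  admin_server = kerberos.jpl.nasa.gov
  default_domain = jpl.nasa.gov
  string_to_key_type = afs_string_to_key
 }
[v4 domain_realm]
 .jpl.nasa.gov = JPL.NASA.GOV
 jpl.nasa.gov = JPL.NASA.GOV
"""

# Constructed /etc/authorization fragment carrying the rule the post adds.
# Assumption: the rule lives under a top-level "rights" dict.
AUTH_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
 <key>rights</key>
 <dict>
  <key>system.login.done</key>
  <dict>
   <key>eval</key>
   <string>switch_to_user, krb5auth:login</string>
  </dict>
 </dict>
</dict>
</plist>
"""


def parse_krb_conf(text):
    """Parse krb5.conf-style text into {section: {key: [values]}}.
    A `key = {` line opens a nested dict (realm stanzas); `}` closes it.
    Repeated keys such as several `kdc` lines accumulate into a list."""
    sections = {}
    section = None
    block = None  # nested dict while inside a { ... } stanza
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = sections.setdefault(line[1:-1], {})
            block = None
            continue
        if section is None:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":
            block = None
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = section.setdefault(key, {})
            continue
        target = block if block is not None else section
        target.setdefault(key, []).append(value)
    return sections


def check_login_realm(conf):
    """Return the list of problems that would keep a login from getting v4 tickets
    for the default realm; an empty list means the file is internally consistent."""
    problems = []
    realm = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if not realm:
        return ["no default_realm in [libdefaults]"]
    stanza = conf.get("v4 realms", {}).get(realm)
    if not isinstance(stanza, dict):
        return [f"no [v4 realms] stanza for {realm}"]
    if not stanza.get("kdc"):
        problems.append(f"{realm} lists no kdc")
    if not stanza.get("admin_server"):
        problems.append(f"{realm} lists no admin_server (kpasswd needs one)")
    domain = stanza.get("default_domain", [None])[0]
    mapping = conf.get("v4 domain_realm", {})
    if domain and mapping.get(domain, [None])[0] != realm:
        problems.append(f"{domain} is not mapped to {realm} in [v4 domain_realm]")
    return problems


def login_done_mechanisms(plist_bytes):
    """Return the ordered mechanism list of the system.login.done rule."""
    rights = plistlib.loads(plist_bytes).get("rights", {})
    rule = rights.get("system.login.done", {})
    return [m.strip() for m in rule.get("eval", "").split(",") if m.strip()]


def check_login_done(mechs):
    """Mechanisms run in the listed order; the post puts switch_to_user first."""
    problems = []
    if "krb5auth:login" not in mechs:
        problems.append("krb5auth:login is not in system.login.done")
    elif "switch_to_user" in mechs and mechs.index("switch_to_user") > mechs.index("krb5auth:login"):
        problems.append("krb5auth:login is listed before switch_to_user")
    return problems


if __name__ == "__main__":
    found = check_login_realm(parse_krb_conf(KRB_CONF))
    found += check_login_done(login_done_mechanisms(AUTH_PLIST))
    print("\n".join(found) if found else "no configuration gaps found")
```

Run against the real files by swapping the constructed strings for `open(path).read()` and `open(path, 'rb').read()`; the parser only handles the one level of braces that realm stanzas use, which is all the quoted file needs.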