[OpenAFS-port-darwin] Re: Kerberos for Macintosh Login Authentication, Help?

David Botsch dwb7@ccmr.cornell.edu
Mon, 21 Oct 2002 21:31:22 -0400


There is another edit you need to make to /etc/authorization:

        <key>system.login.console</key>
        <dict>
                <key>eval</key>
                <string>loginwindow_builtin:login,krb5auth:authnoverify,loginwindow_builtin:success</string>
        </dict>


the edit you put in only gets you kerberos tickets when logging in but does not
actually authenticate you against kerberos.

On Mon, Oct 21, 2002 at 05:54:03PM -0700, Henry B. Hotz wrote:
> This is really frustrating.  With all the documentation on the web it 
> seems like it should be working now.  It *almost* works.
> 
> I've installed an edu.mit.Kerberos file on a just-upgraded OSX 10.2.1 
> system that didn't have it before.
> 
> >[machotz:~] hotz% more /Library/Preferences/edu.mit.Kerberos
> >[libdefaults]
> >         default_realm = JPL.NASA.GOV
> >[logging]
> >         default = FILE:/KLog
> >[v4 realms]
> >         JPL.NASA.GOV = {
> >                 kdc = eis-fil-afsdb08.jpl.nasa.gov
> >                 kdc = eis-fil-afsdb09.jpl.nasa.gov
> >                 kdc = eis-fil-afsdb10.jpl.nasa.gov
> >                 admin_server = kerberos.jpl.nasa.gov
> >                 default_domain = jpl.nasa.gov
> >                 string_to_key_type = afs_string_to_key
> >         }
> >[v4 domain_realm]
> >         .jpl.nasa.gov = JPL.NASA.GOV
> >         jpl.nasa.gov = JPL.NASA.GOV
> 
> Also modified /etc/authorization as follows:
> 
> ><!-- Do kerberos authentication as a side-effect of logging in. 
> >Local username/password will be used.
> >  -->
> >         <key>system.login.done</key>
> >         <dict>
> >                 <key>eval</key>
> >                 <string>switch_to_user, krb5auth:login</string>
> >         </dict>
> 
> Added group read access to ~/Library/Preferences/  (Do I really need 
> to do this?)
> 
> >[machotz:~] hotz% ls -ld ~/Library/Preferences/
> >drwxr-x---  94 hotz  staff  3196 Oct 21 17:17 /Users/hotz/Library/Preferences/
> 
> Now kinit/klist/kdestroy work fine.  The Kerberos GUI also works fine. 
> I've restarted the computer and when I log back in klist shows no 
> tickets.  I have not installed the Kerberos Extras, but I don't think 
> I need them.  What else do I need to do to get the login 
> authenticator to work?
> 
> Note that kpasswd does not work, and the /KLog file and console log 
> remain bare of any indications of any problem.
> 
> >[machotz:~] hotz% klist
> >Kerberos 4 ticket cache: 'Initial default ccache'
> >Default Principal: hotz@JPL.NASA.GOV
> >Issued             Expires            Service Principal
> >10/21/02 16:24:59  10/22/02 17:51:20  krbtgt.JPL.NASA.GOV@JPL.NASA.GOV
> >
> >[machotz:~] hotz% kpasswd
> >Kerberos Change Password:
> >Please enter the old password for hotz@JPL.NASA.GOV:
> >Kerberos Change Password Failed: Principal unknown
> >Please enter the old password for hotz@JPL.NASA.GOV:
> 
> kerberos is a CNAME for eis-fil-afsdb08.  It's really running a 
> kaserver (hence the v4 and afs key stuff).  I'm not trying to put my 
> home directory in AFS space, just gain access to AFS automatically on 
> login.
> -- 
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu

-- 
********************************
David William Botsch
Consultant/Advisor II
CCMR Computing Facility
dwb7@ccmr.cornell.edu
********************************
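The distinction the reply makes is easy to get wrong when auditing a machine: a `krb5auth:login` mechanism under `system.login.done` only fetches tickets after a local password check, while `krb5auth:authnoverify` in the `system.login.console` chain is what actually authenticates the user against the KDC. The script below is an added example, not code from the thread or from Apple; it parses an `/etc/authorization`-style XML plist with the standard library `plistlib` and reports which of the two situations a given file is in. It assumes the file's top-level dict carries a `rights` dict keyed by right name, each with a comma-separated `eval` string as in the snippets above; the two sample plists are constructed here to mirror the "tickets only" edit and the corrected one.

```python
"""Audit an /etc/authorization plist for Kerberos login authentication.

Added example (not from the mailing-list thread). Assumptions: an XML plist
whose top-level dict has a "rights" dict keyed by right name, each with an
"eval" string of comma-separated mechanisms, evaluated in order.
"""
import plistlib

# Mechanism that authenticates the password against the KDC (from the thread).
AUTH_MECHANISM = "krb5auth:authnoverify"
# Mechanism that only obtains tickets as a side effect of a local login.
TICKET_MECHANISM = "krb5auth:login"
# Loginwindow mechanism that completes the console login.
SUCCESS_MECHANISM = "loginwindow_builtin:success"


def mechanisms(plist_bytes, right):
    """Return the mechanism chain for one right as a list (empty if absent)."""
    data = plistlib.loads(plist_bytes)
    rule = data.get("rights", {}).get(right, {})
    chain = rule.get("eval", "")
    # Tolerate the "switch_to_user, krb5auth:login" spacing seen in the thread.
    return [m.strip() for m in chain.split(",") if m.strip()]


def auth_precedes_success(chain):
    """True only if the KDC check runs before loginwindow declares success."""
    if AUTH_MECHANISM not in chain or SUCCESS_MECHANISM not in chain:
        return False
    return chain.index(AUTH_MECHANISM) < chain.index(SUCCESS_MECHANISM)


def audit(plist_bytes):
    """Summarise whether console logins are authenticated via Kerberos."""
    console = mechanisms(plist_bytes, "system.login.console")
    done = mechanisms(plist_bytes, "system.login.done")
    authenticates = auth_precedes_success(console)
    return {
        "authenticates_via_kerberos": authenticates,
        # The situation the reply describes: tickets appear, but the local
        # password alone decided whether the login succeeded.
        "fetches_tickets_only": TICKET_MECHANISM in done and not authenticates,
        "console_chain": console,
    }


def sample_plist(console_eval, done_eval):
    """Build a minimal constructed plist carrying the two login rights."""
    return plistlib.dumps({
        "rights": {
            "system.login.console": {"eval": console_eval},
            "system.login.done": {"eval": done_eval},
        }
    })


# Constructed sample: the "tickets as a side effect" edit from the question.
TICKETS_ONLY = sample_plist(
    "loginwindow_builtin:login,loginwindow_builtin:success",
    "switch_to_user, krb5auth:login",
)
# Constructed sample: the console chain from the reply, with the KDC check
# placed before loginwindow_builtin:success.
KERBEROS_AUTH = sample_plist(
    "loginwindow_builtin:login,krb5auth:authnoverify,loginwindow_builtin:success",
    "switch_to_user, krb5auth:login",
)

if __name__ == "__main__":
    for name, blob in (("tickets only", TICKETS_ONLY), ("kerberos auth", KERBEROS_AUTH)):
        print(name, audit(blob))
```

Run it against a real file with `audit(open("/etc/authorization", "rb").read())`; a result of `fetches_tickets_only: True` is exactly the state described in the reply, where `klist` can show tickets while the KDC never vetted the login.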