[OpenAFS-port-darwin] Re: Kerberos for Macintosh Login Authentication, Help?
Scott McGuire
smcguire@MIT.EDU
Mon, 21 Oct 2002 21:34:16 -0400
At 5:54 PM -0700 10/21/02, Henry B. Hotz wrote:
>Also modified /etc/authorization as follows:
>
>><!-- Do kerberos authentication as a side-effect of loggin in.
>>Local username/password will be used.
>> -->
>> <key>system.login.done</key>
>> <dict>
>> <key>eval</key>
>> <string>switch_to_user, krb5auth:login</string>
>> </dict>
>
>Now kinit/klist/kdestoy work fine. The Kerberos GUI also works
>fine. I've restarted the computer and when I log back in klist shows
>no tickets. I have not installed the Kerberos Extras, but I don't
>think I need them. What else do I need to do to get the login
>authenticator to work?
I can help with this part of your questions. The originally
published Apple documentation for the authenticator had a typo in it.
You need to eliminate the space between "switch_to_user" and
"krb5auth:login", that is, the line should read:
<string>switch_to_user,krb5auth:login</string>
You should re-read and check your changes against the current version
of the "Mac OS X 10.2: How to Enable Kerberos Authentication for
Login Window" document, which has had a few problems corrected since
it was first released:
<http://docs.info.apple.com/article.html?artnum=107154>
but removing the space should allow getting Kerberos tickets as a
side effect of logging in.
--
Scott McGuire / smcguire@mit.edu
MIT Information Systems Macintosh Developer