[OpenAFS-port-darwin] Re: Kerberos for Macintosh Login Authentication, Help?
David Botsch
dwb7@ccmr.cornell.edu
Tue, 22 Oct 2002 17:27:49 -0400
Ok. Then, the user must exist locally, but I believe the username will
need to be the same as that on the kerberos server (and your
edu.mit.Kerberos must be set up correctly). You don't need the edit I
suggested, just the system.login.done one which will get you tickets
after logging in.
On 2002.10.22 16:07 Henry B. Hotz wrote:
> At 9:31 PM -0400 10/21/02, David Botsch wrote:
>> There is another edit you need to make to /etc/authorization:
>>
>> <key>system.login.console</key>
>> <dict>
>> <key>eval</key>
>>
>> <string>loginwindow_builtin:login,krb5auth:authnoverify,loginwindow_builtin:success</string
>>
>>
>> the edit you put in only gets you kerberos tickets when loggin in
>> but does not
>> actually authenticate you against kerberos.
>
> I don't want login dependent on having a network connection, much
> less having the server running properly. I just want to get a ticket
> if it's possible.
>
> Do I still need to do the extra edit? My interpretation of the web
> pages was that I didn't need it for my loose dependence.
>
> I think I'm asking a real dumb, newby type question. If the built-in
> KfM stuff weren't so new I'd feel really stupid. Maybe.
>
> Thanks for responding!
>
> On Mon, Oct 21, 2002 at 05:54:03PM -0700, Henry B. Hotz wrote:
>> This is really frustrating. With all the documentation on the web
>> it
>> seems like it should be working now. It *almost* works.
>>
>> I've installed a edu.mit.Kerberos file on a just-upgraded OSX 10.2.1
>> system that didn't have it before.
>>
>> >[machotz:~] hotz% more /Library/Preferences/edu.mit.Kerberos
>> >[libdefaults]
>> > default_realm = JPL.NASA.GOV
>> >[logging]
>> > default = FILE:/KLog
>> >[v4 realms]
>> > JPL.NASA.GOV = {
>> > kdc = eis-fil-afsdb08.jpl.nasa.gov
>> > kdc = eis-fil-afsdb09.jpl.nasa.gov
>> > kdc = eis-fil-afsdb10.jpl.nasa.gov
>> > admin_server = kerberos.jpl.nasa.gov
>> > default_domain = jpl.nasa.gov
>> > string_to_key_type = afs_string_to_key
>> > }
>> >[v4 domain_realm]
>> > .jpl.nasa.gov = JPL.NASA.GOV
>> > jpl.nasa.gov = JPL.NASA.GOV
>>
>> Also modified /etc/authorization as follows:
>>
>> ><!-- Do kerberos authentication as a side-effect of loggin in.
>> >Local username/password will be used.
>> > -->
>> > <key>system.login.done</key>
>> > <dict>
>> > <key>eval</key>
>> > <string>switch_to_user, krb5auth:login</string>
>> > </dict>
>>
>> Added group read access to ~/Library/Preferences/ (Do I really need
>> to do this?)
>>
>> >[machotz:~] hotz% ls -ld ~/Library/Preferences/
>> >drwxr-x--- 94 hotz staff 3196 Oct 21 17:17
>> /Users/hotz/Library/Preferences/
>>
>> Now kinit/klist/kdestoy work fine. The Kerberos GUI also works
>> fine.
>> I've restarted the computer and when I log back in klist shows no
>> tickets. I have not installed the Kerberos Extras, but I don't
>> think
>> I need them. What else do I need to do to get the login
>> authenticator to work?
>>
>> Note that kpasswd does not work, and the /KLog file and console log
>> remain bare of any indications of any problem.
>>
>> >[machotz:~] hotz% klist
>> >Kerberos 4 ticket cache: 'Initial default ccache'
>> >Default Principal: hotz@JPL.NASA.GOV
>> >Issued Expires Service Principal
>> >10/21/02 16:24:59 10/22/02 17:51:20
>> krbtgt.JPL.NASA.GOV@JPL.NASA.GOV
>> >
>> >[machotz:~] hotz% kpasswd
>> >Kerberos Change Password:
>> >Please enter the old password for hotz@JPL.NASA.GOV:
>> >Kerberos Change Password Failed: Principal unknown
>> >Please enter the old password for hotz@JPL.NASA.GOV:
>>
>> kerberos is a CNAME for eis-fil-afsdb08. It's really running a
>> kaserver (hence the v4 and afs key stuff). I'm not trying to put my
>> home directory in AFS space, just gain access to AFS automatically
>> on
>> login.
>> --
>> The opinions expressed in this message are mine,
>> not those of Caltech, JPL, NASA, or the US Government.
>> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
>
>--
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
--
********************************
David William Botsch
Consultant/Advisor II
CCMR Computing Facility
dwb7@ccmr.cornell.edu
********************************