[OpenAFS-port-darwin] Re: Kerberos for Macintosh Login Authentication, Help?

David Botsch dwb7@ccmr.cornell.edu
Tue, 22 Oct 2002 17:27:49 -0400


Ok. Then, the user must exist locally, but I believe the username will 
need to be the same as that on the kerberos server (and your 
edu.mit.Kerberos must be set up correctly). You don't need the edit I 
suggested, just the system.login.done one which will get you tickets 
after logging in.

On 2002.10.22 16:07 Henry B. Hotz wrote:
> At 9:31 PM -0400 10/21/02, David Botsch wrote:
>> There is another edit you need to make to /etc/authorization:
>> 
>>         <key>system.login.console</key>
>>         <dict>
>>                 <key>eval</key>
>>                 <string>loginwindow_builtin:login,krb5auth:authnoverify,loginwindow_builtin:success</string>
>>         </dict>
>> 
>> the edit you put in only gets you kerberos tickets when logging in
>> but does not actually authenticate you against kerberos.
> 
> I don't want login dependent on having a network connection, much 
> less having the server running properly.  I just want to get a ticket 
> if it's possible.
> 
> Do I still need to do the extra edit?  My interpretation of the web 
> pages was that I didn't need it for my loose dependence.
> 
> I think I'm asking a real dumb, newbie type question.  If the built-in 
> KfM stuff weren't so new I'd feel really stupid.  Maybe.
> 
> Thanks for responding!
> 
> On Mon, Oct 21, 2002 at 05:54:03PM -0700, Henry B. Hotz wrote:
>>  This is really frustrating.  With all the documentation on the web it
>>  seems like it should be working now.  It *almost* works.
>> 
>>  I've installed an edu.mit.Kerberos file on a just-upgraded OSX 10.2.1
>>  system that didn't have it before.
>> 
>>  >[machotz:~] hotz% more /Library/Preferences/edu.mit.Kerberos
>>  >[libdefaults]
>>  >         default_realm = JPL.NASA.GOV
>>  >[logging]
>>  >         default = FILE:/KLog
>>  >[v4 realms]
>>  >         JPL.NASA.GOV = {
>>  >                 kdc = eis-fil-afsdb08.jpl.nasa.gov
>>  >                 kdc = eis-fil-afsdb09.jpl.nasa.gov
>>  >                 kdc = eis-fil-afsdb10.jpl.nasa.gov
>>  >                 admin_server = kerberos.jpl.nasa.gov
>>  >                 default_domain = jpl.nasa.gov
>>  >                 string_to_key_type = afs_string_to_key
>>  >         }
>>  >[v4 domain_realm]
>>  >         .jpl.nasa.gov = JPL.NASA.GOV
>>  >         jpl.nasa.gov = JPL.NASA.GOV
>> 
>>  Also modified /etc/authorization as follows:
>> 
>>  ><!-- Do kerberos authentication as a side-effect of logging in.
>>  >Local username/password will be used.
>>  >  -->
>>  >         <key>system.login.done</key>
>>  >         <dict>
>>  >                 <key>eval</key>
>>  >                 <string>switch_to_user, krb5auth:login</string>
>>  >         </dict>
>> 
>>  Added group read access to ~/Library/Preferences/  (Do I really need
>>  to do this?)
>> 
>>  >[machotz:~] hotz% ls -ld ~/Library/Preferences/
>>  >drwxr-x---  94 hotz  staff  3196 Oct 21 17:17 
>> /Users/hotz/Library/Preferences/
>> 
>>  Now kinit/klist/kdestroy work fine.  The Kerberos GUI also works fine.
>>  I've restarted the computer and when I log back in klist shows no
>>  tickets.  I have not installed the Kerberos Extras, but I don't think
>>  I need them.  What else do I need to do to get the login
>>  authenticator to work?
>> 
>>  Note that kpasswd does not work, and the /KLog file and console log
>>  remain bare of any indications of any problem.
>> 
>>  >[machotz:~] hotz% klist
>>  >Kerberos 4 ticket cache: 'Initial default ccache'
>>  >Default Principal: hotz@JPL.NASA.GOV
>>  >Issued             Expires            Service Principal
>>  >10/21/02 16:24:59  10/22/02 17:51:20  
>> krbtgt.JPL.NASA.GOV@JPL.NASA.GOV
>>  >
>>  >[machotz:~] hotz% kpasswd
>>  >Kerberos Change Password:
>>  >Please enter the old password for hotz@JPL.NASA.GOV:
>>  >Kerberos Change Password Failed: Principal unknown
>>  >Please enter the old password for hotz@JPL.NASA.GOV:
>> 
>>  kerberos is a CNAME for eis-fil-afsdb08.  It's really running a
>>  kaserver (hence the v4 and afs key stuff).  I'm not trying to put my
>>  home directory in AFS space, just gain access to AFS automatically on
>>  login.
>>  --
>>  The opinions expressed in this message are mine,
>>  not those of Caltech, JPL, NASA, or the US Government.
>>  Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
> 
>-- 
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu

-- 
********************************
David William Botsch
Consultant/Advisor II
CCMR Computing Facility
dwb7@ccmr.cornell.edu
********************************
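The thread turns on which /etc/authorization right carries the krb5auth mechanism: in system.login.console it is part of the authentication chain, in system.login.done it only fetches tickets after a local login. The following is an added example, not code from the list or from Apple, that parses an /etc/authorization-style plist and reports which of the two roles Kerberos plays. It assumes the 10.2-era layout quoted above (a top-level "rights" dictionary whose entries carry a comma-separated "eval" string); the sample plist is constructed from the fragments in the thread.

```python
import plistlib

# Constructed sample in the assumed 10.2-era /etc/authorization layout,
# combining both edits discussed in the thread.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>rights</key>
    <dict>
        <key>system.login.console</key>
        <dict>
            <key>eval</key>
            <string>loginwindow_builtin:login,krb5auth:authnoverify,loginwindow_builtin:success</string>
        </dict>
        <key>system.login.done</key>
        <dict>
            <key>eval</key>
            <string>switch_to_user, krb5auth:login</string>
        </dict>
    </dict>
</dict>
</plist>
"""


def mechanisms(authorization, right):
    """Return the ordered mechanism list for one right, or [] if absent.

    The eval string is comma separated and may carry stray spaces
    (the thread's own sample has "switch_to_user, krb5auth:login").
    """
    rights = plistlib.loads(authorization).get("rights", {})
    evalstr = rights.get(right, {}).get("eval", "")
    return [m.strip() for m in evalstr.split(",") if m.strip()]


def kerberos_role(authorization):
    """Classify how Kerberos participates in console login.

    "authenticates": krb5auth sits in system.login.console, so the login
                     itself is checked against the KDC.
    "tickets-only":  krb5auth only appears in system.login.done, so the
                     local password decides and a ticket is fetched after.
    "none":          no krb5auth mechanism in either right.
    """
    in_console = any(m.startswith("krb5auth:")
                     for m in mechanisms(authorization, "system.login.console"))
    in_done = any(m.startswith("krb5auth:")
                  for m in mechanisms(authorization, "system.login.done"))
    return "authenticates" if in_console else "tickets-only" if in_done else "none"
```

Run it against a copy of a real /etc/authorization to see at a glance whether a machine can log in with the network down (tickets-only) or requires the KDC (authenticates).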