Kerberos authentication under Lion

Firstly, thanks to Roy Long and Scott Gallagher for their presentation at the 2012 PSU Mac Admin Conference.

Also, thanks to Rusty Myers for the CLC Package.

Lion no longer uses MIT Kerberos and has switched to Heimdal. This deprecates the krb5authnoverify method and hands Kerberos authentication over to the PAM stacks in /etc/pam.d. To enable Kerberos authentication, a /Library/Preferences/edu.mit.Kerberos or /etc/krb5.conf file is needed. It should follow this format:
[libdefaults]
default_realm = CC.COLUMBIA.EDU
[realms]
CC.COLUMBIA.EDU = {
kdc = kerberos.cc.columbia.edu:88
kdc = krb2.cc.columbia.edu:88
admin_server = kerberos.cc.columbia.edu:749
default_domain = cc.columbia.edu
}
[domain_realm]
.cc.columbia.edu = CC.COLUMBIA.EDU
cc.columbia.edu = CC.COLUMBIA.EDU
.columbia.edu = CC.COLUMBIA.EDU
columbia.edu = CC.COLUMBIA.EDU
[logging]
kdc = FILE:/var/log/krb5kdc/kdc.log
admin_server = FILE:/var/log/krb5kdc/kadmin.log

Next we need to make changes to /etc/pam.d/authorization. The original post marked deletions in red and changes/additions in green; that colouring is not reproduced here, so the block below shows the file as it reads after the edit:
# authorization: auth account
auth sufficient pam_krb5.so use_first_pass default_principal use_kcminit
auth optional pam_ntlm.so use_first_pass
auth required pam_opendirectory.so use_first_pass
account required pam_opendirectory.so

This handles authentication at the login screen, but we still need to update /etc/pam.d/screensaver so that unlocking the screen also authenticates against Kerberos:

# screensaver: auth account
auth sufficient pam_krb5.so use_first_pass default_principal use_kcminit
auth required pam_opendirectory.so use_first_pass
account required pam_opendirectory.so
account sufficient pam_self.so
account required pam_group.so no_warn group=admin,wheel fail_safe
account required pam_group.so no_warn deny group=admin,wheel ruser fail_safe

And that’s that. This can also be packaged and deployed to clients via Munki. PSU has a CLC package (though it’ll have to be reworked for Columbia’s environment). The basic steps are:

  1. Set up one client with LDAP
  2. Package the LDAP plist from /Library/Preferences/OpenDirectory/Configurations/LDAPv3
  3. Package the MIT Kerberos file
  4. Package /etc/pam.d/authorization, /etc/pam.d/screensaver
  5. Edit the CLC’s existing preflight to back up copies of the files you’re editing, e.g. the MIT Kerberos file, /etc/pam.d/authorization, /etc/pam.d/screensaver, the LDAP plist
  6. Edit the CLC’s existing postflight to add the LDAP server to the machine’s search path and then remove the edit to /etc/authorization.
  7. Profit.
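As an added example (not code from the post or from the PSU CLC package), here is a small shell helper in the spirit of steps 5 and 6: a preflight-style backup of a file you are about to edit, and a check that a pam.d file still carries the sufficient pam_krb5.so line ahead of the required pam_opendirectory.so line, which lets a postflight or a periodic Munki check notice when an OS update has reset the file. The function names, arguments and sample files are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post or the CLC package.

# backup_file SRC DESTDIR: copy SRC into DESTDIR under a timestamped name
# (what the CLC preflight should do before the package overwrites SRC)
# and print the path of the copy.
backup_file() {
    src="$1"; destdir="$2"
    [ -f "$src" ] || return 1
    mkdir -p "$destdir" || return 1
    dest="$destdir/$(basename "$src").$(date +%Y%m%d%H%M%S)"
    cp -p "$src" "$dest" && printf '%s\n' "$dest"
}

# pam_has_krb5 FILE: succeed only if FILE has an uncommented
# "auth sufficient pam_krb5.so ... use_first_pass" line that appears
# before the "auth required pam_opendirectory.so" line, i.e. the stack
# the post puts into /etc/pam.d/authorization and /etc/pam.d/screensaver.
pam_has_krb5() {
    awk '
        /^[[:space:]]*#/ { next }                 # skip comments
        $1 == "auth" && $2 == "sufficient" && $3 == "pam_krb5.so" \
            && $0 ~ /use_first_pass/ { if (!od) krb = 1 }
        $1 == "auth" && $2 == "required" && $3 == "pam_opendirectory.so" { od = 1 }
        END { if (krb && od) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample files so the helpers can be run stand-alone.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/screensaver.good" <<'EOF'
# screensaver: auth account
auth sufficient pam_krb5.so use_first_pass default_principal use_kcminit
auth required pam_opendirectory.so use_first_pass
account required pam_opendirectory.so
EOF
cat > "$SAMPLE_DIR/screensaver.reset" <<'EOF'
# screensaver: auth account (constructed: Kerberos line missing)
auth required pam_opendirectory.so use_first_pass
account required pam_opendirectory.so
EOF

# Typical use: back up, then verify; a failed check means the file drifted.
backup_file "$SAMPLE_DIR/screensaver.good" "$SAMPLE_DIR/backup" >/dev/null
pam_has_krb5 "$SAMPLE_DIR/screensaver.good"  && echo "good: Kerberos stack present"
pam_has_krb5 "$SAMPLE_DIR/screensaver.reset" || echo "reset: Kerberos stack missing"
```

Pointing pam_has_krb5 at the real /etc/pam.d/authorization and /etc/pam.d/screensaver after each update is a cheap way to catch the reset the comment below describes.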

4 thoughts on “Kerberos authentication under Lion”

  1. Pingback: Kerberos Authentication in Lion and Mt. Lion | Electric Box – Blog

  2. Hello. Is there a way to protect these files? It seems that after OS patches, these changes are reset to default… Thanks!
