Kerberos authentication under Lion

Firstly, thanks to Roy Long and Scott Gallagher for their presentation at the 2012 PSU Mac Admin Conference.

Also, thanks to Rusty Myers for the CLC Package.

Lion no longer uses MIT Kerberos; it has switched to Heimdal. This deprecates the krb5authnoverify method and hands Kerberos authentication over to the PAM configuration under /etc/pam.d. To enable Kerberos authentication, a /Library/Preferences/ or /etc/krb5.conf file is needed. It should follow this format (the realm's own values are left blank here and must be filled in for your site):
[libdefaults]
    default_realm = CC.COLUMBIA.EDU

[realms]
    CC.COLUMBIA.EDU = {
        kdc =
        kdc =
        admin_server =
        default_domain =
    }

[logging]
    kdc = FILE:/var/log/krb5kdc/kdc.log
    admin_server = FILE:/var/log/krb5kdc/kadmin.log

Next we need to make changes to /etc/pam.d/authorization (red indicates deletion, and green indicates changes/additions):
# authorization: auth account
# module column (pam_krb5.so, pam_opendirectory.so) as in Lion's stock /etc/pam.d/authorization
auth       sufficient     pam_krb5.so use_first_pass default_principal use_kcminit
auth       optional       pam_krb5.so use_first_pass
auth       required       pam_opendirectory.so use_first_pass
account    required       pam_opendirectory.so

This handles authentication at the login screen, but we still need to update /etc/pam.d/screensaver to handle kerberos authentication:

# screensaver: auth account
# module column (pam_krb5.so, pam_opendirectory.so, pam_self.so, pam_group.so) as in Lion's stock /etc/pam.d/screensaver
auth       sufficient     pam_krb5.so use_first_pass default_principal use_kcminit
auth       required       pam_opendirectory.so use_first_pass
account    required       pam_opendirectory.so
account    sufficient     pam_self.so
account    required       pam_group.so no_warn group=admin,wheel fail_safe
account    required       pam_group.so no_warn deny group=admin,wheel ruser fail_safe

And that’s that. This can also be packaged and deployed to clients via Munki. PSU has a CLC package (though it’ll have to be reworked for Columbia’s environment). The basic steps are:

  1. Set up one client with LDAP
  2. Package the LDAP plist from /Library/Preferences/OpenDirectory/Configurations/LDAPv3
  3. Package the MIT Kerberos file
  4. Package /etc/pam.d/authorization, /etc/pam.d/screensaver
  5. Edit the CLC’s existing preflight to back up copies of the files you’re editing, e.g. the MIT Kerberos file, /etc/pam.d/authorization, /etc/pam.d/screensaver, the LDAP plist
  6. Edit the CLC’s existing postflight to add the LDAP server to the machine’s search path and then remove the edit to /etc/authorization.
  7. Profit.
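Steps 4 to 6 come down to: stage the new files, back up what they replace, install, and fix up the search path. As an added example that is not from the post or the PSU CLC package, here is a preflight-style shell script that does the step 5 backup and, before anything is installed, checks that every active line of a staged pam.d file names a module, since a malformed /etc/pam.d/authorization or screensaver can lock every user out of the machine; BACKUP_DIR, STAGE_DIR and their defaults are assumptions.

```shell
#!/bin/sh
# Added example, not part of the post or the PSU CLC package: a preflight
# helper that backs up the files the package will overwrite and sanity-checks
# pam.d files before they are installed. BACKUP_DIR default is hypothetical.
BACKUP_DIR="${BACKUP_DIR:-/var/root/kerberos-auth-backup}"

# backup_file SRC DEST_DIR: copy SRC into DEST_DIR with a timestamp suffix,
# preserving mode and ownership (-p). Returns 1 if SRC does not exist.
backup_file() {
    src="$1"; dest_dir="$2"
    [ -f "$src" ] || { echo "skip: $src not present" >&2; return 1; }
    mkdir -p "$dest_dir" || return 1
    cp -p "$src" "$dest_dir/$(basename "$src").$(date +%Y%m%d%H%M%S)"
}

# check_pam_file FILE: every non-comment, non-blank line must read
#   <auth|account|password|session> <control> <module>.so [options...]
# A rule with no module column is not valid PAM configuration and can break
# login, so report it and return 1 before the file is deployed.
check_pam_file() {
    awk '
        BEGIN { bad = 0 }
        NF == 0 || $1 ~ /^#/ { next }
        $1 !~ /^(auth|account|password|session)$/ ||
        $2 !~ /^(required|requisite|sufficient|optional|binding)$/ ||
        $3 !~ /\.so$/ {
            print FILENAME ":" NR ": malformed pam line: " $0 > "/dev/stderr"
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# preflight_backup: back up the files the post lists in step 5, then refuse to
# continue if a staged pam.d file is malformed. Staged copies are assumed to
# live under STAGE_DIR (hypothetical), mirroring their final paths.
preflight_backup() {
    STAGE_DIR="${STAGE_DIR:-/tmp/kerberos-auth-stage}"
    for f in /etc/krb5.conf /etc/pam.d/authorization /etc/pam.d/screensaver \
             /Library/Preferences/OpenDirectory/Configurations/LDAPv3/*.plist; do
        backup_file "$f" "$BACKUP_DIR" || true   # a missing file is not fatal
    done
    for f in authorization screensaver; do
        check_pam_file "$STAGE_DIR/etc/pam.d/$f" || return 1
    done
}
```

Call preflight_backup from the package preflight; a non-zero exit aborts the install before any stock file has been replaced.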