Kerberos authentication under Lion

Firstly, thanks to Roy Long and Scott Gallagher for their presentation at the 2012 PSU Mac Admin Conference.

Also, thanks to Rusty Myers for the CLC Package.

Lion no longer uses MIT Kerberos and has switched to Heimdal. This deprecates the krb5authnoverify mechanism in /etc/authorization and hands Kerberos authentication over to the PAM stacks in /etc/pam.d. To enable Kerberos authentication, a /Library/Preferences/edu.mit.Kerberos or /etc/krb5.conf file is needed. It should follow this format:
[libdefaults]
default_realm = CC.COLUMBIA.EDU
[realms]
CC.COLUMBIA.EDU = {
kdc = kerberos.cc.columbia.edu:88
kdc = krb2.cc.columbia.edu:88
admin_server = kerberos.cc.columbia.edu:749
default_domain = cc.columbia.edu
}
[domain_realm]
.cc.columbia.edu = CC.COLUMBIA.EDU
cc.columbia.edu = CC.COLUMBIA.EDU
.columbia.edu = CC.COLUMBIA.EDU
columbia.edu = CC.COLUMBIA.EDU
[logging]
kdc = FILE:/var/log/krb5kdc/kdc.log
admin_server = FILE:/var/log/krb5kdc/kadmin.log
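As an added example (not code from the original post), the following Python parses a file in the format above and shows how the [domain_realm] section is consulted: an exact hostname entry wins, then parent domains written with a leading dot are tried from most to least specific, and default_realm from [libdefaults] is the fallback. The sample text embedded below is constructed from the configuration shown on this page; the function names are this example's own.

```python
"""Parse a krb5.conf-style file and map hostnames to Kerberos realms.

Added example, not from the original post. Handles the [section],
key = value and key = { ... } layout used above; a repeated key (the two
kdc lines) is collected into a list.
"""
import re

# Constructed sample input: the configuration shown in the post.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = CC.COLUMBIA.EDU
[realms]
CC.COLUMBIA.EDU = {
kdc = kerberos.cc.columbia.edu:88
kdc = krb2.cc.columbia.edu:88
admin_server = kerberos.cc.columbia.edu:749
default_domain = cc.columbia.edu
}
[domain_realm]
.cc.columbia.edu = CC.COLUMBIA.EDU
cc.columbia.edu = CC.COLUMBIA.EDU
.columbia.edu = CC.COLUMBIA.EDU
columbia.edu = CC.COLUMBIA.EDU
[logging]
kdc = FILE:/var/log/krb5kdc/kdc.log
admin_server = FILE:/var/log/krb5kdc/kadmin.log
"""

SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_krb5_conf(text):
    """Return {section: {key: value | [values] | {nested block}}}."""
    conf = {}
    section = None
    stack = []                      # open "key = {" blocks, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m and not stack:
            section = conf.setdefault(m.group(1), {})
            continue
        if section is None:
            raise ValueError("key outside any section: %r" % line)
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("expected key = value: %r" % line)
        key, value = key.strip(), value.strip()
        target = stack[-1] if stack else section
        if value == "{":            # start of a nested block, e.g. a realm
            target[key] = {}
            stack.append(target[key])
        elif key in target:         # repeated key -> list of values
            if not isinstance(target[key], list):
                target[key] = [target[key]]
            target[key].append(value)
        else:
            target[key] = value
    if stack:
        raise ValueError("unclosed '{' block")
    return conf


def realm_for_host(conf, hostname):
    """[domain_realm] lookup: exact host, then each parent domain written
    with a leading dot from most to least specific, then default_realm."""
    mapping = conf.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf.get("libdefaults", {}).get("default_realm")


def kdcs_for_realm(conf, realm):
    """List the KDCs configured for a realm (empty list if none)."""
    kdc = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    return kdc if isinstance(kdc, list) else [kdc]


if __name__ == "__main__":
    cfg = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for h in ("mail.cc.columbia.edu", "www.columbia.edu", "host.example.org"):
        print(h, "->", realm_for_host(cfg, h))
    print(kdcs_for_realm(cfg, "CC.COLUMBIA.EDU"))
```

The fallback to default_realm is why a host outside any listed domain still resolves to CC.COLUMBIA.EDU; if that is not what you want for a machine that talks to several realms, the [domain_realm] table has to cover each of them explicitly.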

Next we need to make changes to /etc/pam.d/authorization (the original post marked deletions in red and changes/additions in green, which does not survive in plain text):
# authorization: auth account
auth sufficient pam_krb5.so use_first_pass default_principal use_kcminit
auth optional pam_ntlm.so use_first_pass
auth required pam_opendirectory.so use_first_pass
account required pam_opendirectory.so

This handles authentication at the login screen, but we still need to update /etc/pam.d/screensaver to handle Kerberos authentication:

# screensaver: auth account
auth sufficient pam_krb5.so use_first_pass default_principal use_kcminit
auth required pam_opendirectory.so use_first_pass
account required pam_opendirectory.so
account sufficient pam_self.so
account required pam_group.so no_warn group=admin,wheel fail_safe
account required pam_group.so no_warn deny group=admin,wheel ruser fail_safe
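The control flags in these two files decide what happens when Kerberos is unavailable or the password is wrong: sufficient lets a successful pam_krb5.so end the auth stack immediately, while required modules must all succeed but are evaluated to the end. The Python below, an added example rather than code from the post, parses a pam.d file and simulates those flags as defined by Linux-PAM/OpenPAM, using the screensaver stack above as constructed sample input. Module options such as use_first_pass (reuse the password already collected instead of prompting again) are carried through but not modelled; the function names are this example's own.

```python
"""Parse pam.d stacks and simulate the PAM control flags used above.

Added example, not from the original post. Models required, requisite,
sufficient and optional; module options are parsed but not interpreted.
"""

# Constructed sample: the /etc/pam.d/screensaver stack from the post.
SCREENSAVER = """\
# screensaver: auth account
auth sufficient pam_krb5.so use_first_pass default_principal use_kcminit
auth required pam_opendirectory.so use_first_pass
account required pam_opendirectory.so
account sufficient pam_self.so
account required pam_group.so no_warn group=admin,wheel fail_safe
account required pam_group.so no_warn deny group=admin,wheel ruser fail_safe
"""


def parse_pam(text):
    """Return (declared_groups, entries). The leading '# service: group ...'
    comment used by OS X declares which management groups the file covers."""
    declared, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            body = line.lstrip("#").strip()
            if not declared and ":" in body:
                declared = body.split(":", 1)[1].split()
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("malformed pam line: %r" % line)
        entries.append({"group": parts[0], "control": parts[1],
                        "module": parts[2], "args": parts[3:]})
    return declared, entries


def run_stack(entries, group, outcomes):
    """Simulate one management group. outcomes maps module name -> True
    (PAM_SUCCESS) or False; modules not listed are treated as failing."""
    chain = [e for e in entries if e["group"] == group]
    if not chain:
        return False                       # empty stack vouches for nobody
    if len(chain) == 1 and chain[0]["control"] == "optional":
        return outcomes.get(chain[0]["module"], False)
    failed = False
    required_seen = False
    for e in chain:
        ok = outcomes.get(e["module"], False)
        ctl = e["control"]
        if ctl == "required":
            required_seen = True
            failed = failed or not ok      # remember failure, keep going
        elif ctl == "requisite":
            required_seen = True
            if not ok:
                return False               # fail fast
        elif ctl == "sufficient":
            if ok and not failed:
                return True                # short-circuit success
        elif ctl != "optional":
            raise ValueError("unknown control flag %r" % ctl)
    # Only failed sufficient/optional modules, or a required failure: deny.
    return required_seen and not failed


def missing_groups(text):
    """Groups declared in the header comment that have no entries; an
    absent account stack is a common way to lock the screen saver."""
    declared, entries = parse_pam(text)
    present = {e["group"] for e in entries}
    return [g for g in declared if g not in present]


if __name__ == "__main__":
    _, stack = parse_pam(SCREENSAVER)
    print("KDC ok, OD down:", run_stack(stack, "auth", {"pam_krb5.so": True}))
    print("KDC down, OD ok:", run_stack(stack, "auth", {"pam_opendirectory.so": True}))
    print("both fail:", run_stack(stack, "auth", {}))
    print("missing groups:", missing_groups(SCREENSAVER))
```

Running it shows the property these files rely on: a user whose Kerberos password verifies unlocks without the Open Directory check, a user whom the KDC rejects (or who cannot reach it) still unlocks if Open Directory accepts the password, and the account stack still denies when pam_opendirectory.so fails even if pam_self.so succeeds, because a required failure is remembered across the whole stack.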

And that’s that. This can also be packaged and deployed to clients via Munki. PSU has a CLC package (though it’ll have to be reworked for Columbia’s environment). The basic steps are:

  1. Set up one client with LDAP
  2. Package the LDAP plist from /Library/Preferences/OpenDirectory/Configurations/LDAPv3
  3. Package the MIT Kerberos file
  4. Package /etc/pam.d/authorization, /etc/pam.d/screensaver
  5. Edit the CLC’s existing preflight to back up copies of the files you’re editing, e.g. the MIT Kerberos file, /etc/pam.d/authorization, /etc/pam.d/screensaver, the LDAP plist
  6. Edit the CLC’s existing postflight to add the LDAP server to the machine’s search path and then remove the edit to /etc/authorization.
  7. Profit.