10.6 and Kerberos TGTs at Initial Login

  • #378364
    Patrick Fergus
    Participant

    Apple posted this KBase article today:

    Mac OS X v10.6: Generating a Kerberos Ticket Granting Ticket (TGT) during an Active Directory user’s initial login
    http://support.apple.com/kb/HT4100

    The following script should perform the steps outlined in the article. If you want to roll it into an InstaDMG payload-free CustomPKG, set the variable “etcAuthorizationPath” to “$3/etc/authorization”:

    [code]
    #!/bin/bash

    plistBuddyPath=/usr/libexec/PlistBuddy
    prefPath=:rights:system.login.console:mechanisms:
    etcAuthorizationPath=/etc/authorization

    # Count the existing entries in the mechanisms array; the count is the next free index
    freeArrayIndex=`$plistBuddyPath -c "Print $prefPath" "$etcAuthorizationPath" \
    | grep ":" | wc -l | tr -d ' '`
    # Append an empty string to the array, then set it to the krb5store mechanism
    $plistBuddyPath -c "add $prefPath string" "$etcAuthorizationPath"
    $plistBuddyPath -c "set $prefPath$freeArrayIndex builtin:krb5store,privileged" \
    "$etcAuthorizationPath"
    [/code]

    - Patrick
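
An added example, not part of the original post or of Apple's article: the posted script appends on every run, so this sketch makes the same edit only when `builtin:krb5store,privileged` is not already in the `system.login.console` mechanisms array. The function name `ensure_mechanism` and the sample plist are constructed for illustration; the sample is a cut-down stand-in for `/etc/authorization`.

```python
import plistlib

MECHANISM = "builtin:krb5store,privileged"  # value used by the posted script
RIGHT = "system.login.console"              # right edited by the posted script

# Constructed sample standing in for /etc/authorization (not a real file dump).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>mechanisms</key>
      <array>
        <string>builtin:authenticate,privileged</string>
        <string>loginwindow:done</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""


def ensure_mechanism(plist_bytes, mechanism=MECHANISM, right=RIGHT):
    """Return (plist_bytes, changed); append only when the entry is absent."""
    doc = plistlib.loads(plist_bytes)
    try:
        mechanisms = doc["rights"][right]["mechanisms"]
    except (KeyError, TypeError) as err:
        # Not the layout the posted script assumes: stop rather than guess.
        raise ValueError(f"unexpected authorization layout: {err!r}")
    if not isinstance(mechanisms, list):
        raise ValueError("mechanisms is not an array")
    if mechanism in mechanisms:
        return plist_bytes, False   # already present, leave the file untouched
    mechanisms.append(mechanism)    # end of the array, as the posted script does
    return plistlib.dumps(doc, sort_keys=False), True


if __name__ == "__main__":
    first, changed_first = ensure_mechanism(SAMPLE)
    second, changed_second = ensure_mechanism(first)
    print(changed_first, changed_second)
    print(plistlib.loads(second)["rights"][RIGHT]["mechanisms"])
```

Because the function returns the input bytes unchanged when the entry exists, a second pass over an already-patched file is a no-op and leaves a single entry in the array.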

    #378427
    alantrewartha
    Participant

    I’m a bit confused. Is this KB tip (which seems to be the same tip recycled from 10.3 days??) necessary? I am a bit dim on the subject of Kerberos tickets, but when I log in to my 10.6 (.2 at the moment) machine (which is bound to AD), I see a ticket in the ticket viewer, and I’m pretty sure I AM using Kerberos authentication to get on to one of our network volumes. Specifically, I can use this:

    mount_afp "afp://;AUTH=Client%20Krb%20v2@thevault/Pickup" /Volumes/Pickup

    to get there.

    Part of my confusion is that the ticket viewer in 10.6 doesn’t show you ticket details like on 10.5, so I can’t see the details. But everything is already acting as if I have a TGT, and my etc/authorization file is untouched.

    #378446
    thomasb
    Participant

    @alantrewartha Note the “initial login” part of this KB tip. The first (initial) login of an AD user account on a freshly installed Mac does not get its Kerberos ticket. That is what modifying the “/etc/authorization” file fixes. Subsequent logins of the same account on the same Mac will give you a Kerberos ticket, even without modifying “/etc/authorization”, but it really should work at the initial login 🙂

    #378463
    alantrewartha
    Participant

    Oh REALLY!? That’s oddball. I’ll look out for that on a freshly imaged 10.6…
