Kerberos and OSx

[_Lunchbox_]

hi all

I have some general inquiries regarding kerberos and OS X. What I am trying to figure out is if the behavior I am seeing is by design or typical. Or if something is broken. This is my first time using OS X and studying it’s integration into other systems like Active Directory so unfortunately I can’t draw on any personal experience

We’re experimenting with integration of OSx into our almost purely Microsoft environment. We’re seeing a few caveats to how authentication works against Active Directory and, more specifically, Kerberos.
First, when you boot up OSx and the networking stack is not completely initialized, it won’t you log in with network credentials if you’re never logged in before. That’s to be expected as it can’t contact any directory servers. Once things initialize and the red\yellow dot in the username field goes away, you can log in and you’ll get a TGT from a kerberos KDC. All is well and you can authenticate to other network resources using kerberos.

However, say you reboot again and log in before the networking stack is up or you’re just disconnected from any network. Let’s also assume you have a mobile account created for your managed (network) account. So, you are able to get logged in. Then you connect to the network (wireless, plug in, whatever).
In this scenario, we’re seeing that you can’t get to any kerberized resources because you never got a TGT. Moreover, you will never get a TGT unless you run kinit or logout and back in. Bummer. At that point you’re pretty much reliant on your keychain to supply credentials to network resources that you’ve accessed previously.

Couple this caveat with the fact (as far as I know) that on OSx you can’t connect to a wireless network [b]before [/b]a user logs in. So there’s a good chance that a lot of our laptop users will log in when they’re not connected to any network. Thus they won’t get a TGT and won’t get SSO via kerberos for a lot of resources.

Sure, if you have credentials on your keychain for certain resources you’ll get the appearance of SSO, but that’s sort of dumb as one of the purposes of using an auth scheme like kerberos is that you don’t need to keep another database full of credentials.

This is in contrast to Windows where, if a directory server is can’t be reached at log in, you are logged on with cached credentials. As soon as the network becomes available, you are authenticated and receive TGT’s and thus can log in to kerberized services. You don’t know the difference as a user. It’s transparent.

For those of you with experience with this, does my description of how this works make sense and is to be expected or or we missing something in our config? Or am I just plain doing it wrong? 🙂

[_Lunchbox_]

I just realized that I probably posted this in the wrong place. My apologies! Somehow I totally missed the AD forum.

[Author]

Posts