
    #358054
    Anonymous
    Participant

    I am trying to set up my xserve (10.3.3) to use our corporate Kerberos server. I can get accounts to authenticate fine from a console login, but services such as ssh, Samba and AFP do not use the Kerb authentication.

    I have set up a local account for each user and the Kerb password works for login, but the local password that I assigned also works (I tried to use an asterisk as mentioned elsewhere to disable local account logins, but that ended up just being the local password).

    So I actually have two problems: one is getting the services to use Kerb authentication and the other is disabling the password for the local account.

    Anyone know how I can get this working?

    #358124
    Anonymous
    Participant

    Our kerberos database is a Unix KerberosV system and all my accounts are stored in a local ldap server on the xserve. I have registered the xserve as a host principal and had received a keytab file that works fine for console logins. But when I created the ldap server, it built a new keytab file, which broke my logins. So I replaced the keytab with one from backup to get the logins working again, but I can’t see any way to add the services to it. I tried the sso_util command, but it just gave a bunch of errors, although it did make edits to the Mail and AFP plists, but the keytab was unchanged.

    There must be a way to make this work with an existing kerberos database…I just don’t get it.

    #358133
    Anonymous
    Participant

    Yes, I fixed the edu.mit.Kerberos file and I’m back to being able to do logins at the console through Kerberos. The keytab file had been created on another Unix box, as I just don’t see how to create one using sso_util (or anything else, for that matter) that connects to a KDC on a different system. I’m thinking, after inspecting the keytab created when I built the new Open Directory master, that my problem is that my services aren’t registered in it.

    Do you know how to create that keytab? For the host principal, the KDC admin gave me the password, kvno and encryption type for that host principal. I then used the ktutil command on an OpenBSD box to create the keytab. This command is totally different than the ktutil on OS X.

    #358182
    Anonymous
    Participant

    OK, I’m getting closer – I’ve got SSH to work now. I still don’t have the keytab set up and the official “Apple” services are still dead, but at least this is progress. To get SSH working with a corporate KDC, you need to use PAM:

    – edit edu.mit.Kerberos to point at the correct KDC
    – compile and install a PAM Kerberos module…the one I used is at http://www.math.gatech.edu/~villegas/pam_krb5/
    – configure SSH PAM authentication in /etc/pam.d/ssh by adding the line:
    auth sufficient pam_krb5.so
    – configure SSH in /etc/sshd_config by removing the comments from the 3 Kerberos entries and changing “no” to “yes”

    This will allow SSH connections, although for some reason my home directories are not being picked up in the shell’s environment, so you get an error at login when it tries to cd to the home directory. There is a note in the docs about SSH home dirs with LDAP not working – anyone have ideas on how to work around this?

    I am still trying to solve the service principal/keytab issues for AFP and other Apple services, but next up is getting Samba to work. This should be fairly simple as Samba can be compiled to support Kerb and PAM, although I may have to go back to v2 as there are many problems with v3. Again, if anyone has experience with this, I’d love to hear about it.
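To see why an `auth sufficient pam_krb5.so` line leaves the local password working (the problem from the first post) and to check the sshd_config edits from the list above, here is an added Python example that is not part of this thread. The three keyword names KerberosAuthentication, KerberosOrLocalPasswd and KerberosTicketCleanup are my assumption for "the 3 Kerberos entries", and both config texts are constructed samples.

```python
# Constructed sample files (not captured from the poster's xserve). The three
# sshd keyword names are an assumption: the post only says "the 3 Kerberos
# entries"; these are the OpenSSH 3.x options that fit that description.
KRB_SSHD_KEYS = ("KerberosAuthentication", "KerberosOrLocalPasswd",
                 "KerberosTicketCleanup")

SSHD_CONFIG = """\
#KerberosAuthentication no
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
"""

# PAM stack as the post describes it: pam_krb5 added as 'sufficient' on top of
# the stock local-password module, so a failed Kerberos check falls through.
PAM_SSH = """\
auth       sufficient  pam_krb5.so
auth       required    pam_unix.so
account    required    pam_unix.so
"""

def parse_sshd_config(text):
    """Return {keyword_lower: value}; like sshd, the first occurrence wins."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            parts = line.split(None, 1)
            conf.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return conf

def parse_pam(text):
    """Return [(type, control, module)] for each non-comment line of a pam.d file."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3:
            entries.append((parts[0].lower(), parts[1].lower(), parts[2]))
    return entries

def local_password_still_accepted(entries):
    """True if a failed pam_krb5 auth can fall through to another auth module.
    'sufficient' succeeds on a valid Kerberos password but lets the stack go on
    after a failure, which is why the local password in the thread kept working."""
    auth = [e for e in entries if e[0] == "auth"]
    for i, (_, control, module) in enumerate(auth):
        if module.startswith("pam_krb5"):
            rest = [m for _, _, m in auth[i + 1:] if not m.startswith("pam_deny")]
            return control == "sufficient" and bool(rest)
    return True  # no pam_krb5 line at all: only the local modules decide
```

A keyword whose only occurrence is still commented out comes back as `None`, which is the state the stock sshd_config is in before the edit the post describes.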
