Forum Replies Created

Viewing 2 posts - 1 through 2 (of 2 total)
  • in reply to: Extending Kerberos ticket lifetime? #369670
    dkallan
    Participant

    By the way, as an addendum to my earlier post, I was recently doing something else in my LDAP directory when I discovered that these types of multi-line edits can be done directly within the OS X Server Workgroup Manager; no need to use LDAP Studio or anything. What a time saver! I can’t believe I overlooked it for all this time!

    Just make sure you have the Inspector enabled in Workgroup Manager and view the Config section. The Inspector is that little target-shaped tab to the right of Users, Groups and Machines. Inside the Config section you will see your KerberosKDC configuration. Select apple-kdc-configdata and hit the Edit… button. Obviously, to do this, you would need to be authenticated as an Open Directory administrator.

    Note: You can also edit your apple-xmlplist within cn=Config,cn=KerberosClient if you would like to add something like ticket_lifetime and renew_lifetime to your libdefaults (note that these durations should be specified as 30s or 15m or 10h or 1d). This gets transformed and pushed to your OS X clients as the /Library/Preferences/edu.mit.kerberos file. Additionally, if you are curious about how to enable your screen saver to renew or request tickets when password protected, there is a great tip in the macosxhints forum about [url=http://forums.macosxhints.com/showthread.php?t=40129]how to modify your /etc/authorization file[/url] on your client machines.

    Cheers,

    Daron Kallan
    New York, NY USA

    in reply to: Extending Kerberos ticket lifetime? #368730
    dkallan
    Participant

    Hi guys,

    Assuming that you are talking about OS X Server with Open Directory, /var/db/krb5kdc/kdc.conf is automatically generated, so any changes you make will be overwritten. You will need to make your permanent changes to the OpenLDAPv3 database in Open Directory, which you can find under cn=config,cn=KerberosKDC as the attribute (or key) “apple-kdc-configdata”. You will need to do this as the Open Directory administrator (for example, “uid=diradmin,cn=users,dc=[MYHOST],dc=[MYDOMAIN],dc=com”).

    You can check the current file from the command line using dscl, as in:

    [code]$ dscl -u diradmin /LDAPv3/127.0.0.1 -read /Config/KerberosKDC apple-kdc-configdata[/code]

    However, I would advise against using the command line to [u]change[/u] attributes containing binary data such as linefeeds. You could end up with one continuous line that is unreadable by the KDC daemon. Furthermore, the -url option does not seem to work for changing attributes with escape sequences. I recommend using a utility such as Apache’s LDAP Studio (http://directory.apache.org/ldapstudio/) to edit multi-line values (you may want to ensure in the hex viewer that the line separators are Unix linefeeds (0x0A) and not Mac carriage returns (0x0D)).

    Once your changes are complete, you may reboot. If you don’t want to reboot, you can make the same change evanescently to the kdc.conf file, then kick over the krb5kdc (or kdcmond) daemon to propagate the changes.

    To test for your ticket lifetime, go to the command line for the user in question, and run kinit -l 2d (lifetime of two days).

    If Kerberos still disallows you from requesting tickets with lifetimes greater than ten hours, there may be another step. On your server, go to kadmin as the Open Directory administrator principal (for example, kadmin -p diradmin). You can then modify the Ticket-Granting Ticket principal to allow for longer ticket/renew times (modprinc -maxlife 24hours -maxrenewlife 14days +allow_renewable krbtgt/[REALM]) and also for your own user principal (modprinc -maxlife 24hours -maxrenewlife 14days +allow_renewable [USERNAME]).

    My two cents.

    Daron
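The two posts above describe three things worth checking before touching the live KDC: the duration syntax Kerberos accepts (30s, 15m, 10h, 1d in the libdefaults tip; 24hours, 14days in the kadmin commands), the line-ending pitfall when apple-kdc-configdata is edited outside a proper tool (Unix 0x0A versus Mac 0x0D), and the realm-wide max_life that keeps tickets at ten hours no matter what kinit -l asks for. The script below is an added example written for this page, not code from Daron or from Apple; it reads a kdc.conf-style blob as dumped by dscl, flags carriage returns, parses the realm stanza, and reports what lifetime the KDC would actually grant. It assumes a constructed sample config for a fictitious realm EXAMPLE.COM with Apple's 10-hour default, and the function names (parse_duration, inspect_kdc_config, effective_lifetime) are this example's own. It goes slightly beyond the posts in that the duration parser also accepts MIT's multi-part forms such as "10h 0m 0s" and "1d2h", which is what an Apple-generated kdc.conf actually contains. One caveat it cannot cover: the KDC also caps by the per-principal maxlife that modprinc sets, which lives in the principal database rather than in this file.

```python
import re

# Seconds per unit for the single-letter suffixes the first post mentions (30s, 15m, 10h, 1d).
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# Word forms as used in the kadmin example (24hours, 14days), mapped onto the letter units.
_WORD_UNITS = {"second": "s", "seconds": "s", "minute": "m", "minutes": "m",
               "hour": "h", "hours": "h", "day": "d", "days": "d"}


def parse_duration(text):
    """Convert a Kerberos duration ('10h', '2d', '24hours', '10h 0m 0s', '1d2h') to seconds.

    A bare integer is taken as seconds. Empty strings, unknown units and stray characters
    raise ValueError so that a bad config value is reported instead of silently becoming 0.
    """
    s = text.strip().lower()
    if not s:
        raise ValueError("empty duration")
    if s.isdigit():
        return int(s)
    total, pos = 0, 0
    for m in re.finditer(r"\s*(\d+)\s*([a-z]+)\s*", s):
        if m.start() != pos:          # gap between groups means junk in the string
            break
        pos = m.end()
        unit = _WORD_UNITS.get(m.group(2), m.group(2))
        if unit not in _UNIT_SECONDS:
            raise ValueError("unknown unit in duration: %r" % text)
        total += int(m.group(1)) * _UNIT_SECONDS[unit]
    if pos != len(s):
        raise ValueError("malformed duration: %r" % text)
    return total


def inspect_kdc_config(raw):
    """Parse kdc.conf-style bytes (what apple-kdc-configdata holds) into a small report.

    Returns {'has_cr': bool, 'realms': {realm: {'max_life': s, 'max_renewable_life': s}}}.
    has_cr is True when any 0x0D byte is present, the Mac line ending the second post warns
    about; the text is still normalised so the realm values can be inspected either way.
    Unparseable lifetime values are simply omitted from the realm dict.
    """
    has_cr = b"\r" in raw
    text = raw.decode("utf-8", errors="replace").replace("\r\n", "\n").replace("\r", "\n")
    realms, section, realm = {}, None, None
    for line in text.split("\n"):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
            continue
        if section != "realms":
            continue
        if line.endswith("{"):                      # "EXAMPLE.COM = {"
            realm = line[:-1].split("=")[0].strip()
            realms[realm] = {}
            continue
        if line == "}":
            realm = None
            continue
        if realm and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key in ("max_life", "max_renewable_life"):
                try:
                    realms[realm][key] = parse_duration(value)
                except ValueError:
                    pass
    return {"has_cr": has_cr, "realms": realms}


def effective_lifetime(report, realm, requested):
    """Lifetime the KDC would grant for 'kinit -l <requested>' against this realm config.

    The KDC clamps the request to the realm's max_life rather than refusing it, which is why
    a 2d request quietly comes back as a 10h ticket. Returns (seconds_granted, was_clipped).
    """
    wanted = parse_duration(requested)
    cap = report["realms"].get(realm, {}).get("max_life")
    if cap is None or wanted <= cap:
        return wanted, False
    return cap, True


# Constructed sample in the shape of an Apple-generated kdc.conf realm stanza, with the
# 10-hour default from the posts. Not taken from any real server.
SAMPLE_KDC_CONF = b"""[kdcdefaults]
    kdc_ports = 88
[realms]
    EXAMPLE.COM = {
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }
"""
# The same text with Mac carriage returns, the damage the second post describes.
SAMPLE_KDC_CONF_CR = SAMPLE_KDC_CONF.replace(b"\n", b"\r")

if __name__ == "__main__":
    report = inspect_kdc_config(SAMPLE_KDC_CONF)
    granted, clipped = effective_lifetime(report, "EXAMPLE.COM", "2d")
    print("unix line endings:", not report["has_cr"])
    print("kinit -l 2d would be granted %d s (clipped=%s)" % (granted, clipped))
    print("CR-edited copy flagged:", inspect_kdc_config(SAMPLE_KDC_CONF_CR)["has_cr"])
```

To use it against a real server, capture the attribute with the dscl command from the second post, feed those bytes to inspect_kdc_config, and raise max_life in the realm stanza only if has_cr is False; a True there means the value should be re-saved with Unix linefeeds before anything else is changed.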
