10.7 Not getting Kerberos Ticket at Login

Apple has moved away from MIT's Kerberos (krb) implementation.

Mac OS X Lion (10.7) uses a Pluggable Authentication Module (PAM) stack to try a variety of authentication mechanisms at login. It will actually try to get you Kerberos tickets without reconfiguring anything. However, this fails by default in the MIT environment because Lion tries to look up your Kerberos principal in Open Directory, which we do not use. You can work around this with a small reconfiguration of PAM:

  1. Make a backup copy of the file /etc/pam.d/authorization
  2. Edit the file /etc/pam.d/authorization as superuser
    • Find the line that begins with:
      auth       optional       pam_krb5.so use_first_pass use_kcminit

      The file is very short and this is usually the second line after the opening comment.

    • Add the key word default_principal to the end of the line like so:
      auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
  3. Save your changes to the file and reboot your Mac
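The three steps above, carried out as a small POSIX shell script. This is an added example, not a script from the original page or from MIT IS&T: it backs the file up, appends `default_principal` only to the `pam_krb5.so` auth line, and is safe to run twice. The sample file it builds is constructed for the example; only the `pam_krb5.so` line is taken from the page, the other lines are assumed filler so the script has something to leave untouched. Try it on a copy first; pass `/etc/pam.d/authorization` as root for the real change.

```shell
#!/bin/sh
# Added example (not from the original page): reconfigure a PAM
# "authorization" file so pam_krb5 uses the default principal.

# Usage: add_default_principal /path/to/authorization
# Returns 0 on success or if already configured, 1 if the file has no
# pam_krb5.so auth line (so we never blindly edit the wrong file).
add_default_principal() {
    file="$1"
    grep -q '^auth[[:space:]].*pam_krb5\.so' "$file" || return 1
    # Already has the keyword: nothing to do (keeps the edit idempotent).
    if grep -q '^auth[[:space:]].*pam_krb5\.so.*default_principal' "$file"; then
        return 0
    fi
    # Step 1: keep a backup copy of the original file.
    cp "$file" "$file.bak" || return 1
    # Step 2: append the keyword to the pam_krb5 auth line only;
    # every other line is copied through unchanged.
    sed '/^auth[[:space:]].*pam_krb5\.so/s/$/ default_principal/' \
        "$file.bak" > "$file" || return 1
    return 0
}

# Returns 0 if the pam_krb5 auth line now carries default_principal.
check_default_principal() {
    grep -q '^auth[[:space:]].*pam_krb5\.so.*default_principal' "$1"
}

# Constructed sample file for trying the script on a copy. Only the
# pam_krb5.so line comes from the page; the other lines are assumed.
make_sample_authorization() {
    cat > "$1" <<'EOF'
# authorization: auth account
auth       optional       pam_krb5.so use_first_pass use_kcminit
auth       sufficient     pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so
EOF
}

# Stand-alone run: work on a scratch copy, then show the result.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_authorization "$tmp/authorization"
    add_default_principal "$tmp/authorization" && cat "$tmp/authorization"
fi
```

Step 3 (reboot) is deliberately not scripted. After rebooting, `klist` in a Terminal window shows whether a ticket was obtained.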

If your Mac is on the network when you log in, and all the prerequisites are met, Lion will now try to obtain Kerberos tickets for you automatically when you log in with your Mac OS X username and password. You can check whether you have tickets by issuing the klist command in a Terminal window.

This also works with pass-through authentication if you have your disk encrypted using FileVault and only a single user account set up. In this scenario you'll be prompted for your password by FileVault at boot, and you will be automatically logged into your account after boot completes, along with new Kerberos tickets, as long as your machine is on the network.