{"id":746,"date":"2011-10-18T09:28:07","date_gmt":"2011-10-18T09:28:07","guid":{"rendered":"http:\/\/blog.designed79.co.uk\/?p=746"},"modified":"2012-01-23T09:51:49","modified_gmt":"2012-01-23T09:51:49","slug":"10-7-not-getting-kerberos-ticket-at-login","status":"publish","type":"post","link":"https:\/\/blog.designed79.co.uk\/?p=746","title":{"rendered":"10.7 Not getting Kerberos Ticket at Login"},"content":{"rendered":"

Apple have moved away from MIT’s krb.<\/p>\n

Mac OS X Lion (10.7) uses a Pluggable Authentication Module (PAM) stack to try a variety of authentication mechanisms at login. It will actually try to get you Kerberos tickets without reconfiguring anything. However, this fails by default in the MIT environment because Lion tries to look up your Kerberos principal in OpenDirectory, which we do not use. You can work around this through a small reconfiguration of PAM:<\/p>\n

    \n
  1. Make a backup copy of the file\u00a0\/etc\/pam.d\/authorization<\/tt><\/li>\n
  2. Edit the file\u00a0\/etc\/pam.d\/authorization<\/tt>\u00a0as superuser\n
      \n
    • Find the line that begins with:\n
      \n
      \n
      auth       optional       pam_krb5.so use_first_pass use_kcminit<\/pre>\n<\/div>\n<\/div>\n
      The file is very short and this is usually the second line after the opening comment.<\/li>\n
    • Add the key word\u00a0default_principal<\/tt>\u00a0to the end of the line like so:\n
      \n
      \n
      auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal<\/pre>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<\/li>\n
    • Save your changes to the file and reboot your Mac<\/li>\n<\/ol>\n
      If it is on the network when you log in, and all the prerequisites are met, it will now try to automatically get you Kerberos tickets when you log in using your Mac OS X username and password. You can check whether you have tickets by issuing the\u00a0klist<\/tt>\u00a0command in a Terminal window.<\/p>\n
      This also works with pass-through authentication if you have your disk encrypted using FileVault and only a single user account set up. In this scenarion you’ll be prompted for your password by FileVault at boot, and you will be automatically logged into your account after boot completes, along with new Kerberos tickets, as long as your machine is on the network.<\/p>\n","protected":false},"excerpt":{"rendered":"
      Apple have moved away from MIT’s krb. Mac OS X Lion (10.7) uses a Pluggable Authentication Module (PAM) stack to try a […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[8,9,7,10],"class_list":["post-746","post","type-post","status-publish","format-standard","hentry","category-info-on-tech","tag-10-7","tag-lion","tag-osx","tag-server"],"_links":{"self":[{"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/746","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=746"}],"version-history":[{"count":0,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/746\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=746"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=746"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=746"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}