Mac OS X: Enabling Kerberos authentication for Login Window

Do you need to learn how to set up Mac OS X and Mac OS X Server for Kerberos Authentication when logging in?
Instead of following the instructions on page 200 of the "Mac OS X Server Administrator's Guide," follow these steps on each Mac OS X client computer where you want to use Kerberos authentication. This document applies to Mac OS X (client) 10.2.1 or later and Mac OS X Server versions 10.2.1 to 10.2.8. The configuration steps outlined in this document are not required with Mac OS X Server 10.3, because the configuration is completely automated when using Open Directory.

Setting up to use a Kerberos server

This document assumes that you have already created and deployed the appropriate files:


For instructions on how to enable Kerberos Authentication for the Mac OS X 10.2 and Mac OS X Server 10.2, see Information for Using Kerberos.

Post-Login Kerberos Authentication

To configure the Kerberos login plug-in to obtain a Kerberos credential as a consequence of logging in, change the following lines in /etc/authorization:

Change:

        <key>system.login.done</key>
        <dict>
                <key>eval</key>
                <string>switch_to_user</string>
        </dict>
<!-- krb5auth:login can be used to do kerberos authentication as a
     side-effect of logging in.  Local username/password will be used.
  -->


to:
<!-- Do kerberos authentication as a side-effect of logging in.  Local username/password will be used.
  -->
        <key>system.login.done</key>
        <dict>
                <key>eval</key>
                <string>switch_to_user,krb5auth:login</string>
        </dict>

Notes

  1. You are logging into a local user account before attempting to obtain a Kerberos ticket for a matching name and password. Because of this matching requirement, the account name and password must exactly match those stored on the Kerberos server.
  2. The krb5auth:login step added to system.login.done is still available in 10.3. If you just want to try to obtain a Kerberos ticket when logging in, without using it to authenticate you, you can add it to system.login.done:

    <key>system.login.done</key>
    <dict>
            <key>class</key>
            <string>evaluate-mechanisms</string>
            <key>comment</key>
            <string>krb5auth:login can be used to do kerberos authentication as a side-effect of logging in.  Local username/password will be used.</string>
            <key>mechanisms</key>
            <array>
                    <string>switch_to_user</string>
                    <string>builtin:krb5login</string>
            </array>
    </dict>


Kerberos Authentication Required for Login

I. Simpler Configuration

To configure the Kerberos login plug-in to require that a user have a valid Kerberos account prior to logging in, change the following lines in /etc/authorization :

Change:
<!-- Login mechanism based rule.  Not for general use, yet. -->
        <key>system.login.console</key>
        <dict>
                <key>eval</key>
                <string>loginwindow_builtin:login,authinternal,loginwindow_builtin:success</string>
<!-- krb5auth:authenticate can be used to hinge local authentication on a successful kerberos authentication. -->
        </dict>


To:
<!-- Local authentication requires a successful kerberos authentication. -->
        <key>system.login.console</key>
        <dict>
                <key>eval</key>
                <string>loginwindow_builtin:login,krb5auth:authnoverify,loginwindow_builtin:success</string>
        </dict>


Notes

  1. This configuration does not require an /etc/krb5.keytab file, but it is less secure than the following implementation.
  2. The format of the authorization file has changed for 10.3.


Starting with 10.3, system.login.console looks like this:
<key>system.login.console</key>
<dict>
        <key>class</key>
        <string>evaluate-mechanisms</string>
        <key>comment</key>
        <string>Login mechanism based rule.  Not for general use, yet. krb5auth:authenticate can be used to hinge local authentication on a successful kerberos authentication.</string>
        <key>mechanisms</key>
        <array>
                <string>loginwindow_builtin:login</string>
                <string>authinternal</string>
                <string>loginwindow_builtin:success</string>
                <string>builtin:getuserinfo</string>
                <string>builtin:krb5auth</string>
        </array>
</dict>

In the passage above, "<string>authinternal</string>" is the default. It may be replaced with one of these strings:

    <string>builtin:krb5authenticate</string>
        Do Kerberos authentication and verify the KDC.
    <string>builtin:krb5authnoverify</string>
        (Mac OS X 10.3) Do Kerberos authentication and skip verifying the KDC.
    <string>builtin:krb5authnoverify,privileged</string>
        (Mac OS X 10.4) Do Kerberos authentication and skip verifying the KDC.


Nothing else is required for 10.3 and later. The system.login.done step is not required in these cases.


II. More Secure Configuration

This configures the Kerberos login plug-in to require that a user have a valid Kerberos account prior to logging in.

  1. Change the following lines in /etc/authorization :

    <!-- Login mechanism based rule.  Not for general use, yet.
      -->
            <key>system.login.console</key>
            <dict>
                    <key>eval</key>
                    <string>loginwindow_builtin:login,authinternal,loginwindow_builtin:success</string>
    <!-- krb5auth:authenticate can be used to hinge local authentication
         on a successful kerberos authentication.
      -->
            </dict>

    To:

    <!-- Local authentication requires a successful kerberos authentication.
      -->
            <key>system.login.console</key>
            <dict>
                    <key>eval</key>
                    <string>loginwindow_builtin:login,krb5auth:authenticate,loginwindow_builtin:success</string>
            </dict>

  2. Create a host principal on the KDC, if you have not already done so. The string "host/mymachine.example.com" is an example of a host principal.
  3. Copy a keytab file from the KDC to /etc/krb5.keytab on the client computer, if you have not already done so.
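As an added check (example code, not part of Apple's article or of any Apple tool), the script below parses an /etc/authorization plist with Python's plistlib and reports, for system.login.console and system.login.done, whether Kerberos is only a side-effect of a local login, is required with the KDC verified against the host key in /etc/krb5.keytab (section II), or is required without KDC verification (the authnoverify variants of section I). It accepts both the 10.2 comma-separated eval string and the 10.3 and later mechanisms array, including the 10.4 ",privileged" suffix. The plist samples are constructed here, the mechanism names are the ones listed in this article, and builtin:krb5auth, which the article does not describe, is reported as an unclassified Kerberos mechanism rather than guessed at.

```python
import plistlib

# Constructed sample of a 10.2-style /etc/authorization (one comma-separated
# "eval" string per right), edited as the article describes: console login
# hinges on krb5auth:authnoverify and login.done also fetches a ticket.
SAMPLE_10_2 = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>eval</key>
      <string>loginwindow_builtin:login,krb5auth:authnoverify,loginwindow_builtin:success</string>
    </dict>
    <key>system.login.done</key>
    <dict>
      <key>eval</key>
      <string>switch_to_user,krb5auth:login</string>
    </dict>
  </dict>
</dict>
</plist>
"""

def sample_10_3_style(console_mechanisms):
    """Build a constructed 10.3-style file (a "mechanisms" array per right)."""
    return plistlib.dumps({"rights": {"system.login.console": {
        "class": "evaluate-mechanisms", "mechanisms": list(console_mechanisms)}}})

# The default chain shown in the article, and the 10.4 variant with ",privileged".
SAMPLE_DEFAULT = sample_10_3_style(
    ["loginwindow_builtin:login", "authinternal", "loginwindow_builtin:success",
     "builtin:getuserinfo", "builtin:krb5auth"])
SAMPLE_10_4 = sample_10_3_style(
    ["loginwindow_builtin:login", "builtin:krb5authnoverify,privileged",
     "loginwindow_builtin:success", "builtin:getuserinfo", "builtin:krb5auth"])

# Kerberos mechanisms named in the article: (role, verifies the KDC?).
KERBEROS_MECHANISMS = {
    "krb5auth:authenticate":    ("required", True),     # ticket needed, KDC verified via /etc/krb5.keytab
    "builtin:krb5authenticate": ("required", True),
    "krb5auth:authnoverify":    ("required", False),    # ticket needed, KDC not verified
    "builtin:krb5authnoverify": ("required", False),
    "krb5auth:login":           ("side_effect", None),  # ticket fetched after a local login
    "builtin:krb5login":        ("side_effect", None),
}

def mechanism_chain(right):
    """Ordered mechanism names of one right, for either file format."""
    if "mechanisms" in right:                      # 10.3 and later
        return list(right["mechanisms"])
    if "eval" in right:                            # 10.2
        return [m.strip() for m in right["eval"].split(",") if m.strip()]
    return []

def classify_right(right):
    """Summarise how one login right uses Kerberos."""
    chain = mechanism_chain(right)
    result = {"chain": chain, "local_auth": "authinternal" in chain,
              "kerberos": None, "verifies_kdc": None, "privileged": [], "unknown_krb5": []}
    for mech in chain:
        name, _, flag = mech.partition(",")        # strip a 10.4 ",privileged" suffix
        if flag == "privileged":
            result["privileged"].append(name)
        if name in KERBEROS_MECHANISMS:
            role, verifies = KERBEROS_MECHANISMS[name]
            if role == "required" or result["kerberos"] is None:   # "required" wins
                result["kerberos"], result["verifies_kdc"] = role, verifies
        elif "krb5" in name:
            result["unknown_krb5"].append(name)    # e.g. builtin:krb5auth, not described in the article
    return result

def audit_authorization(plist_bytes):
    """Parse an /etc/authorization plist and classify the two rights the article edits."""
    rights = plistlib.loads(plist_bytes).get("rights", {})
    return {name: classify_right(rights[name])
            for name in ("system.login.console", "system.login.done") if name in rights}

def login_requires_kerberos(report):
    """True only when console login hinges on a Kerberos ticket."""
    console = report.get("system.login.console")
    return bool(console) and console["kerberos"] == "required"

if __name__ == "__main__":
    for label, sample in (("10.2", SAMPLE_10_2), ("default", SAMPLE_DEFAULT), ("10.4", SAMPLE_10_4)):
        report = audit_authorization(sample)
        print(label, "requires Kerberos:", login_requires_kerberos(report))
        for right, info in report.items():
            print("   ", right, info)
```

Run against a copy of the real file (for example `audit_authorization(open("/etc/authorization", "rb").read())`) to confirm which of the three configurations a machine actually has; a report with kerberos set to "required" and verifies_kdc False is the section I setup that works without a keytab but does not verify the KDC.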


Important: Information about products not manufactured by Apple is provided for information purposes only, and does not constitute Apple's recommendation or endorsement. Please contact the vendor for additional information.
Published Date: Oct 11, 2016