Kerberos For Mac: How to Seamlessly Authenticate to Websites, Apps, and File Servers



First, while Kerberos is included with the base Mac OS X distribution, it is recommended that administrators install the MIT Kerberos Extras for Mac OS to add some of the functionality that was omitted from the Apple distribution ( -kerberos-extras.html). These Extras add support for Carbon-based applications that use the CFM Kerberos libraries, as well as placing an alias to the Kerberos graphical ticket utility included with Mac OS X into a more suitable location (namely, /Applications/Utilities).


The location of the configuration file is different from the traditional MIT file location. Instead of /etc/krb5.conf, the Kerberos configuration file is located in /Library/Preferences/edu.mit.kerberos, which follows more closely the naming conventions in Mac OS X. Unfortunately, there is currently no graphical utility included with Mac OS X to create or edit this file. Nonetheless, the contents of the file ...




Kerberos For Mac




It is useful to create a kerberos config file. The Mac Self-Service has an action item called "kerberos config file new" in the category 'Configuration'. Once the config file is created (in /etc/krb5.conf), you can run kinit yourCernAccountName to create a kerberos token (ticket) that you can use for your browser, for ssh, the Self-Service login and many other services.


Some popular package managers like brew, macports etc. provide their own versions of kinit, ssh, ... Unfortunately these store the kerberos ticket cache in different places and as a result are incompatible with the executables provided by macOS. We recommend not using any third party kerberos or ssh binaries.


Solution: Some versions of ssh will not attempt to perform kerberos authentication. In this case, you will receive a permission denied error. To enable kerberos authentication, try the following -o switch:


The quotation marks are required. If this form of SSH succeeds, you can configure your local system to always attempt to use kerberos authentication by editing either $HOME/.ssh/config or /etc/ssh/ssh_config and adding these lines:
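A check that goes with the ssh_config edit above, added here as an example and not part of the original page: it resolves which GSSAPI (Kerberos) options OpenSSH would actually apply to a given host, using OpenSSH's first-value-wins and Host-glob rules. The option names GSSAPIAuthentication and GSSAPIDelegateCredentials are OpenSSH's; the sample config and hostnames are constructed.

```python
# Added example (not from the page): resolve the GSSAPI (Kerberos) options
# OpenSSH would apply to a host. Assumes OpenSSH client semantics: the first
# value obtained wins, Host patterns are globs, "!pattern" excludes the host,
# and options before any Host line apply to every host. Match blocks ignored.
from fnmatch import fnmatchcase

# Constructed sample ~/.ssh/config; hostnames are placeholders.
SAMPLE_CONFIG = """\
Host login*.example.edu
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

Host *.lab.example.edu !build.lab.example.edu
    GSSAPIAuthentication yes

Host *
    GSSAPIAuthentication no
"""

def parse_ssh_config(text):
    """Return [(host_patterns, {option: value}), ...] in file order."""
    blocks = [(["*"], {})]  # options that precede the first Host line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value in a block wins
    return blocks

def host_matches(patterns, host):
    matched = False
    for pat in patterns:
        if pat.startswith("!") and fnmatchcase(host, pat[1:]):
            return False  # a negated match disqualifies the whole block
        if not pat.startswith("!") and fnmatchcase(host, pat):
            matched = True
    return matched

def effective_option(text, host, option):
    """Value of `option` for `host` (lower-cased), or None if unset."""
    for patterns, options in parse_ssh_config(text):
        if host_matches(patterns, host) and option.lower() in options:
            return options[option.lower()].lower()
    return None
```

Compare the result with OpenSSH's own view via `ssh -G host`, which prints the resolved configuration for that host. GSSAPIDelegateCredentials forwards your ticket-granting ticket to the remote machine, so leave it off unless a service there needs it.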


Is your Mac having issues reaching the Kerberos server through the firewall, or are you authenticating to the firewall with your Mac, and is the firewall set to use Kerberos to authenticate the session (captive portal, GlobalProtect, ...)?


As @BPry mentions, the steps to configure Kerberos on the Mac itself are very strict, but on the firewall you should simply allow the necessary applications to let Kerberos through; you should see these in the traffic log (kerberos and possibly some rpc/netbios).


Searching for ERR-RESPONSE-TOO-BIG (52) brought up this link that was talking about UDP packet size per OS -US/4ce35807-f002-4dde-8e94-90b63642a02e/krb5kdcerrpreauthrequired-and-krb5krberrresponsetoobig?forum=winserverDS and -US/acf9484d-b059-4230-b428-533cc148e5ae/kerberos-error-52-response-too-big-on-macos?forum=winserversecurity. Someone on the second post was talking about shutting down the 2012 R2 DC, so I went about my other task of adding my second domain controller to the Domain, this one running Server 2019 Core.


By default, HTTPKerberosAuth will require mutual authentication from the server, and if a server emits a non-error response which cannot be authenticated, a requests_kerberos.errors.MutualAuthenticationError will be raised. If a server emits an error which cannot be authenticated, it will be returned to the user but with its contents and headers stripped. If the response content is more important than the need for mutual auth on errors (e.g. for certain WinRM calls), the stripping behavior can be suppressed by setting sanitize_mutual_error_response=False:


This will cause requests_kerberos to attempt mutual authentication if the server advertises that it supports it, and cause a failure if authentication fails, but not if the server does not support it at all.


If you are having difficulty, we suggest you configure logging. Issues with the underlying kerberos libraries will be made apparent. Additionally, copious debug information is made available which may assist in troubleshooting if you increase your log level all the way up to debug.


Now that you have your framework, I suggest checking out some really great shell scripts and daemons that make this even cleaner on my GitHub. For example, one of these will automatically destroy all kerberos tickets on reboot.


10.3 uses a variant of MIT's kerberos, so what we're going to do is install some bits from MIT, configure kerberos for our domain, then install a plug-in to get an afs token, and finally set up login authorization to generate tickets from the main GUI login window, to check against kerberos for permission to alter system preferences, and to check against kerberos from the screen saver. In all of these cases, authentication is supposed to fall back to local authentication if kerberos fails, so this should be safe for laptops. It's working ok for me on mine, but I suggest you try one feature at a time.


Once it's installed, go to /Library/Preferences and find the edu.mit.Kerberos file. As root, or using sudo, make a backup, then open this file with a text editor (e.g. vi, pico, BBEdit). For default realm, use your main kerberos realm. If you're in a Kerberos4 realm, add the data in the "v4" sections. For more detailed information, see the MIT Kerberos for OS X preferences and faq pages.


In this first example below, I've put the information for the kerberos authentication servers for the two afs cells I use, isis.unc.edu and cs.unc.edu. These files are slightly different from the ones for 10.2.


So far so good--now you should be able to use applications that know how to use kerberos. At UNC, that doesn't mean much, since we don't use kerberos all that much and most applications aren't kerberized. But this does lay the groundwork for the next step, which is automatically getting AFS tokens for access to your online file space.


The kfm_aklog plugin gets calls from Kerberos each time a user gets or renews a ticket, and obtains an afs token for that user. So now if we can tie kerberos authentication to the existing mac authentication processes, users can renew tokens to afs space without having to manually run klog.


To enable kerberos login as part of the main login process, find the system.login.console key in /etc/authorization. Within that key, there's a mechanism key. Replace authinternal with builtin:krb5authnoverify just below the loginwindow_builtin:login string.


To enable kerberos authentication as part of editing system preferences, find the system.preferences key in /etc/authorization. Within that key, find the mechanism key and add builtin:krb5authnoverify just below the builtin:authenticate string:


To enable kerberos login via the screen saver, find the authenticate-session-owner-or-admin key. Look for the (you guessed it) mechanism key, and add builtin:krb5authnoverify below the builtin:authenticate string:


To test this one, use the kerberos utility to destroy your tickets and tokens, then activate the screen saver (using a hot corner). If it works correctly, when you come back in, you should have a fresh set of tickets and tokens. If it doesn't work, and you can't get back in, you may have to do a hard reboot.


What this procedure does (assuming I'm understanding all of it correctly) is set up the GUI's login window to try to get a Kerberos ticket when you log in by passing the same userid and password to the kerberos server. When this is successful, you are given kerberos tickets to the default realm. If you've added the login_logout_notification = "aklog" line to the edu.mit.kerberos file, Alexei's kfm_aklog plugin will be called when you get that Kerberos ticket, and will get you an AFS token.
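The three /etc/authorization edits above (login window, System Preferences, screen saver) done in code, as an added example that is not from the original page: it applies the mechanism changes to an XML plist in memory with the standard library's plistlib, so the edit can be reviewed and repeated without hand-editing. The sample plist is a constructed stand-in; which keys live under "rights" versus "rules" in a real 10.3 file is an assumption, so the lookup tries both.

```python
# Added example (not from the page): apply the three /etc/authorization edits
# described above to an XML plist held in memory, using only the standard
# library. The sample plist below is constructed; reading and writing the real
# file (as root, after a backup) is left to the caller.
import plistlib

KRB5 = "builtin:krb5authnoverify"

# Constructed stand-in for the relevant parts of /etc/authorization.
SAMPLE_PLIST = plistlib.dumps({
    "rights": {
        "system.login.console": {"mechanisms": [
            "loginwindow_builtin:login", "authinternal", "loginwindow_builtin:success"]},
        "system.preferences": {"mechanisms": ["builtin:authenticate"]},
    },
    "rules": {
        "authenticate-session-owner-or-admin": {"mechanisms": ["builtin:authenticate"]},
    },
})

def _mechanisms(auth, name):
    """Mechanism list of a right or rule; raises KeyError if the key is absent."""
    for section in ("rights", "rules"):
        entry = auth.get(section, {}).get(name)
        if entry is not None:
            return entry.setdefault("mechanisms", [])
    raise KeyError(name)

def _insert_after(mechs, anchor, new, replace=None):
    """Put `new` right after `anchor`, swapping out `replace` if it sits there."""
    if new in mechs:
        return mechs  # already applied; keep the edit idempotent
    i = mechs.index(anchor)  # ValueError if the expected anchor is missing
    if replace is not None and i + 1 < len(mechs) and mechs[i + 1] == replace:
        mechs[i + 1] = new
    else:
        mechs.insert(i + 1, new)
    return mechs

def enable_kerberos_auth(plist_bytes):
    """Return the plist with Kerberos added to login, preferences and screen saver."""
    auth = plistlib.loads(plist_bytes)
    _insert_after(_mechanisms(auth, "system.login.console"),
                  "loginwindow_builtin:login", KRB5, replace="authinternal")
    _insert_after(_mechanisms(auth, "system.preferences"), "builtin:authenticate", KRB5)
    _insert_after(_mechanisms(auth, "authenticate-session-owner-or-admin"),
                  "builtin:authenticate", KRB5)
    return plistlib.dumps(auth)

def mechanisms_of(plist_bytes, name):
    return list(_mechanisms(plistlib.loads(plist_bytes), name))
```

Because the anchors are looked up by name, a file whose mechanism lists differ from what the text describes raises instead of being silently rewritten, which is the behaviour you want before touching a login path.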

