
Configuring Mac OS X Kerberos Authentication

This document details the steps required to activate Mac OS X Kerberos authentication. It does not describe why you would want to do so, or how to test that you've performed this configuration properly. For that, you should read the document Authenticating and Authorizing Mac OS X Users.

This method of activating Kerberos authentication works only under Tiger (Mac OS X 10.4.x) and Leopard (Mac OS X 10.5.x).

Activating Mac OS X Kerberos Authentication

  1. Time sync your Mac. For Kerberos to work, your client computer and the Kerberos server must be time synchronized. Using the 'Date & Time' system preference, make sure you have set the proper time zone (Time Zone tab), and set the computer to use an NTP time server: clock.psu.edu (Network Time tab).

  2. Add an 'edu.mit.Kerberos' preferences file to the /Library/Preferences folder. This is the /Library/Preferences folder at the root of the startup disk, not a user's preferences folder under any of the /Users directories. You can download the edu.mit.Kerberos file, the contents of which are shown here:

      [domain_realm]
          .psu.edu = dce.psu.edu
          psu.edu = dce.psu.edu

      [libdefaults]
          default_realm = dce.psu.edu
          dns_lookup_kdc = true
          forwardable = true
          noaddresses = true

  3. Modify the /private/etc/authorization file to allow Kerberos authentication. Log in as the admin user and launch the /Applications/Utilities/Terminal application. Then, type the following commands:
    1. cd /private/etc <enter>
      To change the current directory to '/private/etc'
    2. sudo cp -p authorization authorization_orig <enter>
      To make a backup copy of the file we are about to edit
    3. sudo pico -w authorization <enter>
      To edit the /private/etc/authorization file
    4. <control-W>
      To start a search
    5. system.login.console <enter>
      To search for the next occurrence of 'system.login.console'.
      Note: the string will be found between <key> tags.
    6. In the <dict> entry below this key, look for <key>mechanisms</key>. In the array that follows that key, change the following <string>:

        For Tiger (Mac OS X 10.4.x), change:
        From: <string>authinternal</string>
            To: <string>builtin:krb5authnoverify,privileged</string>

        For Leopard (Mac OS X 10.5.x), change:
        From: <string>builtin:authenticate,privileged</string>
            To: <string>builtin:krb5authnoverify,privileged</string>

      There may be multiple occurrences of 'authinternal' or 'authenticate' in the /etc/authorization file. Make sure you change the correct one.
    7. <control-X>
      To save the file
    8. <enter>
      To save the file as the same name
    9. <command-Q>
      To quit the terminal application
  4. Restart the Mac to activate Kerberos authentication.
That's all there is to it. However, as stated above, please refer to the document Authenticating and Authorizing Mac OS X Users to see how you might take advantage of Kerberos authentication under Mac OS X.
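
The edit in step 3.6 can also be made by parsing the property list instead of searching for text, which avoids changing the wrong 'authinternal' or 'authenticate' entry. The following is an added example, not part of the original instructions: it uses Python's plistlib, assumes the authorization file is a property list whose top-level "rights" dictionary holds the 'system.login.console' entry, and runs against a constructed sample rather than a real /private/etc/authorization file.

```python
import plistlib

KRB5 = "builtin:krb5authnoverify,privileged"
# String that step 3.6 replaces, per release (values from the instructions above).
OLD = {"tiger": "authinternal", "leopard": "builtin:authenticate,privileged"}


def enable_krb5(plist_bytes, release):
    """Return plist bytes with only system.login.console's mechanism swapped."""
    doc = plistlib.loads(plist_bytes)
    mechs = doc["rights"]["system.login.console"]["mechanisms"]
    if KRB5 in mechs:
        return plist_bytes  # already configured: hand back the input unchanged
    old = OLD[release]
    if mechs.count(old) != 1:
        # Refuse to guess when the expected entry is missing or duplicated.
        raise ValueError(f"expected one {old!r} in system.login.console, "
                         f"found {mechs.count(old)}")
    mechs[mechs.index(old)] = KRB5
    return plistlib.dumps(doc, sort_keys=False)


# Constructed sample, heavily trimmed: not a copy of a real authorization file.
SAMPLE = plistlib.dumps({
    "rights": {
        "system.login.console": {
            "class": "evaluate-mechanisms",
            "mechanisms": [
                "builtin:auto-login,privileged",
                "authinternal",
                "builtin:getuserinfo,privileged",
            ],
        },
        # Hypothetical second right that also lists 'authinternal'.
        "example.other.right": {
            "class": "evaluate-mechanisms",
            "mechanisms": ["authinternal"],
        },
    },
})

if __name__ == "__main__":
    edited = plistlib.loads(enable_krb5(SAMPLE, "tiger"))
    for name, right in edited["rights"].items():
        print(name, right["mechanisms"])
```

On a real machine the input would be the contents of /private/etc/authorization, read only after the backup copy from step 3.2 has been made.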
© 2009, The Pennsylvania State University. All rights reserved.
This site maintained by the Classroom and Lab Computing group of Information Technology Services.

This page was last modified: 7/23/2008 7:28:38 PM.