Kerberos & Mac OS X login authentication

kraig schmidt at
Mon Jun 30 13:28:25 EDT 2003

Mr. Ling, et al.,

My name is Kraig Schmidt, and I am a member of the Computer Technology 
staff at the University of Virginia School of Architecture.  In our 
attempt to implement improved security measures for our network, we are 
trying to Kerberize the login process for all of our public Mac OS X 
clients.  Mr. Ling, I saw your note from March on the kerberos mailing 
list archive and I thought perhaps you might have some advice for the 
problem we have encountered...

We are using Mac OS 10.2.6, and a Windows 2000 Server for 
ActiveDirectory and KDC services.  We have successfully implemented 
LDAPv3 against active directory to store our users and their associated 
information which we use for logging in users (without kerberos).

We set up a KDC on our Windows2000 Server, created client files, and 
have successfully acquired tickets for several users [in Active 
Directory] via the OS X GUI Kerberos Manager. 
Modifying the /etc/authorization file on the client has been successful 
both for acquiring a ticket for the user as a consequence of logon, and 
verifying users against Active Directory  [Options 1 and 2 as discussed 
in Apple Knowledge Base article 107154.]

We then created a 'user' account in active directory for the client 
computer [the host] and used Win2000's Ktpass utility to create a host 
principal and keytab file, which was ftp'd into /etc on the client:

c:\>ktpass -princ host/ at DNS.COM -mapuser testg4 -pass 
password -out krb5.keytab

The problem: When we modify the /etc/authorization file to require a 
valid Kerberos account *prior* to logging on the user [Option 3 in 
article 107154] we get a loginwindow 'shake' and no login (even though 
all users and the host 'user' can acquire tickets via the GUI Kerberos 

There is nothing in the Win2000 KDC login/logout audit logs that 
indicates what might be happening;  in fact, each time I attempt to 
login from a particular host as [let's say] user 'john', I see a 
failure event (pre-authentication type 0) immediately followed by a 
success event (pre-authentication type 2) for user 'john' but nothing 
[failure or success] pertaining to the host from which john is 
attempting to log on.

I cannot seem to determine how to activate client-side kerberos 
logging.  Adding the [logging] section to the file as 
shown below has not yielded any logging whatsoever.

	default = FILE:/var/krb5/kdc.log
	KDC = FILE:/var/krb5/kdc.log

I admit to being utterly perplexed.  The materials I've found in the 
process of doing research are relatively straightforward.  Each of the 
steps was successful in precisely the ways the information indicated 
until the last step of implementing a valid kerberos connection (for 
the host) prior to a user's login.

Any information and/or  insight into this process would be enormously 
appreciated.  Thanks for your time and assistance...

cheers, kraig schmidt.
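
A keytab is a binary file, so one check on the client is to parse the copy in /etc and confirm which principal, key version and encryption type it actually holds. The sketch below is an added example, not part of the original post; it assumes the MIT keytab layout (format version 0x0502), and the principal host/mac01.example.edu@EXAMPLE.EDU with its all-zero key is a constructed placeholder.

```python
import struct

def _parse_entry(buf):
    """Decode one keytab entry into (principal, kvno, enctype)."""
    off = 0
    def take(fmt):
        nonlocal off
        (val,) = struct.unpack_from(fmt, buf, off)
        off += struct.calcsize(fmt)
        return val
    def counted():                          # 16-bit length, then that many bytes
        nonlocal off
        n = take(">H")
        if off + n > len(buf):
            raise ValueError("truncated field in keytab entry")
        off += n
        return buf[off - n:off]
    ncomp = take(">H")                      # component count, realm excluded
    realm = counted().decode("utf-8", "replace")
    comps = [counted().decode("utf-8", "replace") for _ in range(ncomp)]
    take(">8s")                             # name type + timestamp, unused here
    kvno, enctype = take(">B"), take(">H")
    counted()                               # key bytes: skipped, never printed
    if len(buf) - off >= 4:                 # optional 32-bit kvno overrides 8-bit
        kvno = take(">I") or kvno
    return "/".join(comps) + "@" + realm, kvno, enctype

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] from keytab file bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab (bad leading bytes)")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:                        # size <= 0 marks a deleted-entry hole
            if pos + size > len(data):
                raise ValueError("truncated keytab entry")
            entries.append(_parse_entry(data[pos:pos + size]))
        pos += abs(size)
    return entries

def sample_keytab():
    """Constructed sample: one DES key for a hypothetical host principal."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + cs(b"EXAMPLE.EDU") + cs(b"host")
            + cs(b"mac01.example.edu") + struct.pack(">IIBH", 1, 0, 3, 3)
            + cs(b"\x00" * 8))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

To inspect a real file, pass its bytes to `parse_keytab`, for example `parse_keytab(open(path, "rb").read())`, and compare the principal and kvno it reports with the account on the KDC.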
