Kerberos for Macintosh Login Authentication, Help?

Henry B. Hotz hotz at
Mon Oct 21 20:55:00 EDT 2002

This is really frustrating.  With all the documentation on the web it 
seems like it should be working now.  It *almost* works.

I've installed a file on a just-upgraded OSX 10.2.1 
system that didn't have it before.

>[machotz:~] hotz% more /Library/Preferences/
>         default_realm = JPL.NASA.GOV
>         default = FILE:/KLog
>[v4 realms]
>         JPL.NASA.GOV = {
>                 kdc =
>                 kdc =
>                 kdc =
>                 admin_server =
>                 default_domain =
>                 string_to_key_type = afs_string_to_key
>         }
>[v4 domain_realm]

Also modified /etc/authorization as follows:

><!-- Do kerberos authentication as a side-effect of loggin in. 
>Local username/password will be used.
>  -->
>         <key>system.login.done</key>
>         <dict>
>                 <key>eval</key>
>                 <string>switch_to_user, krb5auth:login</string>
>         </dict>

Added group read access to ~/Library/Preferences/  (Do I really need 
to do this?)

>[machotz:~] hotz% ls -ld ~/Library/Preferences/
>drwxr-x---  94 hotz  staff  3196 Oct 21 17:17 /Users/hotz/Library/Preferences/

Now kinit/klist/kdestoy work fine.  The Kerberos GUI also works fine. 
I've restarted the computer and when I log back in klist shows no 
tickets.  I have not installed the Kerberos Extras, but I don't think 
I need them.  What else do I need to do to get the login 
authenticator to work?

Note that kpasswd does not work, and the /KLog file and console log 
remain bare of any indications of any problem.

>[machotz:~] hotz% klist
>Kerberos 4 ticket cache: 'Initial default ccache'
>Default Principal: hotz at JPL.NASA.GOV
>Issued             Expires            Service Principal
>10/21/02 16:24:59  10/22/02 17:51:20  krbtgt.JPL.NASA.GOV at JPL.NASA.GOV
>[machotz:~] hotz% kpasswd
>Kerberos Change Password:
>Please enter the old password for hotz at JPL.NASA.GOV:
>Kerberos Change Password Failed: Principal unknown
>Please enter the old password for hotz at JPL.NASA.GOV:

kerberos is a CNAME for eis-fil-afsdb08.  It's really running a 
kaserver (hence the v4 and afs key stuff).  I'm not trying to put my 
home directory in AFS space, just gain access to AFS automatically on 
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the krbdev mailing list