Kerberos for Macintosh Login Authentication, Help?

Scott McGuire smcguire at MIT.EDU
Mon Oct 21 21:35:15 EDT 2002

At 5:54 PM -0700 10/21/02, Henry B. Hotz wrote:
>Also modified /etc/authorization as follows:
>><!-- Do kerberos authentication as a side-effect of loggin in. 
>>Local username/password will be used.
>>  -->
>>         <key>system.login.done</key>
>>         <dict>
>>                 <key>eval</key>
>>                 <string>switch_to_user, krb5auth:login</string>
>>         </dict>
>Now kinit/klist/kdestoy work fine.  The Kerberos GUI also works 
>fine. I've restarted the computer and when I log back in klist shows 
>no tickets.  I have not installed the Kerberos Extras, but I don't 
>think I need them.  What else do I need to do to get the login 
>authenticator to work?

I can help with this part of your questions.  The originally 
published Apple documentation for the authenticator had a typo in it. 
You need to eliminate the space between "switch_to_user" and 
"krb5auth:login", that is, the line should read:


You should re-read and check your changes against the current version 
of the "Mac OS X 10.2: How to Enable Kerberos Authentication for 
Login Window" document, which has had a few problems corrected since 
it was first released:


but removing the space should allow getting Kerberos tickets as a 
side effect of logging in.

Scott McGuire / smcguire at
MIT Information Systems Macintosh Developer

More information about the krbdev mailing list