[Macpartners] Using SAPgui on WIN domain bound Macs?
Teddy Thomas
tthoma24 at mit.edu
Thu Nov 19 22:02:37 EST 2015
[resending from my MIT email]
Hi Patrick-
I believe the changes you’ll want to your krb5 config are under [domain_realm]; just add win.mit.edu = WIN.MIT.EDU and .win.mit.edu = WIN.MIT.EDU. I put my edu.mit.Kerberos file in /mit/tthoma24/Public so you can see what I did (note I made other edits which you may not want).
I’m not a Kerberos expert, but I think the issue here is Kerberos cross realm doesn’t exist from the WIN realm to ATHENA realm, but DOES exist going the other way, meaning you can authenticate to WIN with an ATHENA ticket, but not the other way. Installing Kerberos extras and getting an Athena ticket was the first piece, but I don’t think the krb5 conf in Kerberos Extras for Mac defines the WIN realm, which is likely necessary to get the krbtgt/WIN.MIT.EDU@ATHENA.MIT.EDU so you can authenticate to WIN services with an ATHENA ticket.
Hope this helps. Good luck.
-Teddy
> On Nov 19, 2015, at 2:38 PM, Patrick McNeal <mcneal at mit.edu> wrote:
>
> Has anyone been able to get the latest SAPgui <https://ist.mit.edu/sapr3/sapgui/740/mac> to work on a Mac OS X 10.11 machine that is bound to the WIN domain? We're using the WIN domain for authentication and authorization, but it appears the SAPgui doesn't work with Kerberos tickets from the WIN.MIT.EDU realm.
>
> Installing Kerberos Extras for Mac <http://ist.mit.edu/kerberos/extras/mac> works if I destroy my WIN.MIT.EDU tickets and then obtain a TGT for the ATHENA.MIT.EDU realm, but then I'm unable to access DFS or other WIN.MIT.EDU resources.
>
> For what it's worth, here is my /Library/Preferences/edu.mit.Kerberos:
>
> [libdefaults]
>   default_realm = ATHENA.MIT.EDU
>   forwardable = TRUE
>   proxiable = TRUE
>   noaddresses = TRUE
>   allow_weak_crypto = TRUE
>
> [realms]
> ATHENA.MIT.EDU = {
>   kdc = kerberos.mit.edu.:88
>   kdc = kerberos-1.mit.edu.:88
>   kdc = kerberos-2.mit.edu.:88
>   admin_server = kerberos.mit.edu.
>   default_domain = mit.edu
> }
>
> [domain_realm]
>   .mit.edu = ATHENA.MIT.EDU
>   mit.edu = ATHENA.MIT.EDU
>
> [v4 realms]
> ATHENA.MIT.EDU = {
>   kdc = kerberos.mit.edu.
>   kdc = kerberos-1.mit.edu.
>   kdc = kerberos-2.mit.edu.
>   admin_server = kerberos.mit.edu.
>   default_domain = mit.edu
>   string_to_key_type = mit_string_to_key
> }
>
> [v4 domain_realm]
>   .mit.edu = ATHENA.MIT.EDU
>   mit.edu = ATHENA.MIT.EDU
>
> Thanks,
>
> —Patrick
>
>
> IT Manager | J-PAL <http://povertyactionlab.org/> | MIT <http://mit.edu/> | +1 617-324-2721 | mcneal at mit.edu
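Added example, not part of the original thread or anyone's posted code: a simplified sketch of how a [domain_realm] section maps a service hostname to a realm (exact host entry first, then `.domain` entries from most to least specific), run over the mappings posted above with and without the two suggested lines. The hostname dfs.win.mit.edu is a constructed sample, and the parser is an assumption that handles only the plain `key = value` syntax seen in this thread.

```python
"""Sketch of [domain_realm] host-to-realm lookup (added example)."""

# Mappings as posted in the thread's edu.mit.Kerberos file.
ORIGINAL = """\
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
"""

# The same section with the two lines suggested in the reply.
UPDATED = ORIGINAL + """\
win.mit.edu = WIN.MIT.EDU
.win.mit.edu = WIN.MIT.EDU
"""


def parse_domain_realm(text):
    """Return the key -> realm pairs of the [domain_realm] section."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping


def realm_for_host(host, mapping):
    """Exact host entry first, then '.domain' entries, most specific first."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None  # a real Kerberos library falls back to other methods here


if __name__ == "__main__":
    # dfs.win.mit.edu is a constructed sample hostname.
    for name, conf in (("original", ORIGINAL), ("updated", UPDATED)):
        rules = parse_domain_realm(conf)
        for host in ("dfs.win.mit.edu", "win.mit.edu", "kerberos.mit.edu"):
            print(f"{name:8} {host:18} -> {realm_for_host(host, rules)}")
```

With only the `.mit.edu` entries, every host under win.mit.edu resolves to ATHENA.MIT.EDU; the more specific entries take precedence once added, while other mit.edu hosts keep their ATHENA mapping.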