Kerberos & Mac OS X login authentication
daemon@ATHENA.MIT.EDU (kraig schmidt)
Mon Jun 30 13:29:43 2003
Date: Mon, 30 Jun 2003 13:28:25 -0400
Mime-Version: 1.0 (Apple Message framework v552)
Content-Type: text/plain; charset=US-ASCII; format=flowed
From: kraig schmidt <kraig.schmidt@alumni.duke.edu>
To: brian.ling@bbc.co.uk, kerberos@mit.edu, arosenbl@mac.com
Content-Transfer-Encoding: 7bit
Message-Id: <414FCD82-AB20-11D7-B005-0030658DCABA@alumni.duke.edu>
Errors-To: kerberos-bounces@mit.edu
Mr. Ling, et al.,
My name is Kraig Schmidt, and I am a member of the Computer Technology
staff at the University of Virginia School of Architecture. In our
attempt to implement improved security measures for our network, we are
trying to Kerberize the login process for all of our public Mac OS X
clients. Mr. Ling, I saw your note from March on the kerberos mailing
list archive and I thought perhaps you might have some advice for the
problem we have encountered...
We are using Mac OS 10.2.6, and a Windows 2000 Server for
Active Directory and KDC services. We have successfully implemented
LDAPv3 against active directory to store our users and their associated
information which we use for logging in users (without kerberos).
We set up a KDC on our Windows2000 Server, created client
edu.mit.Kerberos files, and have successfully acquired tickets for
several users [in Active Directory] via the OS X GUI Kerberos Manager.
Modifying the /etc/authorization file on the client has been successful
both for acquiring a ticket for the user as a consequence of logon, and
verifying users against Active Directory [Options 1 and 2 as discussed
in Apple Knowledge Base article 107154.]
We then created a 'user' account in active directory for the client
computer [the host] and used Win2000's Ktpass utility to create a host
principal and keytab file, which was ftp'd into /etc on the client
machine.
c:\>ktpass -princ host/testg4.dns.com@DNS.COM -mapuser testg4 -pass password -out krb5.keytab
The problem: When we modify the /etc/authorization file to require a
valid Kerberos account *prior* to logging on the user [Option 3 in
article 107154] we get a loginwindow 'shake' and no login (even though
all users and the host 'user' can acquire tickets via the GUI Kerberos
Manager).
There is nothing in the Win2000 KDC login/logout audit logs that
indicates what might be happening; in fact, each time I attempt to
login from a particular host as [let's say] user 'john', I see a
failure event (pre-authentication type 0) immediately followed by a
success event (pre-authentication type 2) for user 'john' but nothing
[failure or success] pertaining to the host from which john is
attempting to log on.
I cannot seem to determine how to activate client-side kerberos
logging. Adding the [logging] section to the edu.mit.Kerberos file as
shown below has not yielded any logging whatsoever.
[logging]
default = FILE:/var/krb5/kdc.log
KDC = FILE:/var/krb5/kdc.log
I admit to being utterly perplexed. The materials I've found in the
process of doing research are relatively straightforward. Each of the
steps was successful in precisely the ways the information indicated
until the last step of implementing a valid kerberos connection (for
the host) prior to a user's login.
Any information and/or insight into this process would be enormously
appreciated. Thanks for your time and assistance...
cheers, kraig schmidt.
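An added example, not part of Kraig's post or of any Apple or Microsoft tool: a small Python parser for the MIT-format keytab (version 0x0502) that ktpass -out writes and the OS X Kerberos client reads. The point is that a host keytab can be checked offline before the login path is debugged: the principal name must match exactly (including the upper-case realm), and the key version number (kvno) in the file must match the one the KDC holds for the host account. The sample keytab is constructed in memory; the principal is the one from the ktpass command above, while the kvno, timestamp, enctype and key bytes are made-up values, and `expected_kvno` is an assumed value a practitioner would read from the KDC.

```python
"""Parse an MIT-format Kerberos keytab (version 0x0502) and check the host entry."""
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class KeytabEntry:
    principal: str   # e.g. host/testg4.dns.com@DNS.COM
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(data: bytes, p: int):
    """Read a 16-bit length-prefixed octet string starting at offset p."""
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialize entries as a 0x0502 keytab; used here only to construct sample input."""
    out = b"\x05\x02"
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)          # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode every live entry; version 0x0501 (no name_type field) is not handled."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                     # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:               # 32-bit kvno present; non-zero value wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def find_entry(entries: List[KeytabEntry], principal: str) -> Optional[KeytabEntry]:
    return next((e for e in entries if e.principal == principal), None)


def check_host_keytab(data: bytes, expected_principal: str, expected_kvno: int) -> List[str]:
    """Return human-readable problems; an empty list means the host entry looks usable."""
    problems = []
    entries = parse_keytab(data)
    e = find_entry(entries, expected_principal)
    if e is None:
        problems.append("no entry for %s; file holds %s"
                        % (expected_principal, [x.principal for x in entries]))
        return problems
    realm = e.principal.rsplit("@", 1)[1]
    if realm != realm.upper():
        problems.append("realm %s is not upper-case; realms are case-sensitive" % realm)
    if e.kvno != expected_kvno:
        problems.append("kvno mismatch: keytab has %d, KDC has %d" % (e.kvno, expected_kvno))
    return problems


# Constructed sample keytab: one entry for the host principal from the post,
# kvno 3, enctype 3 (des-cbc-md5), an 8-byte placeholder key and a made-up timestamp.
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("host/testg4.dns.com@DNS.COM", 1, 1056994105, 3, 3, b"\x01" * 8),
])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry.principal, "kvno", entry.kvno, "enctype", entry.enctype)
    print(check_host_keytab(SAMPLE_KEYTAB, "host/testg4.dns.com@DNS.COM", 3))
```

Run it against a real file with `parse_keytab(open("/etc/krb5.keytab", "rb").read())`; the `expected_kvno` argument is whatever the KDC reports for the host account, so a non-empty result from `check_host_keytab` points at the keytab rather than at the login configuration.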
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos