Create a Kerberos .plist file

retroroscoe
Contributor

Hi,

Does anyone know how to create a plist file for Kerberos?

I currently have a krb5.conf that I need to be converted and then pushed out as a config profile.

Hope someone can help

5 REPLIES

Aaron
Contributor II

I may be wrong, but I'm pretty sure you can only deploy config profiles for configs stored in /Library and ~/Library - the Kerberos file is stored in /etc

You would need to deploy the krb5.conf file via script and a policy (possibly a recurring policy via the login trigger to make sure that it sticks)

retroroscoe
Contributor

ok then

how can I create such a script?
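A sketch of the kind of script the reply above describes, as an added example that is not part of the original thread. It assumes the destination path (for example /etc/krb5.conf) is supplied as Jamf script parameter 4; the realm and KDC names are constructed placeholders and `KRB5_RESULT` is a hypothetical variable name.

```shell
#!/bin/bash
# Added example: idempotent krb5.conf install for a Jamf policy script.

# Constructed sample payload; replace with the site's real krb5.conf.
krb5_payload() {
cat <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
EOF
}

# install_krb5 TARGET: sets KRB5_RESULT to "installed" or "unchanged".
install_krb5() {
    local target="$1" tmp
    KRB5_RESULT=""
    # Refuse to write through a symlink planted at the destination.
    if [ -L "$target" ]; then
        echo "refusing: $target is a symlink" >&2
        return 1
    fi
    # Stage next to the destination so the final mv is an atomic rename.
    tmp="$(mktemp "${target}.XXXXXX")" || return 1
    krb5_payload > "$tmp" || { rm -f "$tmp"; return 1; }
    if [ -f "$target" ] && cmp -s "$tmp" "$target"; then
        rm -f "$tmp"
        KRB5_RESULT="unchanged"
        return 0
    fi
    chmod 644 "$tmp" || { rm -f "$tmp"; return 1; }
    # Jamf policies run as root; uid 0 / gid 0 is root:wheel on macOS.
    if [ "$(id -u)" -eq 0 ]; then
        chown 0:0 "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$target" || { rm -f "$tmp"; return 1; }
    KRB5_RESULT="installed"
}

# Jamf passes mount point, computer name and user as $1-$3;
# custom parameters start at $4. Nothing runs without a target.
if [ -n "${4:-}" ]; then
    install_krb5 "$4" && echo "krb5.conf: $KRB5_RESULT"
fi
```

Because the script rewrites the file only when its contents differ, it can run on a recurring trigger and will also restore the file if it is modified locally.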

maxbehr
Contributor II

Probably the easiest way is to create the file on one machine. Then open Composer, drag the file into the Composer window on the left side and then create a DMG package. You then deploy it like any other package.

maurits
Contributor

Are you sure that just this /etc/krb5.conf file is enough? (If yes: see the post above to capture the file with Composer.) A long time ago I did some LDAP/Kerberos integrations with binding, and those required a bunch of settings (user/service/authenticator/..) to be right, usually done by the binding process (see man dsconfigad, man dsconfigldap).

What is your goal? If AD authentication and users getting AD Kerberos tickets is your goal, check out nomad.menu, a free tool designed to sync local accounts and AD accounts, but also manage Kerberos tickets (I think a non-AD KDC should also work).
Maybe you can use just that part? NoMAD is well documented, and settings can be managed with MDM profiles.

https://nomad.menu/help-center/deploying-nomad/
http://cannonball.tombridge.com/2016/10/07/deploying-nomad-with-configuration-profiles/

retroroscoe
Contributor

Hi All,

I currently use NoMAD as well. Brilliant product I would add.
The issue I have is the Firewall appliance that has been installed at my school is not SSL enabled.
My previous firewall never had this issue, but the new one does, and I have no control over it because it is centrally managed.

The issue as it stands is that the Captive Portal from the appliance doesn't prompt users for credentials on a wired connection visiting SSL websites (https). This stops MDM working etc.
The only solution being offered is to install a krb5.conf file in /Library/Preferences.
I would like to push out a config profile on device enrollment so things start to work straight away.

It appears that the NoMAD settings I have in place have no effect on the way a browser interacts with the proxy/firewall.
Everything starts to work once that krb5.conf file is in play.
I do currently push it out via a .pkg I did create in Composer but I felt that a proper custom .plist via a configuration profile would be a more elegant solution.