Posted on 05-17-2018 08:47 PM
Hi,
Does anyone know how to create a plist file for Kerberos?
I currently have a krb5.conf that I need to be converted and then pushed out as a config profile.
Hope someone can help
Posted on 05-17-2018 09:00 PM
I may be wrong, but I'm pretty sure you can only deploy config profiles for configs stored in /Library and ~/Library; the Kerberos file is stored in /etc.
You would need to deploy the krb5.conf file via a script and a policy (possibly a recurring policy via the login trigger to make sure that it sticks).
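The script-and-policy approach described above, as an added example that is not part of the original post: the realm, KDC and domain values are constructed placeholders, and the destination path is passed as an argument so the script can be tried against a scratch file before it is pointed at /etc/krb5.conf from a policy. It only rewrites the file when the content has drifted, which makes it safe to run on a recurring login trigger.

```shell
#!/bin/sh
# Installs a managed krb5.conf and only rewrites it when the content differs,
# so it can run from a recurring (login-triggered) policy without churn.
# Realm, KDC and domain values below are constructed placeholders.
set -eu

KRB5_CONF_CONTENT='[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    ticket_lifetime = 10h
    forwardable = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
'

# Usage: install_krb5_conf /etc/krb5.conf
# Prints "installed", "updated" or "unchanged" and returns 0 on success.
install_krb5_conf() {
    dest="$1"
    tmp="$(mktemp "${TMPDIR:-/tmp}/krb5.conf.XXXXXX")"
    printf '%s' "$KRB5_CONF_CONTENT" > "$tmp"
    if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"
        echo "unchanged"
        return 0
    fi
    state="installed"
    if [ -f "$dest" ]; then
        # Keep a copy of any existing (possibly hand-edited) file before replacing it.
        cp -p "$dest" "$dest.bak"
        state="updated"
    fi
    mv "$tmp" "$dest"
    chmod 644 "$dest"
    # Only root can set the owner; a Jamf policy normally runs as root.
    if [ "$(id -u)" -eq 0 ]; then chown root:wheel "$dest"; fi
    echo "$state"
}

# Run with "--install" from the policy to write the real system file.
if [ "${1:-}" = "--install" ]; then install_krb5_conf /etc/krb5.conf; fi
```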
Posted on 05-17-2018 10:46 PM
OK then, how can I create such a script?
Posted on 05-18-2018 09:00 AM
Probably the easiest way is to create the file on one machine. Then open Composer, drag the file into the Composer window on the left side, and create a DMG package. You then deploy it like any other package.
Posted on 05-18-2018 12:48 PM
Are you sure that just this /etc/krb5.conf file is enough? (If yes: see the post above to capture the file with Composer.) A long time ago I did some LDAP/Kerberos integrations with binding, and those required a bunch of settings (user/service/authenticator/...) to be right, usually done by the binding process (see man dsconfigad, man dsconfigldap).
What is your goal? If AD authentication and users getting AD Kerberos tickets is your goal, check out nomad.menu, a free tool designed to sync local accounts and AD accounts, but also to manage Kerberos tickets (I think a non-AD KDC should work as well).
Maybe you can use just that part? NoMAD is well documented, and settings can be managed with MDM profiles:
https://nomad.menu/help-center/deploying-nomad/
http://cannonball.tombridge.com/2016/10/07/deploying-nomad-with-configuration-profiles/
Posted on 05-20-2018 06:14 PM
Hi All,
I currently use NoMAD as well. Brilliant product I would add.
The issue I have is the Firewall appliance that has been installed at my school is not SSL enabled.
My previous firewall never had this issue, but the new one, which I have no control over because it is centrally managed, does.
The issue as it stands is that the Captive Portal from the appliance doesn't prompt users for credentials on a wired connection when visiting SSL websites (https). This stops MDM from working, etc.
The only solution being offered is to install a krb5.conf file in /Library/Preferences.
I would like to push out a config profile on device enrollment so things start to work straight away.
It appears that the NoMAD settings I have in place have no effect on the way a browser interacts with the proxy/firewall.
Everything starts to work once that krb5.conf file is in play.
I do currently push it out via a .pkg I created in Composer, but I felt that a proper custom .plist via a configuration profile would be a more elegant solution.