Kerberos TGT and single sign on

tkimpton
Valued Contributor II

I've been looking at these

http://emeadeployment.blogspot.co.uk/2012/10/107-and-108-clients-do-not-generate.html

http://support.apple.com/kb/HT5385

Below works fine

Find the line:

auth optional pam_krb5.so use_first_pass use_kcminit

Add the key "default_principal" to the end of the line. For example:

auth optional pam_krb5.so use_first_pass use_kcminit default_principal

Is this scriptable? I don't want to have to just push this out all the time.

I have a mix of 10.6 and am starting with a couple of 10.8 machines.

My idea was to have a script that runs at startup, something like

#!/bin/bash

# Carry out an OS version check (first four characters, e.g. "10.6" or "10.8")
OS=`/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk '{print substr($1,1,4)}'`

# If the OS is 10.6 then fix Kerberos TGT http://support.apple.com/kb/ht4100
if [[ "$OS" == "10.6" ]]; then
    # Runs as root at startup, so sudo is not needed. The PlistBuddy command is
    # single-quoted so the embedded double quotes reach PlistBuddy intact.
    /usr/libexec/PlistBuddy -c 'Add :rights:system.login.console:mechanisms:11 string "builtin:krb5store,privileged"' /etc/authorization

# If the OS is 10.8 then fix Kerberos TGT http://support.apple.com/kb/HT5385
elif [[ "$OS" == "10.8" ]]; then
    # (some command!)
    :   # placeholder no-op so the branch is valid shell until the command is filled in
fi
exit 0
18 REPLIES

jarednichols
Honored Contributor

Why not just craft a custom krb5.conf and put it in your image?

tkimpton
Valued Contributor II

I do not have a /etc/krb5.conf on my 10.8.2 box

I use ADmitMac

I need the mechanism to work even if Apple start messing with stuff; the script will always run as a policy at startup to make sure Kerberos works properly.

blackholemac
Valued Contributor III

I may have some help on this one...an unlikely source. Basically we are getting nailed by this...the Penn State labs group seems to have two perl commands that resolve the 10.8 side of this:

/usr/bin/perl -pi -e 's/auth       optional       pam_krb5.so use_first_pass use_kcminit/auth     optional         pam_krb5.so use_first_pass default_principal/g' authorization

and

/usr/bin/perl -pi -e 's/auth       optional       pam_krb5.so use_first_pass use_kcminit/auth     optional         pam_krb5.so use_first_pass default_principal/g' screensaver

Check out their page here...my thought is you can add these commands to your imaging workflow somehow.

http://clc.its.psu.edu/UnivServices/itadmins/mac/kerbldaplogins/macosxkerbauthsetup

As for your attempt at a big script, please let me know...I don't know Perl myself so if someone turned the 10.6 side of this into perl commands that would be wonderful and would be what you need for your big script.

nkalister
Valued Contributor

Weird. I've made no changes to pam.d/authorization on my 10.7 or 10.8 machines, and we're getting a TGT at login. Apple AD plugin, AD KDC.

jhbush
Valued Contributor II

I'm getting this when I perform a klist:

Credentials cache: API:902508221:49 Principal: jxxx@XXX.XXXX..XXXX.COM

Issued Expires Principal
Jan 17 14:08:45 2013 Jan 18 00:08:43 2013 krbtgt/XXX.XXXX.XXXXX.COM@XXX.XXXX.XXXXXX.COM

I haven't made any modifications to pam.d/authorization either. Am I missing something?

tkimpton
Valued Contributor II

My problem has not been a TGT or getting a Kerberos ticket.

My problem has been getting single sign-on working with a third party encryption system so that the user isn't inconvenienced by logging in twice, once at poa and then at the login window.

Heimdal Kerberos is great.... Thanks Apple

When signing in with a cached account and not connected to the network, it will give you a temporary ticket but it's expired; then after you connect to your corporate wifi network successfully, in a couple of minutes you will get a valid Kerberos ticket.

I saw this by setting the Ticket Viewer to open at login and just watched it.

The script by blackholemac sorted out my single sign-on.....sort of.

The problem now is when I click a padlock in....say System Preferences and authenticate as the local admin account, it creates a Kerberos ticket for the local admin account and makes it the primary identity (viewable in the Ticket Viewer app) and then the user can get put to the web through proxy servers!

All this pain for single sign-on hmmm.....

jhbush
Valued Contributor II

tkimpton, are you using Lion? If so that is the placeholder ticket created by Heimdal Kerberos. I had that issue for quite a while. It caused our Wi-Fi to not connect among other things. I used ADPassMon to allow users and techs to request new tickets. In Mountain Lion we get exactly the opposite with Ticket Viewer showing no tickets. You have to do a klist to see them. I use a Login Window profile that requests a ticket at sign in. We get glitches now and then, but most things like kerberized printing work.

blackholemac
Valued Contributor III

tkimpton, sorry you are running into issues with your local admin account. I can't seem to reproduce your error here. Correct me if I'm wrong as to your workflow. FYI, we have AD as our directory source and have our clients bound to AD.

Step 1, run the perl commands to add the info to my /etc/pam.d/authorization and /etc/pam.d/screensaver
Step 2, reboot (probably not necessary, but I wanted to)
Step 3, login as your local admin account, launch System Preferences, toggle to a restricted preference, enter your local admin credential, unlock it.
Step 4, go to Terminal and type sudo klist (I also tried going to Ticket Viewer).

When I tried performing these steps, it told me krb5_cc_get_principal: No credentials cache file found
In other words, it isn't trying to pull a ticket for my local admin account (a good thing). I checked Ticket Viewer as well...no TGTs.

I did make one small error on my previous post though...I left out a minor detail in that I forgot to tell folks to cd to /private/etc/pam.d

Sorry about that; it's important if you use these commands to run them in the following order:

cd /private/etc/pam.d
/usr/bin/perl -pi -e 's/auth       optional       pam_krb5.so use_first_pass use_kcminit/auth     optional         pam_krb5.so use_first_pass default_principal/g' authorization
/usr/bin/perl -pi -e 's/auth       optional       pam_krb5.so use_first_pass use_kcminit/auth     optional         pam_krb5.so use_first_pass default_principal/g' screensaver

Sorry to anyone that may have had problems following my terminal commands...I do recommend looking at the Penn State folks' write-up on the subject. They are very good at finding out this sort of thing.

http://clc.its.psu.edu/UnivServices/itadmins/mac/kerbldaplogins/macosxkerbauthsetup
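The opening post asks whether the HT5385 edit is scriptable, and the perl one-liners above only match when the stock line's run of spaces is exactly as typed, so an already-edited or differently spaced line is silently skipped. The script below is an added example written for this thread, not code from the original posts, Apple or Penn State: it rewrites the pam_krb5.so auth line field by field (dropping use_kcminit, adding default_principal once), keeps a one-off backup, and verifies the result, so it can run on every startup. The function name fix_pam_krb5_line, the --apply flag and the script name are this example's own.

```shell
#!/bin/bash
# Added example for this thread (not from the original posts, Apple or Penn State):
# rewrite the pam_krb5.so auth line by field instead of by exact string, so the
# HT5385 change survives whitespace differences and can run repeatedly at startup.
# fix_pam_krb5_line and the --apply flag are this example's own names.

# Rewrite the "auth ... pam_krb5.so ..." line in FILE: drop use_kcminit and make sure
# default_principal is present. Other lines pass through untouched. Returns 0 when the
# file ends up with exactly one such line, 1 otherwise.
fix_pam_krb5_line() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    tmp="$file.tmp.$$"
    awk '
        $1 == "auth" && $3 == "pam_krb5.so" {
            out = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "use_kcminit") continue        # HT5385 replaces use_kcminit
                if ($i == "default_principal") seen = 1
                out = out (out == "" ? "" : " ") $i
            }
            if (!seen) out = out " default_principal"
            print out
            seen = 0
            next
        }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # keep a one-off backup, then overwrite in place so mode and ownership are kept
    [ -f "$file.orig" ] || cp -p "$file" "$file.orig"
    cat "$tmp" > "$file" && rm -f "$tmp"
    [ "$(grep -c '^auth[[:space:]].*pam_krb5\.so.*default_principal' "$file")" = "1" ]
}

# On a client, run as root: ./fix_pam_krb5.sh --apply   (hypothetical script name)
# The PAM files live in /private/etc/pam.d; /etc is a symlink to /private/etc on OS X.
if [ "$1" = "--apply" ]; then
    for f in /private/etc/pam.d/authorization /private/etc/pam.d/screensaver; do
        fix_pam_krb5_line "$f" || exit 1
    done
fi
```

Run it once per file from a startup policy; a second run changes nothing because default_principal is only appended when absent. Leave screensaver out of the --apply loop if, as asked later in the thread, local admins should not unlock the screensaver.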

tkimpton
Valued Contributor II

@jhbush1973 no I'm using 10.8. Glad the Ticket viewer wasn't just me because I don't see a ticket either.

Please can you explain the login window profile? Do you mean you run a script at login etc?

@blackholemac thanks for that. The only difference is to set the automatic login in System Preferences as my account so that the third party poa pass through works.

What does the command do on the screensaver? If possible I don't want local admins to unlock the screensaver.

tkimpton
Valued Contributor II

@blackholemac

Please can you paste your authorization file and I will copy it and see if it makes any difference

Thanks

blackholemac
Valued Contributor III

@tkimpton as for the screensaver, just drop the second command off those two commands. I am basing this on the Penn State link. In my case, I do want admins to be able to get in at a screensaver.

As for the Penn State link, a weird update it was mysteriously updated today to drop the perl commands...I don't know if there were issues or what, but that might have something to do with it. They seem to work fine for me. Sometime this weekend, I'll make a point to get you that /etc/pam.d/authorization file.

tkimpton
Valued Contributor II

My file looks like this

# authorization: auth account
auth optional pam_krb5.so use_first_pass use_kcminit default_principal
auth sufficient pam_ntlm.so use_first_pass default_principal
auth optional pam_ntlm.so use_first_pass
auth required pam_opendirectory.so use_first_pass nullok
account required pam_opendirectory.so

Single sign-on works and shows the Kerberos ticket in the Ticket Viewer app.

As soon as I unlock a padlock, say Accounts in System Preferences, I can see in Ticket Viewer the local admin account is added and made default.

Not sure but this could also be due to the fact that I use ADmitMac instead of the built in AD Apple plugin.

tkimpton
Valued Contributor II

With my authorization file above I am using a launch daemon with WatchPaths on /Library/Preferences/SystemConfiguration/preferences.plist to run this script

#!/bin/bash

# Get the principal of the 501 (local admin) account from the cache list.
# klist -l marks the default cache in the first column, so the principal
# starts at column 3; the column range is the one used in the original script.
ladmin=`klist -l | grep 501 | cut -c 3-29`

# Check to see if the 501 account has a credential cache at all
if klist -l | grep -q 501
then

    # Destroy the 501 account's cache so it stops being the default identity
    kdestroy -p "${ladmin}"
fi
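The launch daemon script above finds one hard-coded account by grepping for 501 and cutting fixed columns, which breaks as soon as the principal is longer or a different account unlocks the padlock. The script below is an added example written for this thread, not the original poster's code: it parses klist -l by field and lists every credential cache whose principal does not belong to the console user, so any foreign identity (not just uid 501) can be destroyed before it becomes the default. It assumes the Heimdal klist -l layout of an optional "*" default marker followed by the principal, cache name and expiry, and that the console user's Kerberos short name equals their login name as on an AD-bound Mac; the sample output in the test is constructed, and foreign_principals and the --purge flag are this example's own names.

```shell
#!/bin/bash
# Added example for this thread, not the original poster's launch daemon script.
# Parses "klist -l" by field rather than by column position and reports every cache
# whose principal is not the console user's, so a ticket obtained for a local admin
# at a System Preferences padlock can be destroyed instead of becoming the default.
# foreign_principals and the --purge flag are this example's own names.

# Read klist -l output on stdin and print the principal of each cache whose short
# name (the part before @) differs from USER, one per line. Assumed layout (Heimdal):
# an optional "*" marking the default cache, then principal, cache name and expiry;
# the header line and blank lines carry no "@" and are skipped.
foreign_principals() {
    awk -v user="$1" '
        { p = ($1 == "*") ? $2 : $1 }     # step over the default-cache marker
        p !~ /@/ { next }                 # header, blank or otherwise non-principal line
        {
            short = p; sub(/@.*$/, "", short)
            if (short != user) print p
        }
    '
}

# Destroy those caches on a Mac: ./purge_foreign_tickets.sh --purge (hypothetical name)
if [ "$1" = "--purge" ]; then
    console_user=$(stat -f %Su /dev/console)   # BSD stat: owner of the console device
    klist -l | foreign_principals "$console_user" | while read -r p; do
        echo "destroying credential cache for $p"
        kdestroy -p "$p"
    done
fi
```

Hooked to the same WatchPaths trigger as the original daemon, this removes the admin's TGT whichever account was used at the padlock, and leaves the console user's own cache alone.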

blackholemac
Valued Contributor III

@tkimpton

You asked for my file and I apologize for not getting back to you as we had the MLK holiday off here. Here is my authorization file:

# authorization: auth account
auth     optional         pam_krb5.so use_first_pass default_principal
auth       optional       pam_ntlm.so use_first_pass
auth       required       pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so

and screensaver file

# screensaver: auth account
auth     optional         pam_krb5.so use_first_pass default_principal
auth       required       pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so
account    sufficient     pam_self.so
account    required       pam_group.so no_warn group=admin,wheel fail_safe
account    required       pam_group.so no_warn deny group=admin,wheel ruser fail_safe

I am likely to revisit these today as even the Penn State folks have recently updated their article to include some changes. I will keep my eye on this post though as I seek to get this done "the right way®", not the fast way.

Kumarasinghe
Valued Contributor

We are on 10.8.2 and we get a Kerberos ticket at login but the ticket gets destroyed once I print a couple of times.
Has anyone seen this behaviour?

jhbush
Valued Contributor II

I wanted to add that in case you are getting the opposite behavior with too many tickets due to a user adding a Kerberos identity in Ticket Viewer, removing ~/Library/Preferences/com.apple.GSS.items.plist resolves the issue.

tkimpton
Valued Contributor II

One thing I did notice is that if ~/Library/Preferences/com.apple.GSS.items.plist exists with the below, then I can see the Kerberos ticket in the Ticket Viewer

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>kGSSConfKeys</key>
    <dict/>
</dict>
</plist>

Does anyone know how I can script this with defaults write? I have tried a few times but I can't seem to get the <dict/> in there.
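One way to script the file above without fighting defaults write is to write the whole plist from the script and then install it into the user's preferences with the right owner. The script below is an added example for this thread, not the original poster's code: write_gss_items_plist emits exactly the plist shown above and validates it with plutil where that tool exists, and install_for_user places it under a given home directory; both function names and the paths passed to them are this example's own.

```shell
#!/bin/bash
# Added example for this thread, not the original poster's code: produce the
# com.apple.GSS.items.plist shown in the post from a script. Writing the file whole
# avoids the problem of getting an empty <dict/> out of "defaults write".
# write_gss_items_plist and install_for_user are this example's own names.

# Write the plist (an empty kGSSConfKeys dict) to FILE. Returns 0 if the file was
# written and, where plutil is available, passes plutil -lint.
write_gss_items_plist() {
    file="$1"
    mkdir -p "$(dirname "$file")" || return 1
    cat > "$file" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>kGSSConfKeys</key>
  <dict/>
</dict>
</plist>
EOF
    # plutil exists on OS X only; elsewhere the lint step is skipped
    if command -v plutil >/dev/null 2>&1; then
        plutil -lint "$file" >/dev/null || return 1
    fi
    grep -q '<dict/>' "$file"
}

# Install the plist for the user whose home directory is HOME_DIR, owned by OWNER,
# so Ticket Viewer picks it up without the symlink approach. Run as root on a client:
#   install_for_user /Users/jsmith jsmith   (constructed example values)
install_for_user() {
    home="$1"; owner="$2"
    target="$home/Library/Preferences/com.apple.GSS.items.plist"
    write_gss_items_plist "$target" || return 1
    chown "$owner" "$target"
}
```

On OS X the same structure should also come out of /usr/libexec/PlistBuddy -c 'Add :kGSSConfKeys dict' FILE, since PlistBuddy creates a missing file; the heredoc form above is used here because it is checkable on any system.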

tkimpton
Valued Contributor II

My fix is to copy the plist and package it up with Composer, putting it in /Library/Preferences/com.apple.GSS.items.plist

I then run this script as a login policy

#!/bin/bash

################################# HISTORY #######################################
#                                                                               #
# Created by Tim K 13/2/2013                                                    #
#                                                                               #
# Version 1.0                                                                   #
#                                                                               #
# There is a bug in 10.8 that makes the Kerberos ticket not viewable            #
# in the Ticket Viewer app. If a custom packaged com.apple.GSS.items.plist      #
# is copied to the user's ~/Library/Preferences then it works and it is visible.#
#                                                                               #
# http://jamfnation.jamfsoftware.com/discussion.html?id=5801                    #
#                                                                               #
#################################################################################

###############################  VARIABLES  #####################################

# Get the current logged in user (owner of /dev/console)
user=`ls -l /dev/console | cut -d " " -f4`

# Carry out an OS version check (first four characters, e.g. "10.8")
OS=`/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk '{print substr($1,1,4)}'`

###############################  DO NOT MODIFY BELOW THIS LINE  ##################

# Check to see if the packaged file exists first
if [ -f /Library/Preferences/com.apple.GSS.items.plist ]; then

    # Check to see if the OS is 10.8
    if [[ "$OS" == "10.8" ]]; then

        # Link the file into the user's directory, as that user, so the link is theirs
        su - "${user}" -c 'ln -sf /Library/Preferences/com.apple.GSS.items.plist ~/Library/Preferences/com.apple.GSS.items.plist'
    fi
fi
exit 0