Kerberos Ticket Destroy and Renewal

Treger
Contributor

HI JAMF peeps,

I thought I would put this out there, I am looking for a script to run that will destroy all existing kerberos tickets and then renew with a single one. We have a finance system that requires this for login via browser and only allows Safari, however if there are multiple tickets, it will not allow you to log in, even if they are current.

I currently have a package that runs to destroy and renew the tickets with a .sh script inside which fills user templates, however it is not reliable, especially from the later versions of 10.9. I was wondering if anyone out there has had to do anything similar? I would myself prefer to run a policy throughout the day or on a timer that automatically renews the ticket instead of having the user manually run this when the problem has already occurred. It also seems that, as a further step, Safari has to be reset for it to realise that a new ticket has been issued. Keychain has become the bane of my life with AD bound Macs.

All feedback is appreciated.


davidacland
Honored Contributor II

Not sure if it's still the case now but OS X traditionally didn't destroy existing tickets at logout. As Kerberos tickets are obtained at login (assuming the Mac is on the network), it might be worth just using a policy, triggered ongoing at logout, to run:

```
kdestroy
```
You could then just advise the users to logout at the end of each day and login at the start.

You can script kinit various ways to get tickets but having the user login fresh each day might be a cleaner / simpler solution.
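As an added example (not code from the thread or from David), here is a logout-policy script along the lines he suggests: it counts the console user's credential caches with `klist -l` and clears them all with `kdestroy -A` when more than one is present, so the next login obtains a single fresh ticket. It assumes the macOS Heimdal tools are on PATH and that `klist -l` prints one header line followed by one line per cache.

```shell
#!/bin/sh
# Added example for a Jamf logout policy (not from the original thread).
# Assumptions: macOS Heimdal klist/kdestroy, and `klist -l` output of the
# form "header line, then one line per credential cache".

# Count credential caches from `klist -l` output read on stdin.
# Skips the header line and blank lines; prints 0 when nothing is listed.
cache_count() {
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# True (exit 0) when the cache count in $1 exceeds 1, i.e. the state in
# which the finance portal described in the thread refuses the login.
needs_cleanup() {
    [ "$1" -gt 1 ]
}

# Inspect and destroy the caches of the logged-in console user (not root),
# running the Heimdal tools in that user's launchd context.
main() {
    user=$(stat -f %Su /dev/console)
    uid=$(id -u "$user")
    count=$(launchctl asuser "$uid" sudo -u "$user" klist -l 2>/dev/null | cache_count)
    if needs_cleanup "$count"; then
        launchctl asuser "$uid" sudo -u "$user" kdestroy -A
        echo "Destroyed $count Kerberos caches for $user"
    else
        echo "Found $count cache(s) for $user; nothing to do"
    fi
}

# Only perform the live check on a Mac that has the Heimdal tools installed.
if [ "$(uname)" = "Darwin" ] && [ -x /usr/bin/kdestroy ]; then
    main
fi
```

Deploy it as a policy with an ongoing frequency on the logout trigger; the user then starts each day with exactly one ticket from the login-time kinit.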

Treger
Contributor

Hi David,

This is very true, however, my users hardly ever reboot and that's why I have this issue. Even with explaining to them that the reboot and login connected to the network will remove this issue altogether, they still don't listen. Even to the extent they will bring the laptop round or call up and then say they have rebooted and it has not worked; go into Terminal and do a simple uptime command and you can see the machine has been on for anywhere from 4 days to over 2 weeks. This particular issue contributes to a large number of calls to the helpdesk and I was just trying to see if I could reduce it. Even just a reboot to refresh the system for day to day running of apps etc seems to be a problematic reasoning to follow...

bentoms
Release Candidate Programs Tester

@Treger, maybe: https://yourmacguy.wordpress.com/kerbminder/

Treger
Contributor

Thanks @bentoms, this may be something I can use!

RobertHammen
Valued Contributor II

There are some scripts on this site that will start nagging users when uptime reaches x number of days. I haven't used one at a client yet, but am about to.