OT: Kerberos ticket renewal 10.7

lisacherie
Contributor II

A bit off topic - but putting this out there anyway...

With 10.6.x the Kerberos Agent would pop up a polite GUI requesting password which could be called from a script as follows: echo '' | sudo -u $user kinit

This could be used to automate prompting a user to re-authenticate and preventing ticket expiry.

With Kerberos changes in Lion what are others using to prevent ticket expiry/renewal?

Thanks,

Lisa.

1 ACCEPTED SOLUTION

rtrouton
Release Candidate Programs Tester

Peter Bukowinski just posted this on his Twitter feed:

https://gist.github.com/2149196

try
    -- test for Kerberos ticket presence and attempt to renew
    set kerb to do shell script "/usr/bin/klist | /usr/bin/grep krbtgt"
    set renewKerb to do shell script "/usr/bin/kinit -R"
on error
    -- offer to renew Kerberos ticket
    set response to (display dialog "No Kerberos ticket was found. Do you want to renew it?" with icon 2 buttons {"No", "Yes"} default button "Yes")
    if button returned of response is "Yes" then
        try
            set thePassword to text returned of (display dialog "Enter your password:" default answer "" with hidden answer)
            -- quoted form keeps a password containing quotes or shell metacharacters from breaking the command line
            do shell script "/bin/echo " & quoted form of thePassword & " | /usr/bin/kinit -l 10h -r 10h --password-file=STDIN"
            display dialog "Kerberos ticket acquired." with icon 1 buttons {"OK"} default button 1
        on error
            try
                set thePassword to text returned of (display dialog "Password incorrect. Please try again:" default answer "" with icon 2 with hidden answer)
                do shell script "/bin/echo " & quoted form of thePassword & " | /usr/bin/kinit -l 10h -r 10h --password-file=STDIN"
                display dialog "Kerberos ticket acquired." with icon 1 buttons {"OK"} default button 1
            on error
                display dialog "Too many incorrect attempts. Stopping to avoid account lockout." with icon 2 buttons {"OK"} default button 1
            end try
        end try
    else -- if No is clicked
        quit
    end if
end try

raulsant
New Contributor III

set thePassword to text returned of (display dialog "Enter your password:" default answer "" with hidden answer)
do shell script "/bin/echo " & quoted form of thePassword & " | /usr/bin/kinit -l 10h -r 10h --password-file=STDIN"

That renews for 10 hours.


do shell script "/usr/bin/kinit -R"

will only work in cases where you don't need to re-enter your password. If you do need to enter the password again


lisacherie
Contributor II

Thank you - will make a few changes and do some testing

raulsant
New Contributor III

Peter and I talked about this this morning; that was the solution we came up with.

If you make a launchd agent to run an AppleScript app that runs this every 9.5 hours, since tickets expire every 10 hours:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.logon.RenewKerberos</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/~~ Misc/Renew Kerberos Ticket .app/Contents/Resources/Scripts/main.scpt</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>34200</integer>
</dict>
</plist>

lisacherie
Contributor II

Thank you for sharing!

The script runs well, though I made a few site-specific changes. Will run via policy rather than launchd, so as to distinguish for laptops whether on or off site.

raulsant
New Contributor III

I am trying to push it out as a policy but am getting an error:

"AppleScript execution error: No user interaction allowed. (-1713)"

talkingmoose
Moderator

Policies will run under each machine's local Casper administrative account but the AppleScript must run under the user account that needs its Kerberos ticket renewed.

Running the script using the launchd agent you mentioned earlier is probably the better solution for triggering this.

lisacherie
Contributor II

The script is running in testing; I modified the script. My understanding was that policies run as root, so the kinit would need to run as the user:

sudo -u $username kinit

raulsant
New Contributor III

Can you post your modified version of the script?

lisacherie
Contributor II

Sorry, I can't post the whole script; however, here are the excerpts and explanation that I think are important. This is the Snow Leopard version. For Lion, use the AppleScript above to generate the UI, but use the same logic to determine the user and run as the user.

Determine the current user, as the policy runs as root and you need tickets for the logged-in user, not root:

user=$(/usr/bin/who | /usr/bin/grep console | /usr/bin/cut -d " " -f 1)
echo "identified user is $user"

Determine when the user's ticket is set to expire and later use this time to attempt to renew if within a threshold you determine (i.e. if the ticket expires within x, then attempt to renew).

sudo -u lets you run as the user rather than as root.

kexpire=$(sudo -u $user klist | grep krbtgt | awk '{print $3, $4}')

Use the -r option with kinit to attempt to renew,

or request a ticket if the ticket has expired.

echo '' | sudo -u $user kinit -l 10h

In Snow Leopard this will cause the Kerberos Agent to launch and prompt for the password. The AppleScript above provides the UI for the Lion users.

Scope by policy to Lion or Snow Leopard clients (2 scripts). Run every hour with ongoing frequency, depending on your ticket lifetimes; be sure to exit early if there is no logged-in user.
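As an added example (not lisacherie's script or anything posted in the thread), here is the Snow Leopard logic above combined into one sh script: find the console user, read the krbtgt expiry, renew only inside a threshold, and exit early with nobody logged in. It assumes MIT-style klist output (mm/dd/yy HH:MM:SS columns), a one-hour threshold, and the `who`/`klist` text used to exercise the helpers is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers take their input as arguments so
# the parsing and the renewal decision can be checked on constructed who/klist
# text without a KDC; main() wires them to the real commands.

# First field of the `who` line whose tty is "console"; empty if nobody is logged in.
console_user() {
    printf '%s\n' "$1" | awk '$2 == "console" { print $1; exit }'
}

# Expiry columns ("mm/dd/yy HH:MM:SS") of the krbtgt line in MIT-style klist
# output; empty when there is no ticket at all.
krbtgt_expiry() {
    printf '%s\n' "$1" | awk '/krbtgt/ { print $3, $4; exit }'
}

# Expiry string to epoch seconds: macOS date(1) syntax first, GNU date as fallback.
to_epoch() {
    date -j -f "%m/%d/%y %H:%M:%S" "$1" +%s 2>/dev/null || date -d "$1" +%s
}

# Returns 0 (renew) when expiry ($1, epoch) is within $3 seconds of now ($2, epoch).
should_renew() {
    [ $(( $1 - $2 )) -le "$3" ]
}

main() {
    user=$(console_user "$(/usr/bin/who)")
    if [ -z "$user" ]; then
        echo "no console user, nothing to renew"
        exit 0
    fi
    expiry=$(krbtgt_expiry "$(sudo -u "$user" /usr/bin/klist 2>/dev/null)")
    if [ -z "$expiry" ]; then
        # No ticket: an empty stdin makes the Kerberos Agent prompt (Snow Leopard).
        echo '' | sudo -u "$user" /usr/bin/kinit -l 10h
    elif should_renew "$(to_epoch "$expiry")" "$(date +%s)" 3600; then
        # Renew silently; fall back to prompting if the ticket is not renewable.
        sudo -u "$user" /usr/bin/kinit -R || echo '' | sudo -u "$user" /usr/bin/kinit -l 10h
    fi
}

# Only touch the real commands when invoked as `renew.sh run` (assumed name);
# sourcing the file just defines the helpers.
if [ "${1:-}" = "run" ]; then
    main
fi
```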

bgreeno
New Contributor III

This information is helpful. I am a novice when it comes to automating this process. We have an issue where if our users restart their computer their kerberos credentials are removed. We have many laptop users and they do not connect via Ethernet before logging back in after restarting. This means they do not acquire a new Kerberos ticket. We also use Centrify Express to bind our Macs. Is there a way to automate this process for our Mac laptop users?

I've created an AppleScript command that can be run via Self Service after they've logged in and are connected via Wi-Fi to retrieve a new Kerberos Ticket so that they can print.

#! /bin/sh

osascript -e 'launch application "Terminal"' -e 'tell application "Terminal" to activate' -e 'tell application "Terminal" to do script with command "login $USER" in window 1' -e 'delay 15' -e 'do shell script "killall Terminal"'

It would be great to just request the ticket for them automatically using the currently logged-in user's password. Is this possible? Thanks for the help!