Knowledge base

OS X Lion: Enabling Kerberos authentication with a third-party Key Distribution Center

Posted in Apple Mac OS

Summary

Learn how to configure OS X Lion to authenticate against a third-party Key Distribution Center (KDC).

  1. Per the kbr5.conf(5) manual page, create /etc/krb5.conf with your site-specific information. Here is an example of a basic krb5.conf file:
    [libdefaults]
    	default_realm = EXAMPLE.COM
    [realms]
    	EXAMPLE.COM = {
    		admin_server = kdc.example.com
    		kdc = kdc.example.com
    		kpasswd = kdc.example.com
    	}
  2. In order to obtain a Ticket Granting Ticket (TGT) when logging in via the login window, edit /etc/pam.d/authorization per the pam_krb5(8) manual page. For example, you must add the default_principal option to the pam_krb5.so line if you'll be using user accounts which don't contain a valid AuthenticationAuthority attribute:
    auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
  3. In order to obtain a Ticket Granting Ticket (TGT) when authenticating to the Screen Saver, edit /etc/pam.d/screensaver per the pam_krb5(8) manual page. As with /etc/pam.d/authorization, you must add the default_principal option to the pam_krb5.so line if you'll be using user accounts which don't contain a valid AuthenticationAuthority attribute:
    auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
  4. Log out and log back in via the login window as a user whose short name matches the a user principal in the Kerberos database of the KDC specified in /etc/krb5.conf. You should now see that you've obtained a TGT by using the Ticket Viewer application (located in /System/Library/CoreServices) or by executing klist in the Terminal application.

Additional Information

Note: This article does not apply if an OS X Server or Active Directory server is being used as the KDC.

Read more http://support.apple.com/kb/HT5385