Is there any way to "automate" Kerberos authentication on Mac OS X?

Here's the problem: When a user wants to access a samba-3.0.2a server from a Mac, he/she has to run "kinit" to get the principal ticket. If this is not done, Mac's tools (Finder) will try to authenticate with NTLM, which is and will be disabled on our servers. Of course, this fails miserably.

I have not devised any means to tell the Mac clients to use Kerberos, unless the Kerberos ticket is explicitly loaded prior to attempting connections. In such a case, everything works fine, but it is kind of impractical to tell the users to issue "kinit" manually once a day to load new tickets after they expire.

How could this be integrated into Mac's own tools? Possible solutions would be to use the screen saver password locking to forward the information to Kerberos (i.e. run kinit with the password and username from the screen saver) or to have Mac programs authenticate with Kerberos by default. I just haven't found a way to implement this easily. Are there other possibilities?

-- ArNO 2
ww m-pubsyssamba
2004-Mar-12 10:59 UTC
[Samba] Automating kerberos authentication on Mac OS X?
Hi Arno,

You may already know this, but you need a ticket granting ticket to enable Kerberos authentication to other services; this is obtained manually by kinit or by some other custom means. So your problem is automating the getting of the ticket granting ticket.

Try this link, it explains how to configure OS X to obtain a TGT at logon:
http://www.public.iastate.edu/~macosx/how-to.html

Thanks,
Andy.

PS I haven't personally tested this, but had something similar working with OS X 10.2.

-----Original Message-----
From: samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org [mailto:samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org] On Behalf Of Arno Hahma
Posted At: 12 March 2004 10:36
Posted To: Samba
Conversation: [Samba] Automating kerberos authentication on Mac OS X?
Subject: [Samba] Automating kerberos authentication on Mac OS X?

Is there any way to "automate" Kerberos authentication on Mac OS X?

Here's the problem: When a user wants to access a samba-3.0.2a server from a Mac, he/she has to run "kinit" to get the principal ticket. If this is not done, Mac's tools (Finder) will try to authenticate with NTLM, which is and will be disabled on our servers. Of course, this fails miserably.

I have not devised any means to tell the Mac clients to use Kerberos, unless the Kerberos ticket is explicitly loaded prior to attempting connections. In such a case, everything works fine, but it is kind of impractical to tell the users to issue "kinit" manually once a day to load new tickets after they expire.

How could this be integrated into Mac's own tools? Possible solutions would be to use the screen saver password locking to forward the information to Kerberos (i.e. run kinit with the password and username from the screen saver) or to have Mac programs authenticate with Kerberos by default. I just haven't found a way to implement this easily. Are there other possibilities?
-- ArNO 2
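
Added example (not part of either poster's message and not taken from the linked how-to): a small helper that runs kinit only when the credential cache holds no TGT or the TGT is close to expiry, so users are prompted only when a new ticket is actually needed. It assumes MIT-style `klist` output with MM/DD/YY HH:MM:SS timestamps, which varies between Kerberos releases; the sample output, principal and realm are constructed.

```python
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample of MIT-style `klist` output (not from the thread).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: arno@EXAMPLE.ORG

Valid starting     Expires            Service principal
03/12/04 08:00:00  03/12/04 18:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
03/12/04 08:05:10  03/12/04 18:00:00  cifs/fileserver.example.org@EXAMPLE.ORG
"""

# Assumed row layout: start date/time, expiry date/time, service principal.
ROW = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
                 r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$")

def tgt_expiry(klist_text):
    """Return the latest expiry of any krbtgt/ entry, or None if there is no TGT."""
    expiries = []
    for line in klist_text.splitlines():
        m = ROW.match(line)
        if m and m.group(3).startswith("krbtgt/"):
            expiries.append(datetime.strptime(m.group(2), "%m/%d/%y %H:%M:%S"))
    return max(expiries) if expiries else None

def needs_kinit(klist_text, now, margin=timedelta(minutes=30)):
    """True when no TGT is cached or it expires within `margin` of `now`."""
    expiry = tgt_expiry(klist_text)
    return expiry is None or expiry - now <= margin

def ensure_tgt(principal):
    """Run interactive kinit only when the cache lacks a usable TGT."""
    try:
        out = subprocess.run(["klist"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        raise SystemExit("klist not found; Kerberos client tools are required")
    if needs_kinit(out, datetime.now()):
        # kinit prompts on the terminal; the password never passes through this script.
        subprocess.run(["kinit", principal], check=True)

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        raise SystemExit("usage: ensure_tgt.py user@REALM")
    ensure_tgt(sys.argv[1])
```

Service tickets such as the `cifs/` entry are ignored on purpose: only the TGT decides whether new service tickets can be obtained without another password prompt.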