Enabling Kerberos Authentication at Login
Enabling Kerberos Authentication at Login allows you to use your Iowa
State Net-ID and password in the Mac OS X login window and obtain
Kerberos tickets as you log in.

For machines that will have local Mac OS X user accounts, you should
first create each Mac OS X user account with the same "short name" as
the user's Iowa State Net-ID. The password should be secure and
something you can remember, since this password will be used if your machine
is disconnected from the network and cannot communicate with the
Kerberos server. For security, it is strongly recommended that your local
password be different from your Iowa State Net-ID password. After the
Mac OS X user accounts are created, continue with the steps below
to enable Kerberos Authentication at Login.

For lab machines, do not create local Mac OS X users at this time, but
continue with the steps below to enable Kerberos Authentication at Login.
For lab machines, see the
Mac OS X How To for Labs documentation.

- Open "System Preferences"
- IT Services has put together a Kerberos Login installer that
  will enable Kerberos Authentication at Login. This installer is included
  in the KerberosConfig-0510.dmg download file.
  You can download this Kerberos Login installer from
  here (594 KB).
  To enable Kerberos Authentication at Login, double-click on the
  KerberosConfig-0510.dmg file if it did not mount, then double-click on the
  KerberosLogin.pkg installer package.
  The Kerberos Login installer performs the following (but only if the
  /etc/authorization file has not already been changed):
    /bin/cp /etc/authorization /etc/authorization.save
    /usr/libexec/PlistBuddy /etc/authorization -c "set rights:system.login.console:mechanisms:5 builtin:krb5authnoverify,privileged"

- Open "System Preferences"
- IT Services has put together a Kerberos Login installer that
  will enable Kerberos Authentication at Login. This installer is included
  in the KerberosConfig-0510.dmg download file.
  You can download this Kerberos Login installer from
  here (594 KB).
  To enable Kerberos Authentication at Login, double-click on the
  KerberosConfig-0510.dmg file if it did not mount, then double-click on the
  KerberosLogin.pkg installer package.
  The Kerberos Login installer performs the following (but only if the
  /etc/authorization file has not already been changed):
    /bin/cp /etc/authorization /etc/authorization.save
    /usr/libexec/PlistBuddy /etc/authorization -c "set rights:system.login.console:mechanisms:4 builtin:krb5authnoverify,privileged"

Requires Mac OS X 10.4.2 - Mac OS 10.4.11
- Open "System Preferences"
- Edit the Mac OS X Authorization file. Before changing the
  /etc/authorization file, you should make a backup copy in case you need
  to go back to the original file.
  You must have administrator privilege and use the terminal to edit this file.
    sudo cp /etc/authorization /etc/authorization.save
    sudo pico -w /etc/authorization

Note 1: Text that should be deleted is shown like this.
Note 2: Text that should be added is shown like this.
Note 3: Some text may be wrapped.
Search for:
<key>system.login.console</key>
Change:
(these lines appear several lines further down in the file)
<key>mechanisms</key>
<array>
<string>builtin:auto-login,privileged</string>
<string>loginwindow_builtin:login</string>
<string>builtin:reset-password,privileged</string>
<string>authinternal</string>
<string>builtin:getuserinfo,privileged</string>
<string>builtin:sso,privileged</string>
<string>HomeDirMechanism:login,privileged</string>
<string>HomeDirMechanism:status</string>
<string>MCXMechanism:login</string>
<string>loginwindow_builtin:success</string>
<string>loginwindow_builtin:done</string>
</array>
To:
<key>mechanisms</key>
<array>
<string>builtin:auto-login,privileged</string>
<string>loginwindow_builtin:login</string>
<string>builtin:reset-password,privileged</string>
<string>builtin:krb5authnoverify,privileged</string>
<string>builtin:getuserinfo,privileged</string>
<string>builtin:sso,privileged</string>
<string>HomeDirMechanism:login,privileged</string>
<string>HomeDirMechanism:status</string>
<string>MCXMechanism:login</string>
<string>loginwindow_builtin:success</string>
<string>loginwindow_builtin:done</string>
</array>
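
An added example, not part of the original page or of the IT Services installer: the installer commands above set the mechanism at a fixed array index (5 or 4), while in the 10.4 list shown here `authinternal` sits at index 3, so this Python sketch finds the slot by name, reports which authentication mechanism is active, and makes the same replacement. The sample plist is constructed from the mechanism list on this page, and the function names are hypothetical.

```python
import plistlib

KRB5 = "builtin:krb5authnoverify,privileged"
LOCAL = "authinternal"

# Constructed sample: only the part of /etc/authorization the page edits,
# using the Mac OS X 10.4 mechanism list shown on the page.
SAMPLE_10_4 = plistlib.dumps({"rights": {"system.login.console": {"mechanisms": [
    "builtin:auto-login,privileged",
    "loginwindow_builtin:login",
    "builtin:reset-password,privileged",
    "authinternal",
    "builtin:getuserinfo,privileged",
    "builtin:sso,privileged",
    "HomeDirMechanism:login,privileged",
    "HomeDirMechanism:status",
    "MCXMechanism:login",
    "loginwindow_builtin:success",
    "loginwindow_builtin:done",
]}}})

def login_mechanisms(plist_bytes):
    """Return the system.login.console mechanism list from an authorization plist."""
    db = plistlib.loads(plist_bytes)
    return db["rights"]["system.login.console"]["mechanisms"]

def audit(plist_bytes):
    """Report which authentication mechanism is active and at which array index."""
    mechs = login_mechanisms(plist_bytes)
    found = {name: mechs.index(name) for name in (LOCAL, KRB5) if name in mechs}
    if len(found) != 1:
        return {"state": "unexpected", "found": found}  # neither, or both present
    name, index = next(iter(found.items()))
    return {"state": "kerberos" if name == KRB5 else "local", "index": index}

def enable_kerberos(plist_bytes):
    """Swap authinternal for the Kerberos mechanism by name, not by a fixed index."""
    db = plistlib.loads(plist_bytes)
    mechs = db["rights"]["system.login.console"]["mechanisms"]
    if KRB5 in mechs:
        return plist_bytes                  # already changed: leave untouched
    mechs[mechs.index(LOCAL)] = KRB5        # raises ValueError if the slot is missing
    return plistlib.dumps(db)

if __name__ == "__main__":
    print(audit(SAMPLE_10_4))
    print(audit(enable_kerberos(SAMPLE_10_4)))
```

To check a real machine, pass `audit()` the bytes of a copy of the file, such as the `/etc/authorization.save` backup, instead of the constructed sample.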