• Home
  • Blog
  • Kerberos on OS X 10.7 (Lion)

Kerberos on OS X 10.7 (Lion)

Vincent Danen

July 26, 2011

So I had upgraded my wife's MacBook to Lion and discovered that, once again, Apple screwed around with Kerberos. This seems to be a recurring theme (and not a good one). After quite a bit of fighting and figuring, a few things have been sorted out. Once I've got it completely figured out, I'll document it on my wiki but in the meantime (since there is a severe shortage of good info about Kerberos in Lion), here's the skinny:

  • MIT Kerberos has been replaced with Heimdal
  • Heimdal seems to prefer UDP over TCP; so if your KDC has a firewall in place to block UDP ports 88 and 749, you probably want to change your firewall rules to allow access to UDP (or you get strange errors: kinit says it can't reach any defined KDC, Ticket Viewer says you provided the wrong password)
  • /Library/Preferences/edu.mit.Kerberos is still a valid configuration file, however you need to remove the quotes (e.g if you have default_realm = "FOO.CA" you need to change that to default_realm = FOO.CA).
  • Subversion (either Lion-supplied or via Fink) does not seem to do GSSAPI negotiation anymore
  • Google Chrome on Lion does not seem to do GSSAPI negotiation anymore
  • Safari on Lion does work with Kerberized (mod_auth_kerb) websites
  • Supposedly you do not need to change /etc/authorization anymore; Lion is using a PAM stack that should give you a ticket upon login (provided your kerberos password and login password are the same (or presumably it is store in your Keychain) -- I've not tested this yet
  • Someone indicated that you can prefix the KDC hostname in /Library/Preferences/edu.mit.Kerberos with "tcp/host" to make Heimdal talk over TCP (preventing the need to open UDP ports), but there is also another indication that this doesn't work -- I've not tested this yet either

Anyways, the point is it's messy. There is an ongoing discussion on the Apple support forums here: https://discussions.apple.com/thread/3189202 so if you're experiencing some oddness (or getting things to work!) please either note in the comments here or on that discussion thread. I would really like to get subversion and Chrome working with kerberos auth again -- those are the only two things preventing me from going forward with Lion on other systems.

Leave a Comment

Comments use MarkDown. Need help? MarkDown Cheatsheet