Kerberos on OS X 10.7 (Lion)
So I upgraded my wife's MacBook to Lion and discovered that, once again, Apple has screwed around with Kerberos. This seems to be a recurring theme (and not a good one). After quite a bit of fighting and figuring, a few things have been sorted out. Once I've got it completely figured out I'll document it on my wiki, but in the meantime (since there is a severe shortage of good info about Kerberos in Lion) here's the skinny:
- MIT Kerberos has been replaced with Heimdal
- Heimdal seems to prefer UDP over TCP, so if your KDC sits behind a firewall that blocks UDP ports 88 and 749, you probably want to change your firewall rules to allow UDP (otherwise you get strange errors: kinit says it can't reach any defined KDC, and Ticket Viewer says you provided the wrong password)
- /Library/Preferences/edu.mit.Kerberos is still a valid configuration file, but you need to remove the quotes around values (e.g. if you have default_realm = "FOO.CA" you need to change that to default_realm = FOO.CA)
- Subversion (either Lion-supplied or via Fink) does not seem to do GSSAPI negotiation anymore
- Google Chrome on Lion does not seem to do GSSAPI negotiation anymore
- Safari on Lion does work with Kerberized (mod_auth_kerb) websites
- Supposedly you do not need to change /etc/authorization anymore; Lion uses a PAM stack that should give you a ticket upon login (provided your Kerberos password and login password are the same, or presumably it is stored in your Keychain). I've not tested this yet
- Someone indicated that you can prefix the KDC hostname in /Library/Preferences/edu.mit.Kerberos with "tcp/" (i.e. tcp/host) to make Heimdal talk over TCP (avoiding the need to open UDP ports), but there is also another indication that this doesn't work. I've not tested this yet either
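As an added example (my own code, not part of the original post): a small Python script that rewrites an MIT-style edu.mit.Kerberos file into the form Heimdal accepts by stripping the double quotes around values, reports which lines still carry quotes, and optionally puts the "tcp/" service prefix on kdc entries. The sample config embedded in it is constructed for illustration (made-up realm FOO.CA and host kdc.foo.ca). The tcp/ prefix uses the [service/]host[:port] syntax documented in Heimdal's krb5.conf(5), but as noted above reports on whether Lion honours it are mixed, so that option is an assumption to be tested rather than a known fix.

```python
import re
import sys

# Constructed sample input: an MIT-style edu.mit.Kerberos file of the kind
# carried over from 10.6, with the quoted values that Heimdal rejects.
# The realm and hostnames are made up for this example.
SAMPLE_MIT_CONFIG = """\
[libdefaults]
    default_realm = "FOO.CA"
    forwardable = "true"

[realms]
    FOO.CA = {
        kdc = "kdc.foo.ca"
        admin_server = "kdc.foo.ca"
    }

[domain_realm]
    .foo.ca = "FOO.CA"
    foo.ca = "FOO.CA"
"""

# Matches "key = value" lines. The key may be a realm or domain name and the
# value may be "{" (start of a realm block). Lines starting with "#" or "["
# (comments, section headers) are deliberately excluded from the key class.
_ASSIGN = re.compile(r'^(\s*)([^=\s#\[][^=]*?)\s*=\s*(.*?)\s*$')


def unquote_value(value):
    """Strip one layer of matching double quotes; leave anything else alone."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def heimdalize(text, force_tcp=False):
    """Return the config text with quoted values unquoted.

    With force_tcp=True, kdc entries that carry no service prefix yet get a
    "tcp/" prefix (Heimdal krb5.conf(5) syntax: kdc = [service/]host[:port]).
    Assumption: one hostname per kdc line, as in the sample above.
    """
    out = []
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m is None:
            # Section headers, closing braces, blank lines and comments
            # pass through untouched.
            out.append(line)
            continue
        indent, key, value = m.groups()
        value = unquote_value(value)
        if force_tcp and key == "kdc" and "/" not in value:
            value = "tcp/" + value
        out.append("%s%s = %s" % (indent, key, value))
    return "\n".join(out) + "\n"


def quoted_lines(text):
    """1-based line numbers of assignments whose value is still double-quoted.

    Handy as a check after editing the file by hand: an empty list means
    nothing is left that Heimdal will choke on for this reason.
    """
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _ASSIGN.match(line)
        if m is not None and m.group(3).startswith('"'):
            found.append(n)
    return found


if __name__ == "__main__":
    # Usage: python heimdalize.py [/Library/Preferences/edu.mit.Kerberos] [--tcp]
    # With no path argument it converts the constructed sample above.
    paths = [a for a in sys.argv[1:] if not a.startswith("--")]
    if paths:
        with open(paths[0]) as f:
            source = f.read()
    else:
        source = SAMPLE_MIT_CONFIG
    sys.stdout.write(heimdalize(source, force_tcp="--tcp" in sys.argv))
```

Redirect the output to a new file and diff it against the original before copying it over /Library/Preferences/edu.mit.Kerberos; the script only ever rewrites lines that contain "=", so everything else in the file should come back byte-for-byte.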
Anyways, the point is it's messy. There is an ongoing discussion on the Apple support forums here: https://discussions.apple.com/thread/3189202, so if you're experiencing some oddness (or getting things to work!) please note it either in the comments here or on that discussion thread. I would really like to get Subversion and Chrome working with Kerberos auth again; those are the only two things preventing me from going forward with Lion on other systems.