Lion Server, Kerberos, and Lion and Ubuntu Clients

Vimia's infrastructure has been based on Ubuntu 9.04 server VMs running under Xen. The clients are nearly all Mac OS X machines. Retiring one of those Mac OS X clients has freed up a machine on which to try Mac OS X Server, which in Version 10.7 (Lion) is available for only CHF 48.00 from the Mac App Store.

The Lion server now runs DHCP, DNS, Mail and Open Directory (as a master). The interesting thing is that it also runs a Kerberos KDC in the background, which means that users registered in Open Directory (OD) automatically get Kerberos principals in the server's realm. Kerberos can be a frightening piece of software, so anything which automates its use has got to be a good thing.

So, how do you log in to Lion and Ubuntu clients using Kerberos and Lion Server? It's relatively simple, once you've trawled the Internet for the appropriate information.

Note that I'm using only Mac OS X Lion (server and client) and Ubuntu 11.10. Other configurations may behave differently. I assume that you've set up DNS and Open Directory correctly in Lion Server.

I also assume that you know how to work with Unix/Linux command lines and use sudo and appropriate text editors.

Configure the server

First of all, you need to advertise the Kerberos infrastructure in your network. You do this by adding service records (SRV) to your DNS zone; clients use them to locate the KDC, the kadmin service and the password-change service. In the DNS configuration on Lion Server, you end up with something like the following:

[Screenshot: Lion Server DNS configuration showing the kerberos.domain.xx machine record and the four Kerberos service records]

In the following, replace domain.xx with your own domain.

  1. Create a DNS machine record (A) for the Lion server; I have used kerberos.domain.xx in this example. The service records point at this name.
  2. Create the following service records, each with kerberos.domain.xx as its target and the port shown, as in the screenshot above:
    • _kerberos._udp, port 88
    • _kerberos-master._udp, port 88
    • _kerberos-adm._tcp, port 749
    • _kpasswd._udp, port 464

After stopping and restarting the DNS server, the service records are available throughout your network.

If you are using BIND on a different platform instead of Lion Server, the following zone records have the same effect. The _kerberos TXT record names the realm for clients that discover realms through DNS; the clients configured below set default_realm explicitly, so they do not depend on it, but it costs nothing to publish:

_kerberos.domain.xx.              10800 IN TXT   "DOMAIN.XX"
_kerberos-adm._tcp.domain.xx.     10800 IN SRV   0 0 749 kerberos.domain.xx.
_kerberos._udp.domain.xx.         10800 IN SRV   0 0  88 kerberos.domain.xx.
_kerberos-master._udp.domain.xx.  10800 IN SRV   0 0  88 kerberos.domain.xx.
_kpasswd._udp.domain.xx.          10800 IN SRV   0 0 464 kerberos.domain.xx.
kerberos.domain.xx.               10800 IN A     192.168.1.30
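Before restarting the DNS server it is worth checking the record set for the mistakes that make SRV discovery fail silently: a missing record, a wrong port, a target written without the trailing dot (a zone file then appends the origin to it), a target with no A record, or a target that is a CNAME. The checker below is an added example, not code from the original post or from Apple or Ubuntu; it parses records in the BIND form shown above and reports those problems. The domain, host name and address are the post's placeholders, and the second, deliberately broken record set is constructed here to show what the findings look like.

```python
"""Check a Kerberos DNS record set before publishing it.

Added example, not code from the original post or from Apple/Ubuntu.  It parses
zone records in the BIND form shown in the post and reports what a client doing
SRV discovery would stumble over.  The domain, host and address are the post's
placeholders, not real ones.
"""
import re

# Well-known ports for the four service records the post creates.
EXPECTED_SRV = {
    "_kerberos._udp": 88,
    "_kerberos-master._udp": 88,
    "_kerberos-adm._tcp": 749,
    "_kpasswd._udp": 464,
}

# Copy of the post's BIND records (placeholder domain and RFC 1918 address).
ZONE = """\
_kerberos.domain.xx.              10800 IN TXT   "DOMAIN.XX"
_kerberos-adm._tcp.domain.xx.     10800 IN SRV   0 0 749 kerberos.domain.xx.
_kerberos._udp.domain.xx.         10800 IN SRV   0 0  88 kerberos.domain.xx.
_kerberos-master._udp.domain.xx.  10800 IN SRV   0 0  88 kerberos.domain.xx.
_kpasswd._udp.domain.xx.          10800 IN SRV   0 0 464 kerberos.domain.xx.
kerberos.domain.xx.               10800 IN A     192.168.1.30
"""

# Constructed, deliberately broken copy: master record missing, kadmin target
# relative (no trailing dot), kpasswd on the wrong port.
BAD_ZONE = """\
_kerberos.domain.xx.          10800 IN TXT "DOMAIN.XX"
_kerberos-adm._tcp.domain.xx. 10800 IN SRV 0 0 749 kerberos.domain.xx
_kerberos._udp.domain.xx.     10800 IN SRV 0 0 88 kerberos.domain.xx.
_kpasswd._udp.domain.xx.      10800 IN SRV 0 0 88 kerberos.domain.xx.
kerberos.domain.xx.           10800 IN A   192.168.1.30
"""

_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(.+)$")


def parse_zone(text):
    """Parse 'owner ttl IN type rdata' lines into (owner, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _RR.match(line)
        if not m:
            raise ValueError("unparseable record: %r" % line)
        owner, _ttl, rtype, rdata = m.groups()
        records.append((owner.lower(), rtype.upper(), rdata.strip()))
    return records


def check_kerberos_dns(zone_text, domain):
    """Return a list of findings; an empty list means the set looks complete."""
    domain = domain.rstrip(".").lower()
    records = parse_zone(zone_text)
    a_owners = {o for o, t, _ in records if t == "A"}
    cname_owners = {o for o, t, _ in records if t == "CNAME"}
    findings = []

    # The _kerberos TXT record names the realm, conventionally the upper-cased domain.
    txt = [r for o, t, r in records if t == "TXT" and o == "_kerberos.%s." % domain]
    if not txt:
        findings.append("missing _kerberos TXT record naming the realm")
    elif txt[0].strip('"') != domain.upper():
        findings.append("realm %s is not the upper-cased domain %s" % (txt[0], domain.upper()))

    for label, port in EXPECTED_SRV.items():
        owner = "%s.%s." % (label, domain)
        srv = [r for o, t, r in records if t == "SRV" and o == owner]
        if not srv:
            findings.append("missing SRV record %s" % owner)
            continue
        for rdata in srv:
            parts = rdata.split()
            if len(parts) != 4 or not parts[2].isdigit():
                findings.append("malformed SRV rdata for %s: %r" % (owner, rdata))
                continue
            target = parts[3]
            if int(parts[2]) != port:
                findings.append("%s uses port %s, expected %d" % (owner, parts[2], port))
            if not target.endswith("."):
                # A bare name in a zone file is relative: the origin gets appended.
                target = "%s.%s." % (target, domain)
                findings.append("%s target is relative and expands to %s" % (owner, target))
            target = target.lower()
            if target in cname_owners:
                findings.append("%s target %s is a CNAME, which RFC 2782 forbids" % (owner, target))
            elif target not in a_owners:
                findings.append("%s target %s has no A record in this zone" % (owner, target))
    return findings


if __name__ == "__main__":
    for name, zone in (("post's records", ZONE), ("broken copy", BAD_ZONE)):
        print(name, check_kerberos_dns(zone, "domain.xx") or "OK")
```

The check only looks at the records you are about to publish; once the server is running, the same four names should answer an SRV query from any client on the network.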

Configure a Mac OS X Lion client

There are two steps to be taken so that a user can login on a Lion client and receive a Kerberos ticket.

  1. Create the file /Library/Preferences/edu.mit.Kerberos with the following content:
    [libdefaults]
        ticket_lifetime = 36000
        allow_weak_crypto = TRUE
        noaddresses = TRUE
        forwardable = TRUE
        default_realm = DOMAIN.XX
    
    [domain_realm]
        .domain.xx = DOMAIN.XX
        domain.xx = DOMAIN.XX
    
  2. Modify the file /etc/pam.d/authorization as follows:
    auth     optional   pam_krb5.so use_first_pass use_kcminit default_principal
    auth     optional   pam_ntlm.so use_first_pass
    auth     required   pam_opendirectory.so use_first_pass nullok
    account  required   pam_opendirectory.so

Two things to note about these files. allow_weak_crypto re-enables single-DES and the other encryption types that current Kerberos libraries refuse by default; keep it only if the KDC actually fails without it, and remove it as soon as it does not. And because the pam_krb5 line is optional, it only obtains the ticket (use_kcminit hands the credentials to the credential cache at session start); whether the login succeeds is still decided by the required pam_opendirectory line, so a Kerberos misconfiguration shows up as a missing ticket in klist rather than as a failed login.

Configure an Ubuntu client

There are also two steps to be taken so that a user can login on an Ubuntu client and receive a Kerberos ticket.

  1. Issue the following command to install required and useful Ubuntu packages:
    sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config
  2. Create the file /etc/krb5.conf with the following content:
    [libdefaults]
            default_realm = DOMAIN.XX

Installing krb5-user pulls in krb5-config, which asks for the default realm during installation; the file above overrides whatever you answer. libpam-krb5 registers itself with pam-auth-update, so the PAM stack is adjusted for you. With only default_realm set, the client locates the KDC through the SRV records published on the server, which is why the DNS step matters. Note that Kerberos only authenticates the user: the account itself still has to exist on the Ubuntu client, either locally or through an NSS source such as LDAP. After logging in, klist should show a ticket-granting ticket for DOMAIN.XX.

That's it!
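The Lion edu.mit.Kerberos file and the Ubuntu krb5.conf use the same stanza format, so one small checker covers both client configurations above. This is an added example, not code from the original post or from Apple or Ubuntu: it parses the profile and flags allow_weak_crypto, a missing or lower-case default_realm, and a default realm with no explicit kdc entry (which means the client depends on the DNS SRV records from the server section). The two embedded profiles are copies of the post's files with its placeholder realm, not values from real hosts.

```python
"""Audit a Kerberos client profile (krb5.conf / edu.mit.Kerberos format).

Added example, not code from the original post, Apple or Ubuntu.  The profiles
below are copies of the post's files with its placeholder realm.
"""

# Copy of the post's /Library/Preferences/edu.mit.Kerberos for the Lion client.
LION_PROFILE = """\
[libdefaults]
    ticket_lifetime = 36000
    allow_weak_crypto = TRUE
    noaddresses = TRUE
    forwardable = TRUE
    default_realm = DOMAIN.XX

[domain_realm]
    .domain.xx = DOMAIN.XX
    domain.xx = DOMAIN.XX
"""

# Copy of the post's /etc/krb5.conf for the Ubuntu client.
UBUNTU_PROFILE = """\
[libdefaults]
        default_realm = DOMAIN.XX
"""


def parse_profile(text):
    """Parse '[section]' and 'key = value' lines into {section: {key: value}}.

    Nested relation blocks such as 'DOMAIN.XX = { kdc = ... }' in [realms] are
    flattened to 'DOMAIN.XX.kdc', which is enough for the checks below.
    """
    sections, current, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            stack = []
        elif line == "}":
            stack.pop()
        elif current is None or "=" not in line:
            raise ValueError("unexpected line: %r" % raw)
        else:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                stack.append(key)
            else:
                sections[current][".".join(stack + [key])] = value
    return sections


def audit_profile(text):
    """Return a list of findings about the profile; empty means nothing to flag."""
    profile = parse_profile(text)
    libdefaults = profile.get("libdefaults", {})
    findings = []

    realm = libdefaults.get("default_realm")
    if not realm:
        findings.append("no default_realm in [libdefaults]")
    elif realm != realm.upper():
        findings.append("default_realm %s is not upper-case; realm names are case-sensitive" % realm)

    # Single-DES and the other enctypes behind this switch are broken; a KDC
    # that still needs them is the thing to fix, not the client.
    if libdefaults.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1"):
        findings.append("allow_weak_crypto is on: weak enctypes (single-DES) are accepted")

    if realm and "%s.kdc" % realm not in profile.get("realms", {}):
        findings.append("realm %s has no kdc entry; the KDC is located via DNS SRV records" % realm)
    return findings


if __name__ == "__main__":
    for name, text in (("Lion client", LION_PROFILE), ("Ubuntu client", UBUNTU_PROFILE)):
        print(name, audit_profile(text) or "OK")
```

Run against the two profiles, the Lion file produces two findings (weak crypto on, KDC found via DNS) and the Ubuntu file one (KDC found via DNS); the DNS finding is informational when the SRV records from the server section are in place.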