Lion Server, Kerberos, and Lion and Ubuntu Clients
Vimia's infrastructure has been based on Ubuntu 9.04 server VMs running under Xen. The clients are nearly all Mac OS X machines. Retiring one of those Mac OS X clients has freed up a machine on which to try Mac OS X Server, which in Version 10.7 (Lion) is available for only CHF 48.00 from the Mac App Store.
The Lion server now runs DHCP, DNS, Mail and Open Directory (as a master). The interesting thing is that it also runs Kerberos in the background, meaning that users registered in Open Directory (OD) automatically get Kerberos principals. Kerberos can be a frightening piece of software, so anything which automates its use has got to be a good thing.
So, how do you log into Lion and Ubuntu clients using Kerberos and Lion server? It's relatively simple, once you've trawled the Internet for the appropriate information.
Note that I'm using only Mac OS X Lion (server and client) and Ubuntu 11.10. Other configurations may behave differently. I assume that you've set up DNS and Open Directory correctly in Lion Server.
I also assume that you know how to work with Unix/Linux command lines and use
sudo and appropriate text editors.
Configure the server
First of all, you need to advertise the Kerberos infrastructure in your network. You do this by adding service records (SRV) to your DNS zone. In the DNS configuration on Lion Server, you end up with something like the following:
In the following, replace
domain.xx with your own domain.
Create a DNS machine record (A) for the Lion server: I have used
kerberos.domain.xxin this example. This is used in the service records.
Create the following service records:
After stopping and restarting the DNS server, the service records are available throughout your network.
If you are using a Bind DNS on a different platform instead of Lion Server, the following configuration will have the same effect:
_kerberos.domain.xx. 10800 IN TXT "DOMAIN.XX" _kerberos-adm._tcp.domain.xx. 10800 IN SRV 0 0 749 kerberos.domain.xx. _kerberos._udp.domain.xx. 10800 IN SRV 0 0 88 kerberos.domain.xx. _kerberos-master._udp.domain.xx. 10800 IN SRV 0 0 88 kerberos.domain.xx. _kpasswd._udp.domain.xx. 10800 IN SRV 0 0 464 kerberos.domain.xx. kerberos.domain.xx. 10800 IN A 192.168.1.30
Configure a Mac OS X Lion client
There are two steps to be taken so that a user can login on a Lion client and receive a Kerberos ticket.
Create the file
/Library/Preferences/edu.mit.Kerberoswith the following content:
[libdefaults] ticket_lifetime = 36000 allow_weak_crypto = TRUE noaddresses = TRUE forwardable = TRUE default_realm = DOMAIN.XX [domain_realm] .domain.xx = DOMAIN.XX domain.xx = DOMAIN.XX
Modify the file
auth optional pam_krb5.so use_first_pass use_kcminit default_principal auth optional pam_ntlm.so use_first_pass auth required pam_opendirectory.so use_first_pass nullok account required pam_opendirectory.so
Configure an Ubuntu client
There are also two steps to be taken so that a user can login on an Ubuntu client and receive a Kerberos ticket.
Issue the following command to install required and useful Ubuntu packages:
sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config
Create the file
/etc/krb5.confwith the following content:
[libdefaults] default_realm = DOMAIN.XX