Kerberos Preferences on Mac OS X 10.3 Documentation
This web page discusses the edu.mit.Kerberos (Kerberos configuration) file: what's in it, where it goes, and how to configure it for distribution at your site. The information on this page applies to Mac OS X 10.3 only. For links to preferences documentation for previous Mac OS versions, click here.
About the edu.mit.Kerberos File
Setting up a Configuration File Quick Guide
edu.mit.Kerberos File Locations
About the edu.mit.Kerberos File
The edu.mit.Kerberos file is where the Kerberos v4 and v5 configuration information is stored on Mac OS X. Formerly the Kerberos Login Library and Kerberos management application preferences were stored in it, but they now have their own preference files: edu.mit.Kerberos.KerberosLogin.plist and edu.mit.Kerberos.KerberosApp.plist.

The edu.mit.Kerberos file stores this information in its data fork, which contains the realm and server configuration information (the information that would be found in the krb5.conf file on Unix). See the Kerberos Configuration section for more information.

On some systems there may be up to three configuration files: two edu.mit.Kerberos files, in the "system" and "user" locations, and, since KfM now also accepts the standard Unix location and name for the configuration file, /etc/krb5.conf. Some settings in the edu.mit.Kerberos.KerberosLogin.plist file can override settings in edu.mit.Kerberos as well. See the edu.mit.Kerberos File Locations section for more information about why this is so.
Setting up a Configuration File Quick Guide
We recommend that you read this entire page. However, if you are in a hurry to get Kerberos for Macintosh up and working:
You need to create an edu.mit.Kerberos file in the /Library/Preferences directory which contains the realm and server configuration information for your site, although:
- if your site supports DNS configuration of Kerberos realms, you may not need a configuration file, or at least not a complete one - see the About DNS Configuration section;
- if you upgraded from a previous version of Mac OS X which was using Kerberos successfully, you probably already have a properly configured file and no changes are necessary to use it under Mac OS X 10.3;
- if you've run the Mac OS X Kerberos Extras installer, you will already have a file in the correct place, but it contains MIT configuration information (which is provided as a guideline);
- if you have a functioning Mac OS 9.x Kerberos installation, you can simply copy the Kerberos Preferences file from the Kerberos folder in Application Support on your Mac OS 9 volume to /Library/Preferences on your Mac OS X volume, and rename it to edu.mit.Kerberos.
Otherwise:
- Create a plain text file named edu.mit.Kerberos in /Library/Preferences, using BBEdit, emacs, CodeWarrior, or TextEdit with the "Make Plain Text" option (it must be a plain text file, not styled text or a word processor format);
- Add the Kerberos realm and server configuration in the data fork of this file. See the Kerberos Configuration section for the proper format.
Note - while there may also be an edu.mit.Kerberos file in your /Users/username/Library/Preferences directory, you should place your configuration information in the /Library/Preferences location. (See edu.mit.Kerberos File Locations for more details.)
edu.mit.Kerberos File Locations
Kerberos for Macintosh supports and looks for its configuration file in three locations - two are standard locations and the third is for Unix compatibility:
- /Library/Preferences/edu.mit.Kerberos - the standard "system" location, containing the configuration to be used by all users of the computer;
- /Users/username/Library/Preferences/edu.mit.Kerberos - the standard "user" location, containing additional configuration for an individual user;
- /etc/krb5.conf - the Unix compatibility location. Any configuration file in this location will also apply to all users of the computer.
The typical case is to have the Kerberos configuration information in the standard system configuration file, and no user configuration file or Unix compatibility file.
However there may be circumstances where a user wants to have additional realm and server information not shared with other users on the same machine. You can add any additional realm and server configuration information to the user configuration file, and KfM will meld the two sets of information together. You should avoid duplicate realm entries - if you have the same entry with different information in different configuration files, the behavior is not defined and you may get unexpected results.
If the user wants to have additional items in the [libdefaults] section, it's important to be aware of the order in which KfM reads the configuration files, because in case of conflicting [libdefaults] entries, the entry read first is the one that KfM will use (this is different from the situation with realm entries, which are merged). KfM first reads the configuration file in the user location, then the one in the system location, and finally the Unix compatibility location. Similarly, if there is a configuration file in the Unix compatibility location, KfM will attempt to meld the information in it together with that of any other configuration files present, with the behavior described above.
Having just a user configuration file and no system configuration file is not a supported setup. For instance, getting Kerberos tickets at login time will not work if you only have a user configuration file.
Note: some settings in edu.mit.Kerberos.KerberosLogin.plist, the Kerberos Login Library preferences file, can effectively override settings in the edu.mit.Kerberos file. These settings can be modified using the Kerberos GUI management application, /System/Library/Coreservices/Kerberos.

Generally, site settings go in the /Library/Preferences/edu.mit.Kerberos file, and user settings go into ~/Library/Preferences/edu.mit.Kerberos.KerberosLogin.plist (via changing settings in Kerberos.app). The Kerberos Login preferences exist so that the user can change their ticket management preferences without changing those preferences for every user on the machine. One user might always want addressless tickets, but another user might not.

In addition, there are some options which cannot be set with the [libdefaults] section of the edu.mit.Kerberos file. For instance, there is no edu.mit.Kerberos file preference to set the default ticket lifetime - despite config files which claim there is a "ticket_lifetime" tag, no code actually looks for it.
About Kerberos Configuration Information
The Kerberos v4 and v5 configurations are stored in the data fork of edu.mit.Kerberos. This text is similar to that of krb5.conf on Unix machines or krb5.ini on Windows machines. The configuration tells Kerberos for Macintosh what realms exist, what Kerberos versions are supported by them, and where to find the servers. You should edit this file for your site by opening the edu.mit.Kerberos file in a text editor that will save the file as pure text again, i.e. BBEdit, emacs, or CodeWarrior; but not TextEdit (unless you use the "Make Plain Text" command) or Microsoft Word.

Once you are done editing the edu.mit.Kerberos file, you should log out, and then you may want to use the "Edit Favorite Realms" feature of the Kerberos management application to add your realms to the pop-up menu in the Login dialog.

Here is an example Kerberos configuration:
    [libdefaults]
        default_realm = ATHENA.MIT.EDU
        noaddresses = TRUE

    [realms]
        ATHENA.MIT.EDU = {
            kdc = kerberos.mit.edu.:88
            kdc = kerberos-1.mit.edu.:88
            kdc = kerberos-2.mit.edu.:88
            admin_server = kerberos.mit.edu.
            default_domain = mit.edu
        }
        MEDIA-LAB.MIT.EDU = {
            kdc = kerberos.media.mit.edu.
            admin_server = kerberos.media.mit.edu.
        }

    [domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU

    [v4 realms]
        ATHENA.MIT.EDU = {
            kdc = kerberos.mit.edu.
            kdc = kerberos-1.mit.edu.
            kdc = kerberos-2.mit.edu.
            admin_server = kerberos.mit.edu.
            default_domain = mit.edu
        }
        UMICH.EDU = {
            kdc = kerberos.umich.edu.
            admin_server = kerberos.umich.edu.
            default_domain = umich.edu
        }

    [v4 domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .umich.edu = UMICH.EDU
        umich.edu = UMICH.EDU

The [libdefaults] section describes what the default behavior of the Kerberos libraries should be. You should always fill in the default realm. If you have Kerberos v5 at your site, you should also copy any other [libdefaults] entries from your site's krb5.conf or krb5.ini.

Note that Kerberos for Macintosh does not honor any ticket_lifetime entry in [libdefaults]. The default lifetime that will be used by both the Kerberos Login dialog and kinit is the one you specify in the GUI Kerberos management application preferences, although you can specify a different lifetime when you log in if you want.

The [realms] and [domain_realm] sections refer to Kerberos v5 realms. If your site is v4-only you should omit these sections. Otherwise just copy these sections from your site's krb5.conf or krb5.ini.

The [v4 realms] and [v4 domain_realm] sections refer to Kerberos v4 realms. If your site is v5-only you should omit these sections. Otherwise you will need to create entries for each of the Kerberos v4 realms at your site. You should not specify a string_to_key_type for v4 realms anymore, because that information will be ignored - KfM will automatically determine the correct one to use.
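The three-location merge described under edu.mit.Kerberos File Locations and the checks recommended in this section, as an added Python example (not KfM's own code): it parses krb5.conf-style text, applies KfM's read order with first-read-wins for [libdefaults] and melding for realm sections, reports a realm that is defined differently in two files, and flags a missing default_realm, an ignored ticket_lifetime and an ignored v4 string_to_key_type. The sample configuration text, the LAB.EXAMPLE.EDU realm and all function names are constructed for this example.

```python
# Added example, not KfM's own code: merge krb5.conf-style files in KfM's read
# order and flag pitfalls the page names. The sample configuration text is constructed.
def parse_krb5(text):
    # -> {section: {key: [values]}}; 'NAME = {' opens a nested dict for a realm
    conf, section, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('[') and line.endswith(']'):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == '}':
            block = None
        elif line:
            key, _, val = (p.strip() for p in line.partition('='))
            if val == '{':
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section).setdefault(key, []).append(val)
    return conf

def merge_kfm(files):
    # files: [(location, parsed)] in KfM read order (user, system, /etc/krb5.conf).
    # [libdefaults]: first read wins. Realms: melded; a conflicting duplicate is reported.
    merged, conflicts = {}, []
    for where, conf in files:
        for sec, entries in conf.items():
            target = merged.setdefault(sec, {})
            for key, val in entries.items():
                if key not in target:
                    target[key] = val
                elif sec != 'libdefaults' and target[key] != val:
                    conflicts.append((sec, key, where))
    return merged, conflicts

def lint(conf):
    # Page: default_realm is required; ticket_lifetime and v4 string_to_key_type are ignored.
    libd, problems = conf.get('libdefaults', {}), []
    if 'default_realm' not in libd:
        problems.append('missing default_realm')
    if 'ticket_lifetime' in libd:
        problems.append('ticket_lifetime is ignored; set the lifetime in Kerberos.app')
    for realm, body in conf.get('v4 realms', {}).items():
        if 'string_to_key_type' in body:
            problems.append('string_to_key_type ignored for v4 realm ' + realm)
    return problems

SYSTEM_CONF = """[libdefaults]\n default_realm = ATHENA.MIT.EDU\n noaddresses = TRUE
[realms]\n ATHENA.MIT.EDU = {\n  kdc = kerberos.mit.edu.:88\n  admin_server = kerberos.mit.edu.\n }
[v4 realms]\n ATHENA.MIT.EDU = {\n  kdc = kerberos.mit.edu.\n  string_to_key_type = X\n }"""
USER_CONF = """[libdefaults]\n noaddresses = FALSE\n ticket_lifetime = 10h
[realms]\n ATHENA.MIT.EDU = {\n  kdc = kerberos-2.mit.edu.:88\n }\n LAB.EXAMPLE.EDU = {\n  kdc = kdc.lab.example.edu.\n }"""
```

Running merge_kfm over the two constructed files shows the user file's noaddresses = FALSE winning in [libdefaults] while the realm ATHENA.MIT.EDU is reported as a conflict, which is exactly the "undefined results" case the page warns about.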
Some sites have configured their DNS servers to provide information about local Kerberos realm configuration, such that users need only a minimum configuration file and instead can get the rest of the Kerberos configuration information over the network. For more information about DNS, see the Using DNS section of the Kerberos V5 System Administrator's Guide.
You should always have a configuration file that has a [libdefaults] section with a default_realm specified. Otherwise, getting Kerberos tickets at login time may fail.

If your Kerberos realm is named the same as your domain name, e.g. your domain name is foo.bar.edu and your Kerberos realm is FOO.BAR.EDU, you do not need any more information in your local configuration file, assuming all the realms you need to access have DNS records.

Otherwise, you also need a [domain_realm] section, mapping your domain to the appropriate realms. You can omit the [realms] sections of the configuration file.

DNS configuration of realms only applies to Kerberos v5, so unless your site does krb524 on the server, you will need to include v4 information in a local configuration file.

If you want to disable DNS lookup of Kerberos realms on your Macintosh, add the line:

    dnsfallback = no

to the [libdefaults] section of your Kerberos configuration file.
Questions or comments? Send mail to macdev@mit.edu
Last updated on 2004/06/11 18:47:42
Last modified by lxs