
This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.


Overview

Kerberos is Indiana University's chosen standard for network authentication. It is the authoritative source for all Network ID passphrases. You need to remember only one passphrase to access any of the IU services that support Kerberos authentication, and because Kerberos passphrases are centrally maintained, no passphrases need to be stored on the computers that provide those services (though you may want backup passphrases stored there for reasons described below under 'Caveats').

Mac OS X has some support for Kerberos authentication in the Login Window. That is, you can configure your Mac so you can log into it using your IU Network ID.

Caveats

There are a couple of subtleties in Mac OS X's Kerberos implementation that you should be aware of before using it. First, only the Login Window, Mail, and telnet seem to support Kerberos (the latter two only in Mac OS X 10.2 and later). The password feature of the Screen Effects screen saver still uses the conventional Unix password, as does the sudo command. If you use either of these, and possibly anything else that accepts a password, you may need to maintain a local password on the computer. It's a good idea to do so anyway if you are the maintainer of that computer. If you ever have network problems and Kerberos becomes unavailable, that local password will save you from being locked out.

Second, be aware that using Kerberos doesn't preclude maintaining accounts on your computers. You still have to create accounts locally (or provide them via NetInfo or LDAP) for people who need to use the system, even if their local passwords are disabled.

In addition to these caveats, there are some inconveniences. The version of SSH that ships with Mac OS X will not forward Kerberos credentials to remote hosts. Normally, you wouldn't have to type your password again when making an SSH connection to a remote host that supports Kerberos authentication to a realm you've already logged into. But currently this feature is not available with Mac OS X's version of SSH.

Kerberos configuration

To configure Kerberos on your Mac, you need to create an edu.mit.Kerberos preferences file. This file is equivalent to the krb5.conf file on other Unix systems. For information on how to create this file, see the following web site at MIT:

When you are ready to set up your system at IU, use the sample krb5.conf file at:

Note: You will need to use your IU Network ID to access the above site.
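As an added illustration of what such a file contains (this is not IU's sample file, which the page only links to, and not part of the original article), here is the general shape of an edu.mit.Kerberos file, which uses the krb5.conf syntax and on Mac OS X 10.2 and later is read from /Library/Preferences/edu.mit.Kerberos. The realm name IU.EDU and the KDC port come from this page; the KDC hostnames and the domain_realm mapping are placeholders to be replaced with the values from IU's sample krb5.conf:

```ini
[libdefaults]
    # Realm used when a principal is typed without an @REALM suffix.
    default_realm = IU.EDU

[realms]
    IU.EDU = {
        # Placeholder hostnames, not IU's real KDCs: take the real ones
        # from the sample krb5.conf linked above. KDCs answer on UDP 88,
        # the port the ipfw note under Troubleshooting tells you to allow.
        kdc = kdc1.example.iu.edu
        kdc = kdc2.example.iu.edu
        admin_server = kdc1.example.iu.edu
    }

[domain_realm]
    # Assumed mapping of hostnames to the realm; confirm against IU's file.
    .iu.edu = IU.EDU
    iu.edu = IU.EDU
```

A misspelled realm or a wrong KDC hostname here is the usual cause of the kinit symptoms described below (a principal shown in a realm other than IU.EDU, or no ticket-granting ticket in klist).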

Once Kerberos is configured, you can test it by entering kinit at the Unix prompt. You should then see the following prompt:

Enter your username; you should then see:


Instead of username, you should see your Network ID username. If you do not, or you see something other than 'IU.EDU', you have probably configured your edu.mit.Kerberos preferences incorrectly.

If you enter your Network ID passphrase at the prompt, you should get your shell prompt back without an error message. To confirm that kinit was successful, enter klist to view your ticket cache. You should then see something like the following:

If you see 'krbtgt/IU.EDU@IU.EDU', the ticket-granting ticket, you have successfully authenticated. If you have trouble getting to this point, double-check your edu.mit.Kerberos preferences.
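The two checks the text above has you make by eye, that the default principal is in the IU.EDU realm and that the cache holds krbtgt/IU.EDU@IU.EDU, can be scripted. The following is an added example, not code from the IU page; the klist transcripts it works on are constructed (the user jdoe, the cache path and the timestamps are made up, only the layout follows MIT Kerberos klist), so it runs without a KDC:

```sh
#!/bin/sh
# Added example (not from the IU page): check a Kerberos ticket cache by
# parsing klist output for (1) the realm of the default principal and
# (2) the ticket-granting ticket krbtgt/REALM@REALM.

# Constructed transcript: a successful kinit as the page describes it.
GOOD_KLIST='Ticket cache: FILE:/tmp/krb5cc_501
Default principal: jdoe@IU.EDU

Valid starting     Expires            Service principal
11/12/03 09:15:02  11/12/03 19:15:02  krbtgt/IU.EDU@IU.EDU'

# Constructed transcript: edu.mit.Kerberos points at some other realm.
WRONG_REALM_KLIST='Ticket cache: FILE:/tmp/krb5cc_501
Default principal: jdoe@EXAMPLE.COM

Valid starting     Expires            Service principal
11/12/03 09:15:02  11/12/03 19:15:02  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Constructed transcript: kinit never succeeded, so there is no cache.
NO_CACHE_KLIST='klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_501)'

# default_principal_realm KLIST_OUTPUT
# Prints the realm after the '@' of the "Default principal:" line, or
# nothing if there is no such line.
default_principal_realm() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: *[^@]*@\(.*\)$/\1/p'
}

# has_tgt KLIST_OUTPUT REALM
# Succeeds if the cache lists the ticket-granting ticket for REALM.
has_tgt() {
    printf '%s\n' "$1" | grep -qF "krbtgt/$2@$2"
}

# check_cache KLIST_OUTPUT REALM
# Returns 0 if the TGT for REALM is present, 1 if there is no cache or the
# principal is in the wrong realm (look at edu.mit.Kerberos), 2 if the
# realm is right but the TGT is missing (kinit did not complete).
check_cache() {
    realm=$(default_principal_realm "$1")
    if [ -z "$realm" ]; then
        echo "no ticket cache or no default principal: run kinit first" >&2
        return 1
    fi
    if [ "$realm" != "$2" ]; then
        echo "default principal is in realm '$realm', expected '$2':" \
             "check the edu.mit.Kerberos preferences" >&2
        return 1
    fi
    if ! has_tgt "$1" "$2"; then
        echo "principal is in $2 but no krbtgt/$2@$2 in the cache:" \
             "kinit did not complete" >&2
        return 2
    fi
    echo "TGT krbtgt/$2@$2 present: authentication to $2 succeeded"
}

# Offline self-check on the constructed transcript. On a real Mac the same
# check is:   kinit && check_cache "$(klist 2>&1)" IU.EDU
check_cache "$GOOD_KLIST" IU.EDU
```

The realm comparison is deliberately exact: a principal shown in any realm other than IU.EDU is the misconfiguration symptom the text describes, and a cache with no krbtgt entry at all means kinit returned without a ticket even if it printed no error.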

Troubleshooting


ipfw

If you've configured ipfw, Mac OS X's built-in packet filter software, be sure to allow outgoing UDP packets to port 88 (the port the Kerberos KDC listens on) and their responses through the filter. If you do not use ipfw, or you have only configured it using the GUI interface in Jaguar, you needn't worry about this. For more information about configuring ipfw at IU, contact the UITS Support Center.


kinit delays


Some users have reported long delays when using kinit with Mac OS X 10.2 and later. There is a bug in these versions of the operating system that causes kinit to query the Kerberos 5-to-4 ticket translator service many times. These spurious queries cause the delays. IU doesn't use the ticket translator service, and the delays are exacerbated by the firewalls that protect the Kerberos servers because they block access to this particular service, leaving each query to wait for a timeout. If you use the packet filtering software that ships with Mac OS X (ipfw), it may also be a bottleneck.


Until Apple fixes this bug, you can use ipfw to reject these requests before they leave your computer, so each one fails immediately instead of waiting for a timeout, speeding up kinit considerably:

You must be an administrative user to use this command, which will prompt you for your password. It will work only until your next reboot. If you know how to configure the built-in ipfw packet filtering software, you can make this change permanent. Don't attempt this, however, unless you are comfortable with administering a Unix system. For more information, see:

Configuring the Login Window to use Kerberos

Make sure you can successfully get tickets with kinit as described in the previous section before attempting to configure the Login Window. If kinit doesn't work, the Login Window's Kerberos support definitely won't work. To enable Kerberos authentication in the Login Window, you must enable the Kerberos Login Authenticator. The exact procedure depends on your version of Mac OS X. For 10.1, see MIT's document on enabling the Kerberos authenticator:

For 10.2 and later, see Apple's knowledge base:

Once the Login Window is configured to use Kerberos, remember that if the network becomes unavailable, users won't be able to authenticate. For this reason, you may want to continue to maintain local passwords, at least for administrative users.




