Node:Mac OS X Configuration, Previous:Client Machine Configuration Files, Up:Client Machine Configuration Files



Mac OS X Configuration

To install Kerberos V5 on Mac OS X and Mac OS X Server, follow the directions for generic Unix-based OS's, except for the /etc/services updates described above.

Mac OS X and Mac OS X Server use a database called NetInfo to store the contents of files normally found in /etc. Instead of modifying /etc/services, you should run the following commands to add the Kerberos service entries to NetInfo:

     $ niutil -create . /services/kerberos
     $ niutil -createprop . /services/kerberos name kerberos kdc
     $ niutil -createprop . /services/kerberos port 750
     $ niutil -createprop . /services/kerberos protocol tcp udp
     $ niutil -create . /services/krbupdate
     $ niutil -createprop . /services/krbupdate name krbupdate kreg
     $ niutil -createprop . /services/krbupdate port 760
     $ niutil -createprop . /services/krbupdate protocol tcp
     $ niutil -create . /services/kpasswd
     $ niutil -createprop . /services/kpasswd name kpasswd kpwd
     $ niutil -createprop . /services/kpasswd port 761
     $ niutil -createprop . /services/kpasswd protocol tcp
     $ niutil -create . /services/klogin
     $ niutil -createprop . /services/klogin port 543
     $ niutil -createprop . /services/klogin protocol tcp
     $ niutil -create . /services/eklogin
     $ niutil -createprop . /services/eklogin port 2105
     $ niutil -createprop . /services/eklogin protocol tcp
     $ niutil -create . /services/kshell
     $ niutil -createprop . /services/kshell name kshell krcmd
     $ niutil -createprop . /services/kshell port 544
     $ niutil -createprop . /services/kshell protocol tcp
     

In addition to adding services to NetInfo, you must also modify the resolver configuration in NetInfo so that the machine resolves its own hostname as a FQDN (fully qualified domain name). By default, Mac OS X and Mac OS X Server machines query NetInfo to resolve hostnames before falling back to DNS. Because NetInfo has an unqualified name for all the machines in the NetInfo database, the machine's own hostname will resolve to an unqualified name. Kerberos needs a FQDN to look up keys in the machine's keytab file.

Fortunately, you can change the lookupd caching order to query DNS first. Run the following NetInfo commands and reboot the machine:

     $ niutil -create . /locations/lookupd/hosts
     $ niutil -createprop . /locations/lookupd/hosts LookupOrder CacheAgent DNSAgent
      NIAgent NILAgent
     

Once you have rebooted, you can verify that the resolver now behaves correctly. Compile the Kerberos 5 distribution and run:

     $ cd .../src/tests/resolve
     $ ./resolve
     

This will tell you whether or not your machine returns FQDNs on name lookups. If the test still fails, you can also try turning off DNS caching. Run the following commands and reboot:

     $ niutil -create . /locations/lookupd/hosts
     $ niutil -createprop . /locations/lookupd/hosts LookupOrder DNSAgent
      CacheAgent NIAgent NILAgent
     

The remainder of the setup of a Mac OS X client machine or application server should be the same as for other UNIX-based systems.