MIT Information Systems

Macintosh Development



Kerberos on Mac OS X 10.1 Frequently Asked Questions

The following is a list of frequently asked questions about Kerberos on Mac OS X, both the Kerberos version included with Mac OS X and Kerberos for Macintosh releases. This information is intended to assist users, support staff and developers who use Kerberos on the Macintosh.

This web page contains FAQs for Kerberos on Mac OS X 10.1 only. For links to FAQs for other Mac OS versions, click here.

If you would like to suggest an addition to the FAQ, please send mail to krbdev@mit.edu

Q: What version of Kerberos should I use with Mac OS X 10.1?
A: The latest release of Kerberos for Mac OS X 10.1 is Kerberos for Macintosh 4.0.3. We recommend you install and use KfM 4.0.3 if possible. Mac OS X 10.1 as shipped did include a development version of Kerberos, equivalent to the development release KfM 4.0a18, but we have incorporated many bugfixes and additional features since then into KfM 4.0.3, so KfM 4.0.3 is the preferred Kerberos to use.

However, Kerberos for Macintosh 4.0.3 is not available for download outside of North America. Users outside of North America should use the Kerberos included with Mac OS X 10.1, and optionally install the Mac OS X 10.1 Kerberos Extras.

Q: What parts of Kerberos are/are not included with Mac OS X 10.1?
A: The Kerberos included with Mac OS X 10.1 includes the Kerberos framework, command line tools, and a pre-release version of the Kerberos login authenticator. The CFM support libraries and Kerberos management application are not included, but can be obtained by installing Kerberos for Macintosh 4.0.x or the Mac OS X 10.1 Kerberos Extras.

No Kerberos configuration information is included with Mac OS X 10.1, and only a sample configuration file is included with the Kerberos Extras. You must install a configuration for your site (see below for more info).

Q: How do I configure Kerberos on Mac OS X for my site?
A: You must copy or create a file called edu.mit.Kerberos in your /Library/Preferences directory. The Kerberos configuration information (equivalent to the krb5.conf on other platforms) should be in the data fork of this file. We strongly recommend you read the Kerberos Preferences documentation for more information. (This applies to both the Kerberos included with Mac OS X and Kerberos for Macintosh 4.0.x.)

Q: Eudora, Fetch, and other CFM-based applications won't work with the Mac OS X 10.1 Kerberos. What's wrong?
A: Mac OS X 10.1 Kerberos as shipped does not include CFM support. To use the Mac OS X 10.1 Kerberos with Eudora, Fetch, and other existing CFM-based GUI applications, you should install the full Kerberos for Macintosh 4.0.3 release (for Mac OS X 10.1), which will install the CFM support libraries. See "What version of Kerberos should I use with Mac OS X?" above.

Q: I installed the Mac OS X Kerberos Extras and now Eudora 5.1 won't work at all. What's up?
A: There is an issue with one of the Eudora plug-ins in Eudora 5.1 that causes this. The best way to fix this is to upgrade to Eudora 5.2 or later.

If you cannot upgrade to Eudora 5.2 or later, do the following to fix this: in the Finder, bring up the Finder contextual menu by control-clicking on the Eudora application icon and select "Show Package Contents". When the window pops up with the Contents folders in it, navigate to the Eudora Stuff folder:

Contents -> MacOS -> Eudora Stuff

and remove the UPPERlower Carbon plug-in (drag it to the desktop or some other storage place). Close the Eudora contents window and try again; Eudora should now work. Removing this plug-in removes the ability to change the selected text to all lowercase, all uppercase, etc. from the Edit menu in Eudora. This bug will be fixed in a future release of Eudora.

Q: Where is the Kerberos GUI management application?
A: Mac OS X 10.1 as shipped does not include the Kerberos management application. You should either install the full Kerberos for Macintosh 4.0.3 release (recommended) or the Mac OS X 10.1 Kerberos Extras release, both of which will install the CFM support libraries and the Kerberos management application. See "What version of Kerberos should I use with Mac OS X?" above. Mac OS X 10.2 and later ship with the GUI management application included.

Q: Is a Kerberized telnet and/or SSH client available for Mac OS X 10.1?
A: MIT is not aware of any Kerberized telnet or SSH for Mac OS X 10.1. However, Mac OS X 10.2 includes a Kerberized telnet, and Mac OS X 10.3 includes a Kerberized SSH. (The Mac OS X man pages claiming that there is support for Kerberos in SSH and RSH are in error.)

Q: Is there a Kerberized ftp client available for Mac OS X?
A: Yes, Fetch from FetchSoftworks supports both KClient (v4) and GSS connections on Mac OS X when the CFM support libraries are installed. This is the only Kerberized ftp client we are aware of at this time.

Q: Does Kerberos for Macintosh work with Windows Active Directory?
A: Yes, KfM will successfully authenticate against Windows Active Directory acting as a KDC.

Q: I don't see the realm I need in the Edit Favorite Realms dialog in the Kerberos management application. How do I add new realms?
A: You need to edit the edu.mit.Kerberos preferences file. See the Kerberos Preferences Documentation for information on how to do this. (If you don't see the realm you need in the pop-up menu in the Kerberos Login dialog, make sure you can't add it using Edit Favorite Realms before editing the Preferences file.)

Q: Can I use Kerberos for Macintosh behind a NAT (Network Address Translation)?
A: In some cases, yes. Kerberos 4 does not support addressless tickets, so no Kerberos 4 or KClient-using application can be made to work behind a NAT. Kerberos 5, however, can be told to use addressless tickets, which allows Kerberos 5-using applications to work behind a NAT. Even so, applications that use the GSSAPI and require channel bindings, such as FTP, will still not work. You can enable addressless tickets by adding the following line to the libdefaults section of the edu.mit.Kerberos file:

noaddresses = true

There is no GUI way to enable this feature in Mac OS X 10.1; one is included in Mac OS X 10.3, however.
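
Because the setting only takes effect in the libdefaults section, here is one way to confirm it landed there, as an added example that is not part of the original FAQ. The function names, sample files and the EXAMPLE.ORG realm are constructed, and the parser handles only simple `key = value` lines.

```shell
#!/bin/sh
# Added example: function names, sample files and EXAMPLE.ORG are constructed.
# Print the first value of key $2 inside [libdefaults] of config file $1.
libdefaults_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                 # comment line
        /^[ \t]*\[/ {                          # section header
            s = $0; gsub(/[ \t]/, "", s)
            in_sec = (s == "[libdefaults]")
            next
        }
        in_sec && (n = index($0, "=")) > 0 {
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }
    ' "$1"
}
# Succeeds only when the file carries the exact line the FAQ gives.
addressless_enabled() {
    [ "$(libdefaults_value "$1" noaddresses)" = "true" ]
}
# Constructed samples: one correct, one with the line in the wrong section.
write_samples() {
    cat > "$1/good.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.ORG
    noaddresses = true
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
EOF
    cat > "$1/misplaced.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.ORG
[domain_realm]
    noaddresses = true
EOF
}

demo_dir=$(mktemp -d); write_samples "$demo_dir"
for f in good misplaced; do
    addressless_enabled "$demo_dir/$f.conf" && r=enabled || r="not enabled"
    echo "$f.conf: addressless tickets $r"
done
rm -rf "$demo_dir"
```

To check a real configuration, pass /Library/Preferences/edu.mit.Kerberos to `addressless_enabled`.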

Q: Will there be a Kerberos system menu and floating window for Mac OS X?
A: Kerberos for Macintosh for Mac OS X includes features similar to these. The dock icon of the Kerberos management application has a key that changes to show your ticket's status, can display the time remaining of the current active user's tickets, and has a pop-up menu for commonly used Kerberos functions.

Q: Is there a list of known bugs for Kerberos for Macintosh 4.0.3 and/or the Mac OS X 10.1 Kerberos release?
A: Yes. See the Known Bugs page.

Q: Can I install a newer release of Kerberos for Macintosh over the Mac OS X 10.1 Kerberos?
A: Yes, you can install Kerberos for Macintosh 4.0.3 over the Mac OS X 10.1 Kerberos, and in fact, we recommend you do so. All later releases of KfM are integral to later versions of Mac OS X, and cannot be installed on Mac OS X 10.1.

Q: How do I enable and use the Kerberos login authenticator in Mac OS X 10.1?
A: See the Login authenticator documentation. There is no UI to enable the authenticator. Additional FAQs for the authenticator are also on the authenticator documentation page.

Q: How can I uninstall/remove Kerberos for Macintosh?
A: On Mac OS X 10.1, we strongly recommend against uninstalling Kerberos, since it is part of the OS. However, if you insist, Kerberos for Macintosh 4.0.x includes an uninstall feature in the installer, which will remove previous versions of KfM for OS X or the OS X 10.1 Kerberos. Also, see the Uninstalling Kerberos for Macintosh on Mac OS X documentation. We advise extreme caution when following these instructions.

Q: Is source code for the Kerberos included with Mac OS X available?
A: Yes, source code for the Kerberos included with the latest release of Mac OS X is available for review from the Apple Darwin Kerberos page. Note that this source reflects a newer version of KfM than the one included in Mac OS X 10.1.

Other Kerberos for Macintosh FAQs


Questions or comments? Send mail to macdev@mit.edu
Last updated on $Date: 2003/11/18 22:02:50 $
Last modified by $Author: smcguire $